
Italy’s €15M GDPR Blow to OpenAI

Kanishga Subramani

On December 20, 2024, the Italian Data Protection Authority (Garante) issued a €15 million fine to OpenAI, creator of ChatGPT, marking one of the EU’s first major GDPR penalties targeting a generative AI platform.

What Triggered the Fine?

The Garante’s investigation began in March 2023, after a security incident revealed a system bug that exposed chat histories and payment data belonging to approximately 440 Italian users. The probe uncovered several key violations:

  1. No Legal Basis for Data Processing: OpenAI used personal data to train its ChatGPT models without establishing a compliant legal foundation under GDPR
  2. Transparency Failures: It failed to clearly inform users and even non‑users about how their data were being collected and processed
  3. Inadequate Age Verification: The system lacked robust measures to block children under 13, raising the risk of exposing minors to unsuitable content
  4. Failure to Report Data Breach: Despite GDPR’s Article 33 mandating timely breach notifications, OpenAI did not inform the Garante of the March 2023 incident

Breakdown of OpenAI’s €15 Million Penalty

  • €9,000,000 for unlawful processing of personal data
  • €320,000 for breach reporting failures
  • €5,680,000 for ignoring prior corrective orders and transparency mandates

This split reflects both punitive and educational intent, corresponding to violations across data processing, non‑reporting, and non‑compliance with earlier directives.

Mandated Public Awareness Campaign by OpenAI

In addition to the fine, OpenAI must launch a six-month public information campaign across Italian TV, radio, newspapers, and online platforms. The initiative must illuminate how ChatGPT uses personal and non‑personal data for training and clarify users’ rights such as objection, correction, and deletion. It’s a rare case where GDPR enforcement includes both monetary penalty and mandated outreach.

OpenAI’s Response and Appeal

OpenAI described the fine as “disproportionate,” emphasizing that it amounts to nearly 20 times its Italian revenue during the relevant period. The company stated its plans to appeal and underscored its cooperation with the Garante, noting previous compliance steps that led to lifting Italy’s temporary ban on ChatGPT in April 2023. It also reaffirmed its commitment to privacy compliance globally.

Broader Implications for AI Regulation

This action marks the first significant GDPR enforcement targeting a generative AI firm, a milestone with far-reaching consequences. Amid growing momentum behind the EU’s AI Act, regulators are now increasingly scrutinizing how AI systems handle personal data and respect privacy principles.

Under GDPR’s “one‑stop‑shop” rule, OpenAI’s new European headquarters in Ireland shifts future supervisory responsibility to the Irish Data Protection Commission. Nonetheless, the Italian Garante retains jurisdiction over violations that pre‑date the establishment of that EU base.

What This Means for AI Developers

Privacy-by-Design Is Essential: Data protection should be integrated into AI systems from inception.

Legal Basis Requirement: Companies must ensure transparent, lawful grounds for data use before training AI models.

Age Controls Are Non-Negotiable: To avoid regulatory fines and protect minors, robust age-verification workflows are mandatory.

Breach Notification Compliance: GDPR demands prompt reporting to national DPAs when data incidents occur.

Final Thoughts

Italy’s €15 million fine is more than a regulatory action; it’s a wake‑up call for the AI industry. With this enforcement, the Garante signals that innovation cannot bypass core privacy rights. The balance between AI advancement and user protection is no longer theoretical; it’s enforceable, immediate, and global. For OpenAI and its peers, the message is clear: robust privacy governance is now foundational to AI development.
