Italy: Announced ruling in Italian Data Protection Authority investigation into OpenAI for data protection violations including EUR 15 million fine

On 20 December 2024, the Italian Data Protection Authority (DPA) published its ruling specifying that OpenAI, which operates the ChatGPT service, violated several provisions of the General Data Protection Regulation (GDPR). The violations included failure to report a data breach, lack of a clear legal basis for processing personal data for AI model training, inadequacies in the privacy policy, absence of age verification mechanisms, non-compliance with an order to conduct an informational campaign, and generation of inaccurate data. The DPA imposed a fine of EUR 15 million and ordered OpenAI to conduct a six-month informational campaign on major Italian media outlets to raise awareness about data protection issues related to ChatGPT, particularly focusing on users' rights to object to data processing and request data deletion. OpenAI established a presence in Ireland as of 15 February 2024. OpenAI established its European headquarters in Ireland on 15 February 2024, which was during the investigation. Following the GDPR's one-stop shop rule, the DPA transferred the case documents to the Irish Data Protection Authority, which is now the lead supervisory authority, to address ongoing violations predating the establishment.