ChatGPT and the GDPR: OpenAI fined €15 million
Posted: January 19, 2025
The Italian Data Protection Authority (DPA), the “Garante”, has issued a €15 million fine against OpenAI due to ChatGPT’s alleged GDPR compliance failures.
The fine followed around 20 months of back-and-forth between the California-based AI provider and the regulator, which at one stage resulted in OpenAI temporarily pulling its product from the Italian market.
Here’s a look at the background to this case and the reasons behind the Garante’s penalty.
The initial data breach
In March 2023, ChatGPT experienced a data breach that exposed some chat histories and partial payment details. While the data breach was relatively minor, it drew the attention of the Garante to broader alleged compliance issues within the company.
By the end of that month, the Garante had ordered OpenAI to stop processing personal data about users in Italy, which prompted the company to block ChatGPT access in the country.
The regulator was particularly concerned about the platform’s use by children, transparency issues, and adherence to the GDPR’s data protection principles.
Lifting the ‘stop processing’ order
By April 11, 2023, OpenAI had made progress in addressing some of the Garante’s concerns, leading the regulator to suspend its “stop processing” order—on the condition that the company implemented specific transparency and compliance measures in the near future.
Later that month, OpenAI reported that it had fulfilled some of the regulator’s demands—such as publishing a privacy notice and adding new privacy settings—while committing to meet additional requirements later.
In May 2023, OpenAI launched an informational campaign to educate Italians about its use of personal data, but the Garante found the effort lacking. By the end of May, OpenAI submitted a plan to roll out age verification tools by September 30, 2023.
That September, OpenAI partnered with UK-based firm Yoti to introduce age verification using document scanning, facial recognition, and credit card verification. However, the dialogue between OpenAI and the Garante continued into November 2023.
Issuing the fine
Still dissatisfied with OpenAI’s progress, the Garante formally initiated proceedings against the company in January 2024. In November 2024, the Garante issued an official notice summarizing the investigation’s findings and the steps OpenAI needed to take to bring ChatGPT into compliance.
Finally, in late December 2024, the Garante formally sanctioned OpenAI for violating the GDPR.
The Garante found that OpenAI violated the following GDPR provisions:
- The principle of “lawfulness, fairness, and transparency” at Article 5(1)(a)
- The transparency obligations at Articles 12 and 13
- The general compliance obligation, set out at Article 24
- The doctrine of “data protection by design and by default” at Article 25
- Certain aspects of the data breach reporting obligation at Article 33(1)
- The requirement to cooperate with the DPA at Article 83(5)(e)
The €15 million penalty represents around 1.5% of OpenAI’s global annual revenues for the relevant period.
Other corrective measures
In addition to paying the €15 million fine, the Garante ordered OpenAI to undertake certain corrective actions to bring its operations into compliance with the GDPR:
- Run a further awareness-raising program in Italian media to make people aware that their personal data might be used to train OpenAI’s GPT models
- Update the ChatGPT privacy notice to add further detail about how OpenAI uses personal data
- Make improvements to its age verification measures to keep younger children off the platform
- Restrict how it uses personal data for training its AI models
While OpenAI has appeared willing to comply with the Garante’s orders throughout the investigation, its efforts were apparently insufficient to ensure the high standards of GDPR compliance that the regulator clearly expects.
ChatGPT requires huge amounts of personal data in order to properly function. Whether OpenAI can fully adhere to the Garante’s demands without undermining its core business model remains to be seen.