The Italian supervisory authority temporarily suspended ChatGPT

On 30 March 2023, the Italian data protection authority (Garante per la protezione dei dati personali) published that it imposed an immediate temporary limitation on the processing of Italian users’ data by OpenAI, the US-based interactive AI service provider, and initiated an inquiry into the facts of the case (see the press release here (Italian and English) and the decision here (Italian only)).

The Italian data protection authority pointed out that ChatGPT may violate several GDPR obligations. These include:

• Transparency: OpenAI did not provide information to users and data subjects whose data are collected;
• Legal basis: There appears to be no legal basis for collecting and processing large amounts of personal data to ‘train’ the algorithms on which ChatGPT relies;
• Accuracy: The information provided by ChatGPT is not always factual, so inaccurate personal data may be processed; and
• Age verification mechanism: The lack of an age verification mechanism may result in children receiving responses that are not appropriate to their age or awareness.

The Italian data protection authority has therefore taken the decision to temporarily limit OpenAI’s processing of Italian users’ data and launch an investigation. This decision includes:

• Temporary Limitation: OpenAI to take urgent measures to provisionally restrict the processing of personal data of data subjects in Italy;
• Immediate Effect: The restriction shall take effect immediately, subject to further decisions based on the preliminary investigation; and
• Investigative Order: It requests OpenAI to provide within 20 days all elements it requires. If OpenAI fails to respond, a fine may be imposed.

Next Steps

This decision provides useful insights for considering the GDPR compliance of AI services. The organisations offering AI services should use this decision as a reference to check whether their services are compliant with GDPR.