On Friday local time, the Italian Data Protection Agency (Garante) announced that it has imposed a fine of 15 million euros (approximately 15.58 million US dollars) on ChatGPT manufacturer OpenAI after ending its investigation into the use of personal data by generative artificial intelligence (AI) applications.
Garante stated that it found OpenAI's use of customers' personal data to train ChatGPT without sufficient legal basis violated transparency principles and obligations to users regarding relevant information.
In addition, OpenAI experienced a user information breach incident in March last year, but did not promptly inform regulatory agencies. Garante also claims that OpenAI does not provide an age verification mechanism, which may result in minors receiving inappropriate responses.
On March 25th last year, OpenAI confirmed that some ChatGPT Plus service subscribers had leaked their personal privacy and payment information. Subsequently, the company fixed the vulnerability and apologized to its users and the entire ChatGPT community, stating that it would work hard to rebuild trust.
After the aforementioned incident, Garante launched an investigation into OpenAI and made a decision to impose a fine on Friday. The regulatory agency also ordered OpenAI to conduct a six-month public campaign on radio, television, print media, and the internet to promote ChatGPT and its data processing methods.
A spokesperson for OpenAI stated that the company will appeal the fine, stating that the regulatory agency's penalty decision is "disproportionate" and that it undermines Italy's ambition to develop artificial intelligence.
The spokesperson pointed out, "When Garante ordered us to stop providing ChatGPT in Italy in 2023, we worked with them and then restarted the service a month later. They have recognized our industry-leading approach to protecting AI privacy, but this fine is almost twenty times the revenue we earned in Italy during the relevant period
Meanwhile, OpenAI stated that it will continue to comply with local privacy regulations and maintain cooperation with regulatory agencies.
Garante from Italy is one of the most proactive regulatory agencies in the EU when it comes to evaluating whether artificial intelligence platforms comply with EU data privacy regulations.
Garante pointed out that when imposing a fine of 15 million euros on OpenAI, the company's "cooperative attitude" was already taken into account, otherwise the amount of the fine could have been even greater.
According to the General Data Protection Regulation (GDPR) introduced by the European Union in 2018, any company found to have violated the regulations may face fines of up to 20 million euros or 4% of its global revenue.
GDPR requires compliance with principles of legality, fairness, transparency, purposefulness, data minimization, accuracy, storage limitations, and security when collecting and processing personal data. By imposing high fines and establishing government oversight agencies, the level of data protection has been significantly improved.