Italy Fines OpenAI €15M for GDPR Violations, Demands Public Data Practices Campaign
January 17, 2025
OpenAI is currently under scrutiny from Italy's data protection authority, Garante Per La Protezione Dei Dati Personali, for several data protection violations related to its AI model, ChatGPT.
In response to these violations, the GPDP has ordered OpenAI to conduct a six-month communication campaign aimed at informing the public about data processing practices and user rights under GDPR.
Additionally, the Garante imposed a fine of €15 million on OpenAI, which represents approximately 1.58% of the company's annual worldwide turnover for 2023.
This ruling marks a significant step in enforcing GDPR provisions and underscores the need for accountability in AI systems.
The investigation revealed that OpenAI failed to notify the Garante of a data breach that occurred in March 2023, which compromised user data, including chat histories and payment information.
Concerns were also raised regarding OpenAI's lack of age verification measures, which risked exposing minors to inappropriate content.
The campaign initiated by GPDP aims to educate both users and non-users about their rights under GDPR, including the rights to object, rectify, and delete their data.
The Garante rejected OpenAI's defense based on data protection impact assessments, finding no adequate legal basis for data processing prior to the public release of ChatGPT.
As OpenAI has established its European headquarters in Ireland, the GPDP has forwarded the case to the Irish Data Protection Authority, which will continue the investigation under the one-stop shop mechanism of GDPR.
The comprehensive review conducted by the Garante identified multiple violations, including the lack of a legal basis for processing personal data and failure to comply with user information obligations.
OpenAI plans to appeal the Garante's ruling, arguing that the imposed fine is disproportionate compared to its revenue generated in Italy.
This situation reflects a growing global focus on AI accountability, emphasizing the need for regulators to balance innovation with user privacy protection.
Summary based on 2 sources
Sources
Rouse • Jan 15, 2025
Data Privacy Violation: OpenAI/ChatGPT To Pay A Fine Of 15 Million Euros
Lewis Silkin • Jan 17, 2025
OpenAI Faces €15 Million Fine As The Italian Garante Strikes Again