The Italian watchdog overseeing data protection has told Microsoft-backed artificial intelligence chatbot application ChatGPT to stop processing citizens’ personal data in the country. Garante, the watchdog, stands out as one of the European Union’s most proactive entities in evaluating AI platform adherence to the bloc’s data privacy regulations. Last year, it temporarily prohibited ChatGPT due to an alleged violation of EU privacy rules. The ban imposed in March forced the company to turn off the chatbot for users in Italy while it re-designed the tool.
Its Monday decision cited four ways the company was breaking data protection laws. These include failing to tell users about its collection practices, using inaccurate information about them, failing to meet any of six possible legal justifications for processing their data, and preventing children under 13 from using the service.
Garante expects the company to comply with its requests within 20 days or face fines of up to 22 million euros ($22 million) or 4% of global revenue. The watchdog also cited a data breach the company experienced that compromised ChatGPT subscribers’ conversations and payment details.
The company’s failure to verify users’ age was the watchdog’s most glaring fault in its review. This exposed minors to receiving responses “that are inappropriate for their level of development and awareness,” the watchdog said. It argued that failing to do so also violated children’s privacy and data protection rights.
In a statement, Garante said it had asked OpenAI to implement mechanisms for age verification and a public campaign to inform citizens of their rights to opt out of having their data used for training AI algorithms. It also wants the company to stop using inaccurate information about people and provide them with a bundle of their data, as the GDPR allows.
According to one lawyer, Italy’s actions are likely to be closely watched by privacy regulators across Europe. “I suspect that regulators in France, Germany, and Ireland are already reaching out to their counterparts in Italy to learn more about the reasons for the ban on the ChatGPT processing of data of Italian citizens,” Edward Machin, a partner at Law fa firm Ropes & Gray, told Reuters.
The watchdog says it will consider the defense arguments submitted by the company before deciding on further steps. If satisfied with the company’s changes, it may decide to lift the ban. It may also decide to refer the case to a group of national data protection supervisors set up to support investigations and enforcement in this area. The group includes national supervisory authorities from Belgium, France, Ireland, Germany, Sweden and the United Kingdom. Its members will meet on April 30. The meeting comes amid growing concern over the impact of generative AI systems such as ChatGPT and Replika on personal privacy. The EDPB is drafting regulations requiring developers of these systems to ensure that they consider data protection concerns from the outset.