On Friday, March 30, 2023, the Italian Data Protection Authority (Garante Privacy) ordered OpenAI, the organization that owns ChatGPT, to temporarily suspend the processing of data of Italian users.
The decision comes in the aftermath of a data breach that affected ChatGPT and led to the disclosure of payment details and conversations of 1.2% of ChatGPT Plus users.
ChatGPT is accessible again in Italy. After a meeting with the Garante Privacy, OpenAI has introduced new data protection measures, as required by the Italian authority.
In particular, OpenAI has published a notice, dedicated to all users and non-users, in which it explains which personal data are processed for algorithm training and in what manner. European users are also given the right to object to the processing of their personal data. Regarding the minimum age requirement, OpenAI has included the requirement to confirm the date of birth on the service sign-up page, and provided a block on registration for users under thirteen years of age.
You can access the official press release here.
Underlying the Garante’s measure are four main reasons:
In light of this, the processing of personal data of users, including minors, and data subjects whose data is used by the service is in violation of the GDPR.
In an interview, Guido Scorza – one of the members of the Italian Garante – said that the Authority’s concern is mainly about the processing of data that is used to “train the algorithm.” The measure is therefore a precautionary measure and will kick off a more in-depth investigation. The Garante has given OpenAI twenty days to communicate the measures taken to implement what was requested, or the organization risks a penalty of up to 20 million euros or up to 4% of annual global turnover.
As a consequence, OpenAI decided to suspend the ChatGPT service for all users accessing from Italy and to refund all Italian users who purchased a ChatGPT Plus subscription.
So far, no other statements have been released by the American organization. The only statement is from Sam Altman, CEO of OpenAI, who announced on Twitter the decision to suspend ChatGPT for Italy:
We of course defer to the Italian government and have ceased offering ChatGPT in Italy (though we think we are following all privacy laws).— Sam Altman (@sama) March 31, 2023
Italy is one of my favorite countries and I look forward to visiting again soon!
The Garante’s measure could also lead other European Data Protection Authorities to make the same decision, as happened with Google Analytics.
iubenda’s CEO, Andrea Giannangelo, also shared his views on the matter. In an interview with the Italian newspaper La Repubblica, he said:
It amazes me that the message going out is that enforcing the European data legislation, the GDPR, is not needed. The whole world is going in the European direction, and having rules is the only way to make big companies respect users’ rights.
Check here 👉 5 things you need to do now to comply with GDPR
Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.