The Italian Data Protection Authority has once again reported OpenAI for non-compliance with privacy regulations

The Italian Data Protection Authority has once again reported OpenAI for non-compliance with privacy regulations

Italy has done it again. Almost a year after the restriction imposed by the Italian Data Protection Authority, the Italian regulator has once again accused OpenAI of violating several provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, “General Data Protection Regulation” or “GDPR”).

Background to the OpenAi complaint

Let’s remember that in March 2023, Italy imposed an emergency measure due to the following breaches by ChatGPT:

1. Lack of information about data processing. Articles 13 and 14 of the General Data Protection Regulation require data subjects to be informed about the processing of their personal data. The information to be provided will depend on whether the data has been obtained directly from the data subject or not.
2. Lack of a proper legal basis for lawful processing of personal data. According to Article 6 of the GDPR, for processing to be lawful, one of the legal bases provided by the same article must be met, including: the data subject’s consent, performance of a contract, compliance with a legal obligation, protection of vital interests of the data subject or another natural person, for reasons of public interest, or for the legitimate interests pursued by the controller.
3. Inaccuracy of data and absence of age verification for users. One of the processing principles stated in the General Data Protection Regulation is the accuracy of the processed data. Article 5 states that “personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”

The Italian supervisory authority gave the technology company a 20-day deadline to demonstrate compliance with the law.

Almost a month after the restriction, Italy lifted the ban after OpenAI made a series of changes. Now the website displays detailed information on what personal data is collected and how it is processed for algorithm training.

Additionally, users now have the option to object to their data being used to train AI models. Registration is no longer required to learn about data processing practices in detail. A new welcome page has been included, referring to the new privacy policy and methods of personal data processing for AI model training.

The company has informed users that, although it will continue to process certain personal data to ensure the proper functioning of the service, it will process their personal data for algorithm training purposes unless they indicate otherwise with the provided alternatives. Users who have already registered must declare that they are of legal age to use the service.

Finally, new users must provide their date of birth, and registration will be blocked if they are under 13 years old and do not have consent from their parents or legal guardians to use the service.

OpenAI conveyed via email to Reuters that they believe their practices are in line with EU privacy laws and that they were actively working “to minimize personal data in the training of our systems like ChatGPT” and plan to “continue working constructively with the Authority.”

Report OpenAi for data protection violations

However, apparently, these measures have not been sufficient for the Italian Data Protection Authority, which, on January 29, through an official statement, notified that there are still violations of data protection legislation.

The exact principles that OpenAI would be violating are unknown, but we know they are related to data collection and age protection. Italy has given OpenAI a 30-day deadline to make their allegations and has the participation of the special working group created by the EDPB to specifically address the presence of ChatGPT in Europe.

This 30-day deadline has already passed, and we have no news of OpenAI’s statement. We assume they will be very busy preparing for the launch of ChatGPT-5.