The regulator emphasized the importance of informing users and non-users about how to oppose the training of AI.

OpenAI's ChatGPT is facing a steep €15 million fine from Italy's data protection authority. The penalty involves alleged data breach and misuse of personal information.

According to a statement by the regulator, the investigation began in March 2023 after a data breach involving ChatGPT raised concerns. The Italian Data Protection Authority (IDPA), also known as the Garante, uncovered several violations, including OpenAI's failure to notify the breach and its use of personal data to train its AI model without an adequate legal basis.

These actions, the IDPA said, violated principles of transparency under the General Data Protection Regulation (GDPR). Further concerns arose about the lack of effective age verification mechanisms, leaving minors under 13 exposed to potentially inappropriate responses from the chatbot.

"OpenAI has not provided mechanisms for age verification, with the consequent risk of exposing minors under 13 to responses that are unsuitable for their level of development and self-awareness, the regulator wrote.

The IDPA has now ordered OpenAI to execute a six-month public information campaign across radio, television, newspapers, and online platforms. The campaign aims to educate the public on how generative AI works, the data it collects, and how users can exercise their GDPR rights, such as data rectification or opposition.

The fine reflects OpenAI's partial cooperation during the investigation, which the IDPA acknowledged in its final ruling. Additionally, OpenAI's establishment of a European headquarters in Ireland during the investigation triggered the GDPR's one-stop shop rule. This means further inquiries into ongoing compliance will be overseen by Ireland's Data Protection Authority.

"ChatGPT users and non-users should be made aware of how to oppose the training of generative artificial intelligence with their personal data and, therefore, be effectively placed in the position to exercise their rights under the GDPR, the regulator noted.