Italy’s Garante imposes and then withdraws a ban on ChatGPT
On 28 April, the Garante, Italy’s Data Protection Authority, announced that it had reinstated ChatGPT in Italy because the company had cooperated in responding to the Garante’s concerns expressed in an Order dated 11 April.
On 31 March, the Garante imposed a temporary ban on Open AI’s ChatGPT. The regulator took action after having received a report on 20 March that a data breach had occurred affecting ChatGPT users' conversations, and information on payments by subscribers.
When announcing an immediate temporary limitation on the processing of Italian users' data by OpenAI, the US-based company developing and managing the platform, the Garante based its decision on:
- lack of information provided to users and data subjects whose data is collected by Open AI; and
- an insufficient legal basis underpinning the massive collection and processing of personal data in order to 'train' the algorithms on which the platform relies.
At the same time, the Garante launched an enquiry into the ChatGPT Service and the discussion with OpenAI is continuing.
The regulator overturned its initial ban as OpenAI responded to many of the Garante’s objections and applied them to its service across Europe.
In short, Open AI stated that:
- everyone had a right to opt-out of processing by means of an online, easily accessible online form
- it has introduced mechanisms to enable data subjects to obtain erasure of information they consider inaccurate
- it has implemented a form to enable all European users to opt-out from the processing of their personal data and thus to filter out their chats and chat history from the data used for training algorithms.
However, this is not the end of the matter. The Garante stated that it welcomes the OpenAI measures so far but called on the company to implement an age verification system, and conduct an information campaign to inform Italians of what happened as well as of their right to opt-out from the processing of their personal data for training algorithms.
The European Data Protection Board has discussed the Garante’s original position and established an investigation task force.