Today, the Italian Data Protection Authority (Garante) announced that it has notified OpenAI of breaches of data protection law and, accordingly, opened sanction proceedings.
A brief recap of the story so far:
More specifically, during its initial review, the Garante identified OpenAI’s failures to comply with Articles 5, 6, 8, 13 and 25 of the GDPR, arising from the inadequacy of the privacy policy, the lack of a suitable legal basis for processing personal data for the purpose of training the AI system, the lack of an age verification mechanism, and the impossibility of ensuring the correctness of the personal data processed.
The measures implemented by OpenAI (including a more detailed privacy policy and description of the relevant legal basis for processing, the implementation of opt-out mechanisms from processing of personal data for AI system training purposes, the granting of an effective right to erasure and the adoption of an age gate) were deemed sufficient by the Garante to lift the temporary limitation on OpenAI’s processing activities in Italy.
Nonetheless, as noted in our previous articles (see here and here), the temporary limitation was an urgent remedy to foster the prompt achievement of a minimum level of compliance, while the Garante carried out a further investigation into the lawfulness of OpenAI’s processing.
After an in-depth investigation, the Garante noted that “the available evidence pointed to the existence of breaches of the provisions contained in the EU GDPR”. Whether such breaches are due to the insufficiency of the measures previously agreed by the Garante and OpenAI to ensure compliance with the GDPR, or concern other provisions of the GDPR, is yet to be determined.
This is the official opening of the sanction proceedings: OpenAI will now have 30 days to file its defence briefs (it being understood that OpenAI can in principle ask for an extension).
As stated in its press release (see here, both in Italian and in English), the Garante will also take into account the ongoing work of the special task force established by the European Data Protection Board. The outcome should therefore shed some light on generative AI systems and privacy for other EU jurisdictions as well.
We will further update you as more information becomes available. In the meantime, let us know if you need any clarifications!