IT
Italy | Regulatory Framework Status: suspended (interim)
Effective: N/A
high

GPDP case on ChatGPT — EUR 15m fine and six‑month information campaign

Press release — ChatGPT: the Italian DPA closes the investigation; OpenAI must run a six‑month information campaign and pay a EUR 15 million fine

I. Regulatory Summary

High enforcement relevance for providers of generative AI services that process personal data. Requires robust legal-basis analysis for training, clear transparency for users and non‑users, and age‑safeguards. Demonstrates significant financial exposure (EUR 15m) and reputational impact via mandated public communications.

II. Full Description

## Context and nature of the instrument This document is a GPDP press release summarising a sanctioning decision concerning OpenAI’s ChatGPT. ## Scope and key findings (as described) - The GPDP concludes the investigation and identifies GDPR compliance issues, including transparency, legal basis for processing personal data for training, and age protection. - It also references issues linked to March 2023 (including breach notification). - The file is transmitted to the Irish DPC for continuation of the cross‑border procedure. ## Measures and consequences - Administrative fine: EUR 15 million. - Corrective measure: a six‑month institutional information campaign across media and online channels. - The press release notes an interim judicial suspension of the GPDP decision by the Court of Rome, subject to the posting of a security. ## Dates - Document date/publication: 20 December 2024.

III. Scope & Application

Announces the GPDP’s sanctioning decision concerning OpenAI’s ChatGPT service. The authority finds GDPR breaches related to transparency and legal basis for processing personal data for model training, age‑verification/child protection, and (for March 2023) data breach notification. It orders an institutional public information campaign lasting six months and imposes an administrative fine of EUR 15 million. The file is also transmitted to the Irish DPC for the continuation of the cross‑border procedure. The document notes an interim judicial suspension of the GPDP decision by the Court of Rome (conditional on a security).

IV. Policy Impact Assessment

High enforcement relevance for providers of generative AI services that process personal data. Requires robust legal-basis analysis for training, clear transparency for users and non‑users, and age‑safeguards. Demonstrates significant financial exposure (EUR 15m) and reputational impact via mandated public communications.

Primary Focus: gdpr_enforcement_on_ai_services