Italy Fines OpenAI For Failing To Disclose A Data Breach

Tyler Cross Senior Writer
Published on: December 26, 2024

Italian authorities fined OpenAI €15 million for failing to disclose a data breach in March 2023, among other issues. OpenAI is the parent company of the ChatGPT AI model. Since its release in 2022, the model has exploded in popularity while also collecting a large amount of personal data on its users, which has unfortunately made it a key target for hackers and cyber threats.

According to a release by the Italian Data Protection Authority (GPDP), OpenAI failed to notify authorities after it was breached and processed user data without first providing legal justifications for the data it collected.

OpenAI also doesn’t implement any age verification systems. This means that minors could easily use ChatGPT to generate inappropriate responses. ChatGPT can also provide links to its users, which minors could click on to find websites that they otherwise wouldn’t find.

The Italian Authority also ordered OpenAI to run a six-month-long campaign to promote awareness and understanding of how to use ChatGPT safely, with a focus on how it utilizes user data. The power to make a company run such an awareness campaign is brand new; this is the first time that Italy has used it.

“Through this communication campaign, users and non-users of ChatGPT will have to be made aware of how to oppose generative artificial intelligence being trained with their personal data and thus be effectively enabled to exercise their rights under the GDPR,” the report reads.

“Finally, in view of the fact that the company established its European headquarters in Ireland in the course of the preliminary investigation, the Data Protection Authority, in compliance with the so-called one stop shop mechanism, forwarded the procedural documents to the Irish Data Protection Authority (DPC),” it states.

“Which became lead supervisory authority under the GDPR so as to continue investigating any ongoing infringements that have not been exhausted before the opening of the European headquarters.”

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.
