
Italian data protection authority bans ChatGPT over GDPR breaches


The Garante, the Italian Data Protection Authority, has effectively banned the popular AI chatbot ChatGPT and accused its creators OpenAI of “unlawful collection of personal data” in breach of the EU General Data Protection Regulation (GDPR) and of failing to implement age verification systems.

The Rome-based Garante is responsible for monitoring the application of GDPR and has ordered OpenAI to stop collecting Italian users’ data immediately until it amends its data collection practices.

A spokesperson for OpenAI told Computing: “We have disabled ChatGPT for users in Italy at the request of the Italian Garante. We are committed to protecting people’s privacy and we believe we comply with GDPR and other privacy laws.”

OpenAI was given 20 days to inform the authority about the corrective measures taken in response to the decision or face an administrative fine equal to €20 million or 4% of its global annual turnover.

The company has been accused of lacking lawful justification for the collection of users’ personal information, with the GPDP claiming OpenAI has no mechanism in place to stop underage users accessing the service.

The site will be blocked until OpenAI adheres to the EU privacy framework when processing the personal data of Italian users. The Italian data protection authority has also initiated an investigation into the American tech company.

Launched in November, ChatGPT has become one of the fastest-growing internet services, passing 100 million users in just two months. But according to the Garante, OpenAI has failed to inform users and individuals whose personal data has been processed to train the algorithm of its data processing practices.

Significantly, it is alleged the US company has no legal basis to justify the collection of personal data used to train its AI models. On 20 March, the AI-powered chatbot suffered a data breach regarding conversations and payment information of some subscribers to its premium services, ChatGPT Plus.

The Garante said it had run tests which saw ChatGPT provide inaccurate replies related to personal data, another potential breach of the EU data protection rulebook.

The ChatGPT ban reminds organisations and individuals of the dangers of private data being shared with a third party. This has ramifications for Directors & Officers Liability Insurance, Cyber Insurance, Professional Indemnity Insurance and Intellectual Property Insurance, depending on the nature of the breach and whose data it was.

W Denis Europe arranges comprehensive insurance for EEA-based businesses, large and small, including Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more. If you wish to discuss your insurance requirements, please visit or contact Vida Jarašiūnaitė or Mark Dutton
