
Italy Temporarily Bans ChatGPT Over GDPR Privacy Violations

Severity
High

Italy's data protection authority temporarily banned ChatGPT in March 2023 for GDPR violations including unlawful data collection, lack of age verification, and generating inaccurate personal information.

Category
Privacy Leak
Industry
Technology
Status
Resolved
Date Occurred
Mar 31, 2023
Date Reported
Mar 31, 2023
Jurisdiction
EU
AI Provider
OpenAI
Model
ChatGPT
Application Type
chatbot
Harm Type
privacy
Estimated Cost
$50,000,000
People Affected
13,000,000
Human Review in Place
No
Litigation Filed
No
Regulatory Body
Italian Data Protection Authority (Garante)
Tags
GDPR, privacy, regulatory_ban, ChatGPT, Italy, data_protection, age_verification, EU_regulation

Full Description

On March 31, 2023, Italy's data protection authority, the Garante per la protezione dei dati personali (Garante), issued an immediate temporary order limiting OpenAI's processing of Italian users' personal data through ChatGPT, making Italy the first Western country to block the chatbot. The order cited multiple violations of the EU General Data Protection Regulation (GDPR), chief among them the absence of a legal basis under Article 6 for collecting and processing the large volumes of personal data used to train the model.

The Garante identified several specific concerns. First, OpenAI had no adequate legal basis for processing the personal data of Italian users, and users and data subjects had not been properly informed that their data was being collected. Second, the service had no age verification mechanism: its terms restricted use to people aged 13 and over, but nothing enforced that, exposing minors to content unsuitable for their age and to data collection without a valid basis. Third, ChatGPT generated inaccurate information about real, identifiable people and offered data subjects no way to have it corrected, contrary to the accuracy principle in Article 5(1)(d) and the right to rectification in Article 16.

The order affected an estimated 13 million Italian users. OpenAI was required to stop processing Italian users' data immediately and was given 20 days to report the measures it had taken; a failure to comply carried a potential fine of up to 20 million euros or 4% of global annual turnover, whichever is higher, although no fine was imposed at that stage. OpenAI's immediate response was to geoblock access to ChatGPT from Italian IP addresses while it negotiated with the regulator.

OpenAI then worked with the Garante to address the compliance issues. It added an age-gate at sign-up, published clearer information about how personal data is processed and on which legal basis, gave users a way to opt out of having their conversations used for training, and established a form through which data subjects, including non-users, can object to processing or request the correction or removal of inaccurate information about themselves.

On April 28, 2023, after the Garante acknowledged that these measures met its requirements, ChatGPT became available again in Italy. The resolution required continued compliance, including a later commitment to run an age verification campaign, and set a precedent for how EU regulators would apply existing privacy law to generative AI systems. The incident highlighted the tension between rapid AI deployment and established data protection rules and shaped subsequent discussions about AI governance across the European Union.

Root Cause

OpenAI failed to establish adequate legal basis for processing personal data under GDPR, lacked proper age verification systems for minors, and generated inaccurate information about real individuals without providing correction mechanisms.

Mitigation Analysis

A GDPR compliance review before launch, identifying a lawful basis for training and serving on personal data, publishing an adequate privacy notice, and building a working age-verification or age-gate mechanism would have removed the grounds for the order. Giving data subjects a usable channel to object to processing and to request correction or removal of inaccurate outputs about them would have addressed the accuracy and rectification concerns.

Lessons Learned

The incident demonstrated that existing privacy regulations like GDPR apply fully to AI systems, requiring companies to establish clear legal bases for data processing and implement robust user protection mechanisms before deploying AI services in regulated markets.
