you are being redirected

You will be redirected to the website of our parent company, Schönherr Rechtsanwälte GmbH :

28 April 2023

Data protection stopping machine overlords?

The Italian Data Protection Authority "Garante per la Protezione dei Dati Personali" recently banned the use of ChatGPT in Italy due to allegations of unlawful collection of personal data and the lack of an age verification system for children

ChatGPT is a well-known artificial intelligence chatbot developed by OpenAI. It is a simulated chatbot that was primarily created to fulfil customer service tasks. However, people tend to use it to perform many other tasks, such as writing essays, programming or predicting business developments. ChatGPT uses not only data from sources such as websites, articles or textbooks to improve its interaction with its users and to fulfil the set tasks, but also collects and processes data from the users and from the information they provide.

Italian proceedings

Following a data breach affecting ChatGPT users' conversations (title of conversation prompts and other chat history visible to other users) and data on payments (such as billing information, credit card type, last four digits of credit card number, etc.), the Italian DPA assessed ChatGPT's GDPR compliance. It found that no information on the processing of personal data was provided to data subjects using the chatbot service. Also, the DPA claims that there was no legal basis to lawfully collect and process the large amounts of users' personal data used to train the chatbot's algorithms. In addition, it was found that ChatGPT does not always provide reliable information, resulting in the processing of inaccurate personal data. Finally, the DPA states that due to the lack of a functional age verification system, children are exposed to answers from the chatbot that are inappropriate for their age and awareness. According to ChatGPT's terms and conditions, the service is aimed at people over the age of 13 years.

The DPA orders OpenAI to notify it within 20 days of measures implemented to ensure compliance with the GDPR, otherwise a fine under the GDPR (up to EUR 20m or 4 % of the company's global annual turnover) may be imposed. In addition, the DPA demands that OpenAI disclose more about its methods (especially how the algorithm is trained) and its business model.

OpenAI (not established in the EU but having a designated representative in the EEA) has reacted by geo-blocking the ChatGPT website to IP addresses from Italy. The founder of OpenAI, Sam Altman, stated that paying Italian customers will be refunded. However, he has also expressed his conviction that the processing of data from ChatGPT is lawful.

Effects in Europe

Other European DPA's are monitoring the Italian proceedings closely. A spokeswoman of the German DPA stated that the authority is "highly interested" in the results of the Italian compliance assessment. She also said that the German DPA has already requested further information on the blocking of ChatGPT and will forward this information to the relevant national authorities. The results of these proceedings and the findings of the DPA can have far-reaching effects throughout Europe. If the Italian DPA can sufficiently demonstrate a breach of the GDPR, other European data protection authorities would also have to take action against OpenAI.

German and Austrian politicians emphasise that AI must not be banned but instead sensibly regulated. It would be important not to provide for legal regulations after the fact, but to establish the conditions for safe and transparent use of AI before it is widely available.

Update: In the meantime, the German AI Taskforce of the DSK has also addressed this issue and initiated investigations.

Recommended user action

Since OpenAI states that it uses the data entered by its users as well as other data (not actively "fed" to ChatGPT), you need to be aware of what information you share with the chatbot and to not use it at all unless you accept that it processes other (user) data as well. Take great care when feeding company data or other proprietary and/or personal data into the chatbot and best avoid doing so.

If you plan to use ChatGPT, at least opt-out from its data tracking using the provided form from OpenAI under


Attorney at Law

austria vienna