IA 360
Regulatory Framework

Italy Blocks ChatGPT Over Privacy and Child Safety Concerns

Italy’s data protection authority has ordered a temporary restriction on ChatGPT in the country, questioning the legal basis for using personal data and the lack of effective age verification.

4 min read Leer en español

Italy’s data protection authority on Friday ordered a temporary block on ChatGPT for users in Italy. The agency, known as the Garante, questioned whether OpenAI has a sufficient legal basis to collect and use the personal data it uses to train its system, and pointed to specific risks for minors.

The decision makes Italy the first Western country to directly suspend access to ChatGPT on data protection grounds. This is no theoretical debate: it affects a tool that, since its launch in November, has brought generative AI to millions of people and thousands of businesses.

What Italy is challenging OpenAI over

The Garante’s order immediately restricts OpenAI’s processing of Italian users’ data. The authority is examining a possible breach of the General Data Protection Regulation (GDPR), the European law that requires companies to clearly explain why personal data is collected and have a legal justification for using it.

The regulator identifies three main problems. The first concerns the information provided to ChatGPT users and to people whose data may have ended up in the material used to train models such as GPT.

The second is the legal basis for training. Large language models learn patterns by processing vast amounts of text. That capability makes it possible to draft, summarize, write code or hold a conversation, but it raises a difficult question: what happens when that text includes personal data published online or entered by users themselves?

The third is age. ChatGPT allows users to sign up from age 13, but the Garante says it has no effective way to verify that age. In the authority’s view, this could expose children to responses that are inappropriate for their level of development.

Recent security breach adds to the case

The intervention comes just days after OpenAI temporarily took ChatGPT offline because of an error in an open-source code library. The company said the bug may have exposed some users to the titles of other people’s conversations.

OpenAI also acknowledged that, during a nine-hour window on March 20, some ChatGPT Plus subscribers may have seen payment-related data belonging to other customers. This included names, email addresses, billing addresses, the last four digits of card numbers and expiration dates. The company said the number of people affected was small and contacted those who may have been exposed.

The incident is not the sole reason for the Italian order, but it provides context for the regulator’s concerns. ChatGPT does not work like a conventional search engine: users often paste documents, work-related queries, code snippets or personal information into it to get help. That makes the way conversations are stored and used a practical issue for individuals and businesses.

OpenAI has 20 days to respond

The Garante has given OpenAI 20 days to explain what measures it will take in response to the authority’s objections. If the company fails to provide a satisfactory response, the regulator can impose a fine of up to €20 million or 4% of the company’s total annual global turnover, whichever is higher under the GDPR.

OpenAI has said it complies with applicable privacy laws and is working to reduce the amount of personal data used to train its systems. The company has also argued that ChatGPT helps people in many countries and that it aims to work with regulators.

A warning for Europe’s generative AI rollout

Italy’s decision does not yet settle whether training a language model on information available online is compatible with European law. That question will likely remain in the hands of regulators, courts and lawmakers. But the order does anticipate the demands generative AI services will face in Europe: better explanations of how their data is used, tighter limits on the use of personal information and meaningful protections for minors.

For businesses, the episode is a wake-up call. Entering sensitive information into an external assistant can create privacy obligations even when the tool speeds up everyday tasks. Innovation does not eliminate those responsibilities; it makes them more urgent when an application reaches millions of users within a few months.

Share this article

This website uses cookies to improve the browsing experience. Cookie policy.