Italy Temporary Ban on ChatGPT for GDPR Violations (2023)

Incident Summary

On March 30, 2023, the Italian data protection authority (Garante per la Protezione dei Dati Personali) issued an emergency order temporarily restricting OpenAI from processing the personal data of Italian users through its ChatGPT service.^[1] The action followed a data breach on March 20, 2023, in which some users were able to see other users’ chat titles and, in some cases, payment information. The Garante’s order identified four specific concerns: the absence of a legal basis for the mass collection and processing of personal data used to train ChatGPT’s algorithms; the lack of age verification systems to prevent minors under 13 from accessing the service; the potential for the system to generate inaccurate information about individuals; and insufficient transparency regarding data processing practices.^[1]

OpenAI blocked access to ChatGPT in Italy following the order. On April 11, 2023, the Garante issued a detailed list of requirements that OpenAI needed to fulfill before the service could resume. These included implementing an age verification mechanism, providing clear privacy disclosures, offering users the ability to opt out of having their data used for model training, and establishing a legal basis for data processing.

OpenAI implemented the required changes, and ChatGPT service was restored in Italy on April 28, 2023. However, the Garante’s investigation continued, and in December 2024, the authority announced a EUR 15 million fine against OpenAI for violations of the General Data Protection Regulation. Italy’s action was the first instance of a national regulator restricting a major generative AI service and prompted data protection authorities across Europe to examine similar concerns.

Key Facts

• Regulatory authority: Garante per la Protezione dei Dati Personali (Italian Data Protection Authority)
• Duration of ban: March 31 to April 28, 2023 (approximately one month)
• Grounds: Absence of legal basis for data processing, no age verification, inaccurate personal information generation, insufficient transparency
• Precedent: First national ban of a major generative AI service
• Fine: EUR 15 million imposed on OpenAI (announced December 2024)
• Resolution: Service restored after OpenAI implemented privacy controls and age verification

Threat Patterns Involved

Primary: Sensitive Attribute Inference — The Garante identified that ChatGPT could generate and infer sensitive personal information about individuals without their consent, raising concerns about the system’s capacity to produce detailed personal profiles.

Secondary: Behavioral Profiling Without Consent — The mass collection of user interaction data and the use of personal data for model training without adequate legal basis or user consent constituted a form of behavioral profiling that violated GDPR principles.

Significance

1. First regulatory restriction of a major AI service. Italy’s temporary ban on ChatGPT was the first instance of a national data protection authority restricting access to a widely used generative AI service, establishing a precedent for regulatory action.
2. GDPR applicability to generative AI. The case established that existing data protection regulations, specifically the GDPR, apply to the training and operation of large language models, including the collection of training data and the generation of personal information.
3. Regulatory coordination across Europe. The Italian action prompted parallel investigations by data protection authorities in France, Germany, Spain, and other EU member states, creating a coordinated regulatory approach to generative AI privacy concerns.
4. Industry-wide privacy reforms. In response to the ban and ongoing investigations, OpenAI and other AI companies implemented privacy controls including data opt-out mechanisms, age verification, and improved transparency disclosures across their European operations.