Italian Data Protection Authority Fines OpenAI EUR 15 Million Over ChatGPT GDPR Violations (2025)

Incident Summary

In January 2025, Italy’s data protection authority (Garante per la Protezione dei Dati Personali) imposed a EUR 15 million fine on OpenAI for violations of the General Data Protection Regulation (GDPR) related to the operation of ChatGPT.^[1][2] The Garante found that OpenAI had processed users’ personal data for training its AI models without establishing an adequate legal basis as required under GDPR, and had failed to implement effective age verification mechanisms to prevent minors under 13 from accessing the service.^[1]

The fine followed a prolonged regulatory engagement that began in March 2023, when the Garante temporarily banned ChatGPT in Italy — making it the first Western country to restrict the service — over privacy concerns.^[2][3] In addition to the financial penalty, the Garante ordered OpenAI to conduct a six-month public communication campaign in Italy to inform users about its data collection and processing practices.^[1] The fine amount, while substantial, was significantly lower than the maximum GDPR penalty of 4% of global annual turnover.^[3]

Key Facts

• Regulatory authority: Garante per la Protezione dei Dati Personali (Italy)
• Company fined: OpenAI
• Product: ChatGPT
• Fine amount: EUR 15 million
• Violations found: Processing personal data without adequate legal basis; lack of effective age verification for minors
• Additional orders: Six-month public communication campaign in Italy
• Context: Followed the Garante’s March 2023 temporary ban of ChatGPT (covered in INC-23-0003)

Threat Patterns Involved

Primary: Behavioral Profiling Without Consent — The Garante’s finding that OpenAI processed personal data without an adequate legal basis relates to the collection and use of user data — including conversational inputs — for model training, constituting a form of behavioral profiling that lacked proper consent mechanisms under GDPR.

Secondary: Data Imbalance and Bias — The lack of effective age verification mechanisms meant that data from minors under 13 may have been processed without adequate protections, contributing to data collection practices that failed to account for vulnerable populations.

Significance

1. First major GDPR fine against a frontier AI company. The penalty represents one of the first significant financial sanctions imposed by a European data protection authority specifically targeting the data practices of a large language model provider.
2. Legal basis for AI training data remains contested. The Garante’s finding that OpenAI lacked an adequate legal basis for processing personal data to train ChatGPT highlights an unresolved legal question that affects the entire large language model industry operating under GDPR jurisdiction.
3. Continuation of Italy’s regulatory leadership. The fine follows Italy’s 2023 temporary ban, establishing the Garante as one of the most active European regulators on AI privacy issues and potentially influencing how other EU data protection authorities approach similar investigations.
4. Proportionality debate. The EUR 15 million fine — while substantial in absolute terms — was significantly below the GDPR maximum, raising questions about whether current penalty structures are calibrated to effectively deter data protection violations by companies with annual revenues in the billions.