BREAKING: I told you the EDPB opinion was GAME-CHANGING: only 2 days after it was published, the Italian Data Protection Authority imposed a 15 million euro fine on OpenAI based on it. THIS WAS FAST! What you need to know:
"The provision, which ascertains the violations previously contested to the Californian company, comes at the end of an investigation started in March 2023 and after the EDPB published the opinion with which it identifies a common approach to some of the most relevant issues relating to the processing of personal data in the context of the design, development and distribution of services based on AI.
According to the Garante [Italian DPA], the US company, which created and manages the generative AI chatbot, in addition to not having notified the Authority of the data breach suffered in March 2023, processed users' personal data to train ChatGPT without first identifying an adequate legal basis and violated the principle of transparency and the related information obligations towards users. Furthermore, OpenAI has not provided mechanisms for age verification, with the consequent risk of exposing minors under 13 to responses that are unsuitable for their level of development and self-awareness.
The Authority, with the aim of ensuring, first and foremost, effective transparency in the processing of personal data, has ordered OpenAI (...) to carry out a 6-month institutional communication campaign on radio, television, newspapers and the Internet.
The contents, to be agreed with the Authority, will have to promote public understanding and awareness of the functioning of ChatGPT, in particular on the collection of data from users and non-users for the training of generative AI and the rights exercisable by the interested parties, including those of opposition, rectification and cancellation.
Thanks to this communication campaign, ChatGPT users and non-users should be made aware of how to oppose the training of generative artificial intelligence with their personal data and, therefore, be effectively placed in the position to exercise their rights under the GDPR.
The Garante has imposed a fine of fifteen million euros on OpenAI, also calculated taking into account the company's collaborative attitude.
Finally, given that the company, during the investigation, established its European headquarters in Ireland, the Garante, in compliance with the so-called one-stop shop rule, transmitted the documents of the procedure to the Irish DPC, which has become the lead supervisory authority pursuant to the GDPR, so that it can continue the investigation in relation to any violations of a continuing nature that did not end before the opening of the European establishment."
[automatic translation of the press release]