OpenAI Fined €15M for ChatGPT Data Processing

Dec 2024 · €15M fine

Publication Date: 2024-12-01
Category: Regulatory Enforcement
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

The Italian Data Protection Authority (Garante per la protezione dei dati personali) fined OpenAI EUR 15 million in December 2024 for multiple GDPR violations related to ChatGPT's processing of personal data for AI model training and its failure to implement adequate age verification mechanisms. The enforcement action concluded an investigation that began in March 2023, when the Garante temporarily banned ChatGPT in Italy. That ban was the first regulatory action against a generative AI service in Europe.

Executive Summary

KEY FACTS

  • What: OpenAI processed EU personal data to train ChatGPT without valid legal basis.
  • Who: EU residents whose data was scraped, plus minors bypassing weak age verification.
  • Data Exposed: Scraped personal data, user conversations, account details, and minors' interactions.
  • Outcome: Italian DPA fined OpenAI EUR 15M and ordered a public information campaign.

Impact Assessment

WHAT WAS EXPOSED

  • Personal data of EU residents contained within internet content scraped to build ChatGPT's training dataset
  • ChatGPT conversation data from EU users, including prompts containing personal information and health queries
  • User account information collected during registration without adequate age verification
  • Inaccurate personal information about real individuals, generated by ChatGPT's "hallucination" tendency
  • Minor users' interaction data processed without parental consent

Compliance Impact

REGULATORY ANALYSIS

The primary finding concerned the absence of a valid legal basis under Article 6 for processing personal data in web-scraped training data. Contractual necessity (Article 6(1)(b)) was rejected because training an AI model on user data is not necessary for providing ChatGPT. Legitimate interest (Article 6(1)(f)) failed the balancing test because data subjects had no reasonable expectation that their data would train a commercial AI system. Article 5(1)(a) transparency violations were also found. Age verification relied solely on a self-declared date of birth with no actual verification.

The EUR 15 million fine considered OpenAI's cooperation and the measures subsequently implemented.

References

SOURCES

  • Garante Provision No. 10085022
  • Garante Provision No. 9870832 (temporary ban)
  • EDPB ChatGPT Taskforce Report
  • GDPR Articles 5, 6, 8, 13, 14, 25, 35