OpenAI Fined €15M for ChatGPT Data Processing

• .What: OpenAI processed EU personal data to train ChatGPT without valid legal basis.
• .Who: EU residents whose data was scraped, plus minors bypassing weak age verification.
• .Data Exposed: Scraped personal data, user conversations, account details, and minors' interactions.
• .Outcome: Italian DPA fined OpenAI EUR 15M and ordered a public information campaign.

• .Personal data of EU residents contained within internet content scraped to build ChatGPT's training dataset
• .ChatGPT conversation data from EU users, including prompts containing personal information and health queries
• .User account information collected during registration without adequate age verification
• .Inaccurate personal information generated by ChatGPT's "hallucination" tendency about real individuals
• .Minor users' interaction data processed without parental consent

The primary finding concerned absence of a valid legal basis under Article 6 for processing personal data in web-scraped training data.

Contractual necessity (Article 6(1)(b)) was rejected because training an AI model on user data is not necessary for providing ChatGPT. Legitimate interest (Article 6(1)(f)) failed the balancing test because data subjects had no reasonable expectation their data would train a commercial AI system.

Article 5(1)(a) transparency violations were found. Age verification relied solely on self-declared date of birth with no actual verification. The EUR 15 million fine considered OpenAI's cooperation and the measures subsequently implemented.

Garante Provision No. 10085022, Garante Provision No. 9870832 (temporary ban), EDPB ChatGPT Taskforce Report, GDPR Articles 5, 6, 8, 13, 14, 25, 35