The Italian Data Protection Authority announced on a Friday—March 31—that it has temporarily limited the processing of residents’ personal data by the ChatGPT chatbot. This move comes after a formal review by the supervisory authority, and it signals a precautionary step aimed at safeguarding user privacy as the technology operates within Italy. The regulator emphasized that a precautionary pause is in place while the authority assesses compliance with data protection rules and checks how personal information might be used in training and improvement of the system.
In its assessment, the watchdog notes that the American company behind the technology has not provided adequate information to users whose data may have been collected by OpenAI. This lack of clear user-facing disclosures raises questions about how individuals can exercise their data rights, including access, rectification, and deletion, within the context of a rapidly evolving AI service. The authority’s stance underscores the need for transparent notices that explain what data is collected, why it is collected, and how it is stored and processed.
The regulator also stated that there is no lawful basis for initiating large-scale collection and storage of personal data solely for the purpose of training or refining learning algorithms. Such bulk processing could conflict with established privacy safeguards and the principle of data minimization. The authority urged OpenAI to provide a concrete legal framework detailing purposes, retention periods, and safeguards, ensuring that data practices align with both national and European standards for data protection.
Additionally, the chatbot, which is described as being suitable for users aged 13 and older, lacks an age-verification filter. This missing safeguard could expose younger users to content or data processing practices that may not be appropriate for a 13-year-old audience. The Italian authority highlighted the importance of implementing reliable age checks and consent mechanisms to protect minors while still enabling access to AI tools for older users who can make informed choices about their data.
Earlier reporting noted a separate incident involving an alleged network leakage affecting ChatGPT users. Company representatives attributed the leak to a flaw in the AI system’s operation, and they stated that the breach involved personal data associated with user accounts. The authorities have indicated they will closely examine such incidents to determine whether proper security measures were in place and if users’ information was adequately protected, with attention to notification requirements and remediation steps. At stake is a clear, enforceable framework that balances the benefits of AI innovation with robust privacy protections across the country and beyond, with ongoing dialogue among regulators, developers, and the public eye.