All posts by Elisabetta Trecani


1. An Order to Stop ChatGPT

On March 30, 2023 the Italian Data Protection Authority (“Garante”) issued an order by which it temporarily banned the ChatGPT platform (“ChatGPT”) operated by OpenAI LLC (“OpenAI”). The Garante in fact regards ChatGPT as infringing Articles 5, 6, 8, 13 and 25 of the GDPR. In particular:

  • No Information.  OpenAI does not provide any information to users, whose data is collected by OpenAI and processed via ChatGPT;
  • No Legal Basis.  There is no appropriate legal basis in relation to the collection of personal data and their processing for the purpose of training the algorithms underlying the operation of ChatGPT;
  • No Check of User’s Age.  OpenAI does not provide for any verification of users’ age in relation to the ChatGPT service, nor any filters prohibiting use by users aged under 13.

Given that, the Garante has immediately banned the use of ChatGPT, and OpenAI has blocked access to ChatGPT for the Italian people.

2. Measures Offered by OpenAI

On April 11, 2023, in light of the willingness expressed by OpenAI to put in place measures to protect the rights and the freedom of the users of ChatGPT, the Garante issued a new order, which opened the possibility to re-assess ChatGPT if OpenAI adopts the following measures:

  1. to draft and publish an information notice to data subjects, which should be linked so that it can be read before the registration;
  2. to make available, at least to data subjects who are connected from Italy, a tool to exercise their right to (i) object, (ii) obtain a rectification, insofar as such data have been obtained from third parties, or (iii) the erasure of their personal data;
  3. to change the legal basis of the processing of users’ personal data for the purpose of algorithmic training, by removing any reference to contract and instead relying on consent or legitimate interest;
  4. to include a request to all users connecting from Italy to go through an “age gate” and to submit a plan for the deployment of age verification tools; and
  5. to promote a non-marketing-oriented information campaign by May 15, 2023 on all the main Italian mass media, the content of which shall be agreed upon with the Italian Authority.

OpenAI has until April 30, 2023 to comply (until May 31, 2023 to prepare a plan for age verification tools). The objections by the Garante have been echoed by other European Union data protection authorities. The European Data Protection Board will be attempting to solve the dispute within two months and has launched a dedicated task force on ChatGPT “to exchange information on possible enforcement actions conducted by data protection authorities.”

New Rules On Whistleblowing

On December 9, 2022, a bill to implement Directive (EU) 2019/1937 on whistleblowing was submitted to the President of the Chamber of Deputies.

The draft envisages several obligations for entities in the public and private sectors, including an obligation to activate a whistleblowing channel (internal or external) that guarantees the confidentiality of the identity of the reporting person, unless the reporting person gives express consent; of the person involved; of the person otherwise mentioned in the report; and of the content of the report and any related documentation.

Such reports may be made either in written or oral form, through telephone lines or voice messaging systems; the reporting person may request that a face-to-face meeting be scheduled.

The Italian Anti-Corruption Authority, after having heard the Italian Data Protection Authority, must adopt, within 3 months of the adoption of the legislation, specific guidelines on procedures for handling external reports.

To comply with personal data protection legislation, it will be necessary to:

  • Prepare adequate privacy notices regarding the processing of data collected within the reporting process;
  • Adopt appropriate technical and organizational measures to ensure an adequate level of confidentiality of the information of the reporting person and the person involved, as well as the content of the report and related documentation, to be identified on the basis of a data protection impact assessment;
  • Give an express authorization to the parties who will receive reports to process personal data;
  • Formally appoint all parties that process data related to the reports (i.e., external providers) as data processors.

The draft also provides that data related to internal and external reports, as well as related documentation, may be retained for up to a maximum of 5 years from the date of the communication of the final outcome of the reporting procedure.

Retaliation against reporting persons is prohibited and sanctions can be applied as a result.

Once approved, the whistleblowing legislation will take effect 4 months after the date of its entry into force, except for private-sector entities that have employed, over the past year, an average of not less than 50 and not more than 249 employees, with unlimited term or fixed-term employment contracts, for whom the provisions of the legislation will take effect as of December 17, 2023.