According to a press release published on March 31, 2023, the Italian National Authority for Personal Data Protection said that ChatGPT violates the EU’s General Data Protection Regulation (GDPR) in more than one way. In their press release they say:
The Italian SA imposed an immediate temporary limitation on the processing of Italian users’ data by OpenAI
OpenAI is not established in the EU, however it has designated a representative in the European Economic Area. It will have to notify the Italian SA within 20 days of the measures implemented to comply with the order, otherwise a fine of up to EUR 20 million or 4% of the total worldwide annual turnover may be imposed.
The announcement does not make it clear what exactly the definition of “processing of Italian users’ data” is, however in cases like this, it is common for the related company to halt operations in order to make sure they are not in violation of the order, especially when there are large fines in order, effectively banning ChatGPT until some changes are made. For example, is a single ChatGPT prompt from a user in Italy considered “Italian users’ data”?
The english translation follows the original italian translation (and is located towards the bottom of the document).