OpenAI – €15,000,000 Fine (Italy, 2024)
OpenAI was fined for a data breach that exposed users' personal information, including names and credit card details. This incident occurred due to a technical error that allowed users to see each other's chat histories. This case is significant as it shows the importance of promptly reporting data breaches and protecting user data.
What happened
OpenAI experienced a data breach that exposed users' personal information due to a technical bug.
Who was affected
Users of the ChatGPT service whose personal information was exposed were affected.
What the authority found
The authority found that OpenAI failed to notify the data breach within the required timeframe under GDPR rules.
Why this matters
This ruling serves as a reminder for companies to have robust data protection measures and to act quickly in reporting breaches to protect user privacy.
GDPR Articles Cited
On 20 March 2023, a technical bug on the ChatGPT service caused users to view the chat history of other users instead of their own for a limited amount of time. The controller, OpenAI, publicly acknowledged the issue and confirmed that the exposed data included names, surnames, email addresses, and the last four digits and expiration dates of credit cards used for ChatGPT Plus (the paid version of the service). Following this data breach, the Italian DPA started an ex officio investigation.

First, the DPA considered whether the one-stop-shop mechanism would apply. More specifically, the DPA considered that, at the time of the alleged violations, the controller was established in California and did not have any indicated establishment in the EU. In fact, ChatGPT has been available in the EU since 30 November 2022, as also confirmed by the controller. The controller had an establishment in Ireland only from 15 February 2024. Therefore, the DPA found that, for every alleged violation of the GDPR that happened before 15 February 2024, the one-stop-shop mechanism does not apply and the DPA has jurisdiction to rule on the matter.

Second, the Italian DPA concluded its investigation and held that:

Violation of Article 33(1) GDPR

The controller is under the obligation to notify any data breach to the DPA within 72 hours according to Article 33(1) GDPR. The controller states that it notified the data breach to the Irish DPA, as it was in the process of setting up its Irish registered office when the breach happened. The DPA considered that, during the breach, the controller was based in the U.S.A. and did not have any establishment in the EU. The DPA highlighted that, where a controller does not have an establishment in the EU, Article 56 GDPR does not apply in favour of the general rule laid out in Article 55(1) GDPR, according to which each supervisory authority is competent to execute the tasks assigned to it and to exercise the powers conferred upon it under the
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (1)
Other enforcement actions involving OpenAI in IT
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
20 December 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€15,000,000
GDPRhub ID
gdprhub-8679
Cite as: Cookie Fines. OpenAI - Italy (2024). Retrieved from cookiefines.eu