Luka Inc. – €5,000,000 Fine (Italy, 2025)
Luka Inc. was fined €5 million for failing to properly protect the personal data of users of its Replika chatbot. The chatbot, designed to help users with emotional issues, was found to have serious compliance issues, especially regarding minors. This case highlights the importance of data protection for companies offering online services.
What happened
Luka Inc. failed to implement necessary measures to protect the personal data of users of its Replika chatbot.
Who was affected
Users in Italy, particularly minors who interacted with the Replika chatbot.
What the authority found
The Italian data protection authority found that Luka Inc. violated multiple GDPR articles by not ensuring proper data protection measures.
Why this matters
This ruling emphasizes that companies must take data protection seriously, especially when their services target vulnerable groups like minors. Other businesses should review their data handling practices to avoid similar penalties.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
US company Luka Inc. (the controller) made available Replika, a chatbot based on generative AI. Replika was meant to be a virtual companion that could help users track their mood, cope with stress, and work out their emotional and psychological problems. Replika could be configured to fulfil various roles, including therapist and romantic partner.

Replika gained attention from international media after it allegedly encouraged minors to engage in self-harm. The news prompted an ex officio investigation from the DPA. In early 2023 the Italian DPA ordered the controller to halt the processing of personal data of all users in Italy, as a precautionary measure. In this early phase of the procedure, the DPA found evidence of possible GDPR violations and reserved the right to investigate further.

Months later the DPA lifted the ban on the condition that the controller took steps to ensure Replika’s compliance with data protection law, including implementing an effective age verification system to prevent minors from accessing the service. The controller made Replika available again after the ban was lifted.

In May 2025 the DPA issued a final decision and closed the procedure. The DPA reserved the right to further investigate certain aspects of the case in a different procedure. The DPA found violations of Articles 5(1)(a), 5(1)(c), 6, 12, 13, 24, and 25(1) GDPR. The DPA fined the controller €5,000,000. This is a notably high fine amounting to 2% of the controller’s global turnover - half the statutory maximum under the GDPR.

On the scope of the decision
In its decision, the DPA found violations of the principles of lawfulness and transparency based on the version of Replika’s privacy notice in force in February 2023 (the date of the DPA’s order to halt the processing). The controller later made changes to its notice. The DPA reserved the right to open a second investigation on lawfulness, based on the controller’s up-to-date notice. The DPA also found that the controller
Details
Fine Date: 14 May 2025
Authority: Garante per la protezione dei dati personali
Fine Amount: €5,000,000
GDPRhub ID: gdprhub-9256
Cite as: Cookie Fines. Luka Inc. - Italy (2025). Retrieved from cookiefines.eu