The Italian data protection authority (Garante per la protezione dei dati personali) (Garante) made headlines in March 2023 when it announced its decision to temporarily ban a popular generative AI tool.
The Garante is considered one of the most active national data protection authorities (DPAs) in the EU, having issued the second highest total number of European General Data Protection Regulation (GDPR) fines so far. Its enforcement style is characterised by a large volume of moderately high fines, as well as individual multi-million-euro fines in the TMT and energy sectors. Within the Italian enforcement landscape, Italy’s competition authority (Autorità garante della concorrenza e del mercato) (AGCM) also integrates data protection concerns into its assessment of anti-competitive behaviour. The AGCM has issued several multi-million-euro antitrust fines in relation to companies’ data practices.
Generative AI chatbots – an enforcement priority for the Italian DPA
On 31 March 2023 the Garante announced a temporary ban on the processing of the personal data of Italian generative AI users. In the Garante’s view, the generative AI tool's processing of personal data allegedly lacks a sufficient legal basis of processing (Art. 6(1) GDPR), is inaccurate in some cases and does not comply with the GDPR’s transparency requirements. In addition, the Garante alleges that there are not sufficient controls in place to verify the age of users of this tool. On 12 April 2023, the Garante further announced that it would suspend the temporary ban of the tool unless certain measures would be implemented by 30 April 2023, including (i) complying with alleged information duties and legal basis for processing, and (ii) providing for means for deletion of personal data as well as for age verification mechanisms.
Following Italy’s lead, a number of DPAs across the EU (eg Germany, France and Spain) have initiated preliminary investigations into the popular generative AI tool. On 13 April 2023, the European Data Protection Board launched a dedicated task force on this tool.
Hefty fines for TMT and energy companies in Italy
Aside from AI-powered chatbots being a recent enforcement priority for the Garante, large telecommunications companies are particularly vulnerable to GDPR fines in Italy. The TMT sector accounts for almost two-thirds of the total fines imposed by the Garante so far. TMT companies have also received six of the ten highest fines in Italy. The highest fine ever issued by the Garante (€27.8m) was imposed on a leading Italian telecommunications provider. Yet, the Garante does not only target data-heavy businesses. It has also imposed significant fines on companies in the retail and energy sectors. A case in point is the enforcement action it took against an Italian electricity and gas provider, which resulted in a €26.5m fine.
The Garante’s approach to GDPR enforcement
Nearly 50 percent of the fines issued by the Garante relate to a lack of a legal base of processing. The Garante has handed down a total of 29 fines for infringements of Art. 15 GDPR, making Italy the most active jurisdiction in the EU for the enforcement of cases of non-compliance with data subject access requests. Another focal point of the Garante’s GDPR enforcement has been the unlawful processing of users' personal data for telemarketing purposes.
The Garante's enforcement style in terms of the volume and severity of fines imposed differs from that of other DPAs. Some DPAs have only initiated a small number of fine proceedings, but these have resulted in exorbitant multi-million-euro fines (eg the average fine of the Irish DPA is €65m). In contrast, the Garante's GDPR enforcement is characterised by a high volume of fine proceedings, most of which do not result in multi-million-euro fines, but in moderately high fines (the Garante's average fine is €470,000). Although the Garante generally appears to be selective when it comes to large-scale enforcement actions, the fines imposed already have showcased its willingness to impose severe fines for GDPR infringements.
We will continue to monitor data protection enforcement developments, including on generative AI tools and their potential impact on data protection. For more information, please contact your local Freshfields contact.