Italian data regulator not standing for privacy violations by city or company

Italy’s data protection agency, the Garante per la protezione dei dati personali, is taking issue with uses of AI and video surveillance tools that it says violate national data privacy laws.

We know it was you, Trento

The Garante has imposed a €50,000 (~US$54K) fine on the municipality of Trento in the Italian Alps, for overstepping legality in scientific research for its EU-funded smart city projects. Of particular issue were the initiatives dubbed Marvel and Protector. Marvel involved algorithmic monitoring of public video and audio surveillance footage for potential risks to public safety. Protector focused specifically on securing places of worship, and included the collection and sentiment analysis of social media content deemed hateful or threatening.

Trento’s research experiment was a textbook of bad practices, exemplifying the risks that arise when enthusiasm for new technology oversteps legal rights. Garante says the municipality failed in matters of transparency and disclosure, consent to share data with third parties, technical acuity in applying anonymization techniques, and proper protocol in conducting impact assessments.

In its assessment, Garante says Trento “does not include scientific research among its institutional purposes” and “has not proven the existence of any legal framework capable of justifying the processing of personal data.” It furthermore condemns the town for “massive and invasive processing methods put in place, which entailed significant risks for the rights and freedoms of the interested parties, including those of a constitutional nature.”

OpenAI faces potential fine of €20 million for unlawful practices and safeguards

The Italian data protection agency is equally cross at ChatGPT. Garante has imposed an immediate temporary limitation on the processing of Italians’ data by OpenAI, which owns and manages the groundbreaking AI chatbot. It says OpenAI is collecting users’ data without their knowledge, that it harvests and processes inaccurate data, and that – like the projects in Trento – it is operating without any legitimate legal underpinning.

One particular objection is the lack of an age verification mechanism for ChatGPT, which “exposes children to receiving responses that are absolutely inappropriate to their age and awareness,” despite the terms of service stipulating that users should be over the age of thirteen. Age verification debates have been heating up in the EU, where data privacy regulation is ahead of the global curve.

Garante has given OpenAI 20 days to implement measures that bring it into compliance, and promised a fine of up to €20 million if the changes are not made.

Article Topics

biometric identifiers  |  ChatGPT  |  data protection  |  Italy  |  regulation  |  sentiment detection