Training or feeding AI on personal data with no legal basis
"It was on the internet" is not a legal basis. In the EU it is barely an excuse.
Not legal advice. Sally roasts behaviour and use-cases in general, never your specific situation, and nothing here replaces a real lawyer. The cases are real; what you do about them is between you and someone licensed to tell you.
Pouring scraped or customer personal data into a model without identifying a lawful basis or telling anyone.
Garante (Italian DPA) v. OpenAI
EUR 15M fine, ruling Dec. 2024 Β· EU (Italy)
Italy's regulator found OpenAI trained ChatGPT on personal data without a valid legal basis, breached transparency duties, and failed to notify a breach.
A EUR 15M fine, the first major generative-AI GDPR penalty, plus an ordered public-awareness campaign. OpenAI is appealing.
A data protection authority handed down a major eight-figure fine over training an AI on personal data without a valid legal basis, alongside transparency failures and a missed breach notification. It was the first big generative-AI penalty under EU data law, and it will not be the last.
The instinct that public means free to use does not survive contact with GDPR. Personal data carries obligations regardless of where you found it: a lawful basis, transparency about what you are doing, and a way for people to exercise their rights.
βYou trained on everyone's data and budgeted for none of the consequences. The regulator did the budgeting for you.β
- 01Identify a lawful basis before any personal data goes near a model, and document it.
- 02Be transparent about what you collect and why. Surprise is the enemy of compliance.
- 03Strip or pseudonymize personal data you do not actually need for the task.
Not legal advice. General commentary on a use-case, not your situation. Talk to a real lawyer before you act.