

The Italian block of ChatGPT: privacy against AI or AI against privacy?

By Katia Genovali

On March 31, the popular chatbot service ChatGPT was suspended by the Italian Data Protection Authority over alleged misuse of personal data under the European GDPR, the General Data Protection Regulation. The service will also be investigated on suspicion that it does not comply with privacy regulations. The measure could be the first in a long series among Western countries, considering that the GDPR applies to all EU member states. 

We tried to understand more with the help of Dr. Francesca Pratesi, a data scientist at the Institute of Information Science and Technologies "Alessandro Faedo" ISTI-CNR (Italy). She studies ways to handle personal data ethically, especially regarding the privacy of the individuals described in the data itself. She and her colleagues design and develop services based on big data analytics and machine learning in such a way that the quality of results can coexist with fairness, privacy protection, and transparency. 

Dr. Pratesi, why has the Italian Authority suspended ChatGPT on the grounds of improper data use? Isn't most of our data on the internet already public (name, CV, affiliations, etc.)? 

“Yes and no. Generally speaking, this is true. However, the fact that some information is published on the internet does not mean that it can be used for a purpose different from the one originally intended. Consider images instead of text: I could publish a picture of myself for self-promotion on my personal website, but this does not imply that everyone can download, edit, and republish it, even for non-commercial uses.” 

What makes this tool more powerful (and potentially harmful) than a more common internet search engine?

“ChatGPT's remarkable capacity to find information could amplify leaks of information that is already present somewhere but mostly inaccessible through ordinary search engines. Think about a document that was published by mistake: we can remove it, but if ChatGPT already scanned the information contained in it during its training, there is no way to tell whether a piece of information is legitimate or not.” 

Are you saying that, in principle, we could use ChatGPT to retrieve information we want removed from the internet? 

“One of the major drawbacks of ChatGPT is that the sources of the information it uses are not known. This makes it impossible to verify whether the information used by the bot complies with EU privacy regulations, since we cannot actually determine where the data come from.” 

Pratesi fears that Italian citizens will remember this episode as a legal attack on AI technology, whereas the Italian Authority presented it as a way to protect citizens’ interests. The Authority’s aim, however, is clear. 

“The Italian Data Protection Authority's action could be read as a demonstrative one; so far, they have only targeted the most popular AI service. However, it is a signal that Italy is unwilling to tolerate any unclear situation concerning data protection. Data science unlocks unprecedented opportunities to understand social phenomena, and it can also power data-driven services that serve collective well-being and the social good. In my opinion, the Italian case highlights the need for coordinated action among European countries to show cohesion under the umbrella of the GDPR.”