


Generative A.I., minors’ protection and transparency: the Italian DPA fines Replika


published on 26 May 2025 | reading time approx. 3 minutes


Following an investigation launched in 2023 in response to press coverage, the Italian Data Protection Authority (the “Garante”) issued a decision on April 10, 2025 sanctioning the U.S. company Luka Inc. - developer of the well-known adult-targeted chatbot “Replika” - for serious and systematic violations in the handling of the service users’ personal data.

The action followed an emergency temporary suspension of processing initially issued by the Authority and subsequently lifted within three months after the U.S. company committed to implement corrective measures. More importantly, it forms part of a broader context of enhanced oversight by the Italian Data Protection Authority regarding the use of generative A.I. systems. It is worth recalling that, in November 2024, the Garante had already imposed a Euro 15 million fine on OpenAI for violations related to the use of ChatGPT, highlighting issues that closely mirror those addressed in the present decision: transparency, identification of the legal basis for processing, and protection of underage users.

In summary, the Authority identified three main areas of non-compliance with respect to the A.I. companion Replika:
  • the failure to identify - in a precise and granular manner - the legal bases for the processing in relation to the purposes pursued through the chatbot;
  • the use of a privacy policy that was overly generic, opaque, and ambiguous, and available only in English;
  • the inadequacy of the measures in place to prevent access by minors, who could nonetheless easily use the service despite the controller’s claims.

The decision not only imposed an administrative fine of Euro 5 million on the U.S.-based company, but also required the implementation of a series of corrective measures aimed at bringing processing activities into compliance with applicable data protection rules. These included the adoption of genuinely effective age verification systems and the revision - and translation into Italian - of the service’s privacy policy.

The Replika case also provides a valuable opportunity to reflect on the application of the recent A.I. Act and its coordination with the existing regulatory framework on personal data protection. Although the European Regulation on Artificial Intelligence is designed to operate in parallel with the GDPR, the two instruments share a common focus on transparency, risk assessment, and the protection of vulnerable users. Identifying the risk level associated with a given system and defining compliance measures from the earliest stages of design will be key for developers, who are now required to navigate a dual compliance landscape.

In conclusion, the decision by the Garante serves as a reminder to all those designing or deploying A.I.-based solutions: the supervisory authority closely monitors the technologies available on the market and is prepared to intervene swiftly and precisely, including through urgent measures when necessary. 

Lawfulness, fairness, and transparency, adherence to the principles of privacy by design and by default, and the implementation of secure and robust technical safeguards are required by the law. The ability to integrate appropriate safeguards for these principles into a strong, multidimensional compliance strategy is not only a way to avoid sanctions, but also a way to build trustworthy products, ready for the European market. And today, that should already be regarded as a competitive advantage.

DATA PROTECTION BITES

author

Nicola Sandon

Attorney at law (Italy)

Senior Associate

+39 049 8046 911
