Generative A.I., minors’ protection and transparency: the Italian DPA fines Replika

The action followed an emergency temporary suspension of processing initially issued by the Authority and subsequently lifted within three months after the U.S. company committed to implement corrective measures. More importantly, it forms part of a broader context of enhanced oversight by the Italian Data Protection Authority regarding the use of generative A.I. systems. It is worth recalling that, in November 2024, the Garante had already imposed a Euro 15 million fine on OpenAI for violations related to the use of ChatGPT, highlighting issues that closely mirror those addressed in the present decision: transparency, identification of the legal basis for processing, and protection of underage users.

In summary, the Authority identified three main areas of non-compliance with respect to the A.I. companion Replika:

The decision not only imposed an administrative fine of Euro 5 million on the U.S.-based company, but also required the implementation of a series of corrective measures aimed at bringing processing activities into compliance with applicable data protection rules. These included the adoption of genuinely effective age verification systems and the revision - and translation into Italian - of the service’s privacy policy.

The Replika case also provides a valuable opportunity to reflect on the application of the recent A.I. Act and its coordination with the existing regulatory framework on personal data protection. Although the European Regulation on Artificial Intelligence is designed to operate in parallel with the GDPR, the two instruments share a common focus on transparency, risk assessment, and the protection of vulnerable users. Identifying the risk level associated with a given system and defining compliance measures from the earliest stages of design will be key for developers, who are now required to navigate a dual compliance landscape.

In conclusion, the decision by the Garante serves as a reminder to all those designing or deploying A.I.-based solutions: the supervisory authority closely monitors the technologies available on the market and is prepared to intervene swiftly and precisely, including through urgent measures when necessary. 

Lawfulness, fairness, and transparency, adherence to the principles of privacy by design and by default, and the implementation of secure and robust technical safeguards are required by the law. The ability to integrate appropriate safeguards for these principles into a strong, multidimensional compliance strategy is not only a way to avoid sanctions, but also a way to build trustworthy products, ready for the European market. And today, that should already be regarded as a competitive advantage.​