Italy’s Data Protection Authority (DPA) has blocked access to ChatGPT, the artificial intelligence (AI) language model developed by OpenAI, over concerns that the technology may be violating the European Union’s General Data Protection Regulation.
The Italian DPA alleges that ChatGPT collects and processes users’ personal data without obtaining explicit consent, as required by the GDPR.
According to SecurityWeek, the AI’s data handling practices have raised concerns about inadequate anonymization and insufficient transparency, prompting the DPA to take action until “ChatGPT respects privacy.”
TechCrunch reported that OpenAI issued a statement apologizing to users attempting to access ChatGPT from an Italian IP address, notifying them that access has been disabled at the request of Italy’s data protection authority, known as the Garante.
The company has also announced that it will be refunding all users in Italy who purchased the ChatGPT Plus subscription service last month and has temporarily paused subscription renewals in the region.
While OpenAI has implemented a simple geo-block, using a VPN to switch to a non-Italian IP address may provide a workaround.
However, for users who originally registered their ChatGPT account in Italy, the account may be inaccessible, and they may need to create a new account with a non-Italian IP address to bypass the block.
As ChatGPT’s popularity has surged globally in recent months, there have been increasing calls in the U.S. and Europe to regulate the self-generative AI tool due to concerns related to data protection, disinformation, and job safety.
Italy has now implemented one of the first nationwide measures limiting the use of ChatGPT.
According to the regulator, OpenAI has “no legal basis” for using the data it has garnered from millions of users over the months and deploying it for training “the algorithms that power the platform.”
WSJ reported that the Italian regulator initiated an inquiry into OpenAI and has given the company 20 days to demonstrate its compliance with European Union privacy regulations or face potential fines.
Under the EU’s General Data Protection Regulation, the maximum fine is 4% of a company’s global annual revenue or the equivalent of $21.8 million, whichever is greater.
Additionally, the regulator stated that there is currently no system in place to verify the age of users and prevent children under the age of 13 from using the chatbot.
This poses a risk of exposing them to “responses that are absolutely unsuitable to their degree of development and self-awareness.”
To comply with the regulator’s demands, OpenAI may need to add age verification measures, update its privacy policies, and provide users with more detailed information about how their data will be utilized.