IT Garante AI
Italy Garante AI Enforcement Actions
The Italian DPA (Garante) is the most aggressive EU enforcer on AI, with precedent-setting enforcement against ChatGPT and Replika. Enforcement theory: companion AI processes special category health data.
Jurisdiction: Italy (IT)
Enacted: Unknown
Effective: Unknown
Enforcement: Garante per la protezione dei dati personali
Who Must Comply
This law applies to:
- AI chatbot operators serving Italian users
Who bears obligations:
Safety Provisions
- Replika emergency block (Feb 2023): Lack of age verification
- Replika fine (May 2025, decision Apr 2025): €5M for processing mental health data without lawful basis
- ChatGPT fine (Dec 20, 2024): €15M for transparency failures, no age verification
- Required: Robust age verification (self-declaration insufficient)
- Required: Consent mechanisms specific to mental health data
Enforcement
Enforced by: Garante per la protezione dei dati personali
Penalties: €20M or 4% revenue (whichever higher)
Up to €20M/4% per GDPR; actual fines €5-15M for AI cases.
Quick Facts
- Binding: Yes
- Mental Health Focus: Yes
- Child Safety Focus: Yes
- Algorithmic Scope: No
Why It Matters
Italy sets the enforcement precedent for all EU DPAs. The Replika case establishes that companion AI processes health data. Other DPAs will follow.
What You Need to Comply
You need: robust age verification; explicit consent for emotional data; content moderation preventing harmful outputs to minors.
Cite This
APA
Italy. (n.d.). Italy Garante AI Enforcement Actions. Retrieved from https://nope.net/regs/it-garante-ai-enforcement
BibTeX
@misc{it_garante_ai_enforcement,
title = {Italy Garante AI Enforcement Actions},
author = {Italy},
year = {n.d.},
url = {https://nope.net/regs/it-garante-ai-enforcement}
}
Related Regulations
Digital Austria 2.0
Austria's digital sovereignty framework establishing Sovereignty Compass for AI audits and mandatory Digi-Check for all legislation.
Estonia Kratt Plan
Estonia's €85M AI and Data Action Plan establishing safety testing framework and human-centered AI deployment principles.
Austria AI Service Center
Austria's national AI authority established within RTR (Rundfunk und Telekom Regulierungs-GmbH) for EU AI Act market surveillance coordination.
Switzerland FADP
Switzerland's revised data protection law with Article 21 automated decision transparency requirements, human review rights, and fines up to CHF 250,000.
Portugal Digital Rights Charter
Portugal's Charter of Digital Rights with Article 9 requiring AI to respect fundamental rights and establishing algorithmic auditability principles.
Serbia PDP Law
Serbia's GDPR-aligned data protection law with profiling safeguards and DPIA requirements.