In March 2023, Italy's data protection authority (Garante) ordered a temporary nationwide block of ChatGPT, becoming the first major regulator to halt a frontier generative AI service. The Garante cited a missing lawful basis for mass data collection, inadequate age verification for minors, and insufficient transparency on how OpenAI processed Italian users' data.

Service restored — conditions set precedent

ChatGPT returned after OpenAI implemented age gates, expanded privacy disclosures, and addressed EU data subject rights. The episode proved national regulators can stop AI services quickly when privacy governance is inadequate — not years later after harm accumulates.

Parallel actions in Europe

  • Spanish AEPD and other DPAs opened coordinated inquiries into generative AI
  • EDPB formed a ChatGPT task force for a consistent EU approach
  • Enterprises using ChatGPT APIs faced internal legal reviews of employee usage

Enterprise takeaway

When employees or customer-facing products rely on third-party models, the enterprise — not only the vendor — answers regulators. Deployers must know:

  • What personal data enters the model (prompts, attachments, logs)
  • Whether minors can access the service
  • How deletion and access requests are fulfilled
  • Where inference and logging occur geographically

Govern before the ban

Deploy gates ensure no generative AI integration reaches production without privacy intake and GRC review. Approved enterprise deployments use contracts, data processing agreements, and regional hosting — avoiding the ad hoc consumer-tool pattern that triggered Italy's order.