Italian DPA Fines Replika's Developer €5 Million for GDPR Violations


Italy's data protection authority (Garante) has imposed a €5 million fine on Luka Inc., the developer of the Replika chatbot, for processing user data without a proper legal basis, providing inadequate privacy notices, and failing to implement effective age verification systems until February 2023. The Garante temporarily blocked the service in Italy in February 2023 before launching an investigation that confirmed multiple GDPR violations, including Articles 5.1(a), 6, 12, 13, 5.1(c), 24, and 25.1. The Italian authority has also initiated a separate proceeding to assess whether Replika's AI training methods comply with EU privacy regulations, particularly regarding the legal basis for processing throughout the AI system's lifecycle.

Launched in 2017 by San Francisco-based Luka Inc., Replika is an AI application offering customised virtual companions that can serve as confidants, therapists, romantic partners, or mentors, marketed as improving users' emotional wellbeing. Technical assessments revealed that the company's current age verification system remains deficient in several respects, despite the company's declaration that minors are excluded from potential users. In addition to the fine, the Garante ordered the company to bring its data processing operations into compliance with GDPR provisions, with particular focus on establishing proper legal grounds and transparency measures.

The significance of this case extends beyond the specific penalty and signals stricter regulation of AI systems in the EU. The Garante is one of the most proactive EU regulatory authorities in assessing AI platform compliance, having fined OpenAI €15 million for ChatGPT last year after briefly banning its use in Italy in 2023. The EU's AI Act, which will implement risk-based rules by 2027, will complement GDPR and could impose fines of up to €35 million or 7% of global turnover on high-risk AI systems such as emotional chatbots.
