
Going Global in Europe | The First GDPR Case of 2026: Why Did the Italian Court Revoke the €15 Million Fine Against OpenAI?

Published: 2026-04-21 15:06:37


The First GDPR Case of 2026: Why Did the Italian Court Revoke the €15 Million Fine Against OpenAI?


Introduction


In March 2026, the Rome Court in Italy overturned the €15 million fine imposed on the artificial intelligence giant OpenAI by the Italian Data Protection Authority (Garante) in December 2024. This ruling has attracted widespread attention in the field of GDPR (General Data Protection Regulation) enforcement and the global AI industry. Regarded as the first major GDPR enforcement case of 2026, its outcome is not only of great significance to OpenAI itself but also provides new reflections and strategic insights for global enterprises, especially Chinese companies expanding overseas, regarding data compliance pathways in the AI era.



Background and Event Review

In December 2024, the Italian Data Protection Authority (Garante) fined OpenAI €15 million, citing multiple violations in the processing of users’ personal data by its ChatGPT service. Garante pointed out that OpenAI used massive amounts of personal data to train its AI models without an adequate legal basis, violating the GDPR principles of lawfulness, fairness, and transparency. Furthermore, Garante found that OpenAI had failed to adequately inform users about its data processing activities, and that a security breach in March 2023 had exposed the chat histories and payment information of some ChatGPT Plus users. At the time, OpenAI described the fine as “excessive” and immediately filed an appeal. In March 2025, the Rome court temporarily suspended enforcement of the fine so that it could review the merits of the case. Ultimately, in March 2026, the court ruled to annul the fine.



Analysis of the Court’s Ruling



Although the Rome court has not yet published the detailed reasoning for revoking the fine, we can make reasonable inferences based on available information and the GDPR legal framework. Possible considerations include:


  1. OpenAI’s Compliance Improvements: In the period after the fine was imposed, OpenAI may have taken proactive compliance measures, such as improving the transparency of user data processing, strengthening data security protections, optimizing user consent mechanisms, and potentially enhancing the anonymization or pseudonymization of AI training data. The court may have recognized these improvements, concluding that OpenAI had effectively addressed the compliance issues raised by Garante.


  2. Re-evaluation of the Legal Basis for Data Processing: One of Garante’s initial reasons for the fine was OpenAI’s lack of an adequate legal basis for processing personal data for AI training. The court may have conducted a more in-depth review of the legal bases relied upon by OpenAI, such as “legitimate interests” or “performance of a contract,” and determined that under specific conditions, OpenAI’s data processing activities complied with GDPR requirements. This likely involved a comprehensive balancing of the nature and purpose of the AI model training data against the impact on the rights and freedoms of individuals.


  3. Consideration of the Principle of Proportionality: When hearing such cases, courts typically consider the principle of proportionality in regulatory penalties. A €15 million fine is not a small sum for a technology company. The court may have deemed that, given the remedial measures already taken by OpenAI and its commitments to future compliance, revoking the fine or mitigating the penalty was more reasonable.


  4. The Particular Nature of AI Technology Development: AI technology, particularly generative AI, has distinctive characteristics in how it processes data. The court may have weighed the balance between AI innovation and data protection in its ruling, acknowledging the need to allow AI development some flexibility while ensuring the rights of data subjects.



Potential Impact on Chinese Enterprises



The Italian court’s revocation of the fine against OpenAI has multiple potential impacts on Chinese enterprises expanding overseas, especially AI-related companies operating in the European market:


  1. Uncertainty in GDPR Enforcement: This case demonstrates that even the enforcement decisions of data protection authorities within the EU may face judicial review and be overturned. This increases the uncertainty of GDPR enforcement outcomes but also provides a precedent for enterprises to seek relief through legal channels.


  2. Rethinking the Legal Basis for AI Data Processing: The court’s ruling may prompt enterprises to re-examine the legal basis for their AI data processing. For enterprises relying on “legitimate interests” for data processing, it is necessary to conduct Legitimate Interests Assessments (LIA) more rigorously and ensure that the impact of their data processing activities on the rights and freedoms of data subjects is minimized.


  3. The Necessity of Compliance Investment: Although the fine was revoked, OpenAI invested immense legal and compliance costs throughout the process. This reminds Chinese enterprises that operating in the European market requires treating GDPR compliance as a long-term and crucial strategic investment rather than a short-term response.



Strategic Insights and Compliance Recommendations



Facing the new dynamics of GDPR enforcement, Chinese enterprises should draw lessons and formulate more robust compliance strategies:


  1. Strengthen the Data Governance System: Establish a sound data governance framework, clarify all stages of data processing, and ensure that the entire lifecycle from data collection, storage, and use to destruction complies with GDPR requirements. Special attention should be paid to the source, lawfulness, and processing methods of AI training data.


  2. Ensure the Legal Basis for Data Processing: For the massive amounts of data required for AI model training, enterprises must clarify the legal basis for their data processing, such as obtaining explicit consent, performing a contract, complying with legal obligations, or relying on legitimate interests. When relying on legitimate interests, be sure to conduct a detailed Legitimate Interests Assessment and document the evaluation process.


  3. Enhance Transparency and User Notification: Enterprises should inform users about their data processing activities in clear, concise, and easily understandable language, including the purposes of collection, the categories of data collected, how the data is processed, how long it is retained, and users’ rights. For AI services, enterprises should specifically explain how AI models use user data for training and optimization.


  4. Strengthen Data Security and Privacy Protection: Continuously invest resources to enhance data security protection capabilities, adopting technical measures such as encryption, anonymization, and pseudonymization to protect personal data. Establish a comprehensive data breach emergency response mechanism to ensure timely and effective responses in the event of a data breach.


  5. Actively Communicate with Regulatory Authorities: Maintain open and active communication with data protection authorities in European countries to stay abreast of the latest regulatory requirements and enforcement trends. When facing compliance challenges, proactively cooperate with regulatory authorities to demonstrate the enterprise’s willingness and efforts toward compliance.


  6. Monitor AI Regulatory Developments: Closely monitor the progress of emerging AI regulation such as the EU’s Artificial Intelligence Act, anticipate future compliance requirements, and make strategic plans and technical preparations in advance.



Conclusion


The Italian court’s revocation of the €15 million fine against OpenAI is a significant milestone in the interplay between GDPR enforcement and AI technology development. It not only reminds enterprises of the complexity and challenges of data compliance in the AI era but also demonstrates the judicial system’s prudent attitude in balancing innovation and protection. For Chinese enterprises expanding overseas, this does not mean a reduction in GDPR compliance pressure; rather, it requires enterprises to integrate data compliance into their core development strategies with a more professional and forward-looking perspective, thereby achieving steady and long-term progress in the global market.




Disclaimer

This article is for discussion and exchange purposes only and does not represent any form of legal opinion or advice issued by Guangyue Law Firm (廣悅律師事務所) or its lawyers. To reproduce or quote any content of this article, please contact the firm for authorization and cite the source when doing so. If you would like to discuss related matters further or need professional legal support, please feel free to contact the firm.






Contact: Ms. Ye Wen (葉文)

We look forward to further exchanges with you!




About Guangyue Law Firm

Founded in 2008, Guangyue Law Firm (廣悅律師事務所) is a full-service law firm with a foreign-related practice, based in the Greater Bay Area and run under integrated management. It has built a professional team of over a hundred lawyers and other legal service staff and a diversified practice structure, offering clients high-quality, comprehensive, one-stop legal services. Following its development strategy of “rooted in the Greater Bay Area, coordinating with Hong Kong and Macau, facing the world”, Guangyue now has eight offices, in Guangzhou, Hong Kong, Shenzhen, Bangkok (Thailand), Los Angeles (USA), Sydney (Australia), Tokyo (Japan) and Milan (Italy), with clients across many countries and regions at home and abroad.



Contributed by: Guangyue Milan Office

Editor: Wu Baoxuan (吳寶渲)

Reviewed by: Su Bing (蘇冰)

Approved by: Brand Promotion and Market Development Committee
