The Italian Data Protection Authority, Garante, has ruled that Replika, a popular AI-powered chatbot, is in breach of EU data protection regulation. The decision follows an investigation into Replika’s practices, which revealed that the company had failed to implement adequate measures to protect the personal data of its users.
According to a statement released by Garante, the investigation found that Replika had failed to adequately inform users about the data it collected and how it was being used. The chatbot also lacked proper security measures to prevent unauthorized access to user data, and did not provide users with the option to delete their data after they had finished using the service.
The ruling from Garante highlights the need for companies to take data protection seriously, particularly in the fast-growing field of AI technology. With the increasing use of AI-powered chatbots and other similar technologies, it is crucial that companies take steps to ensure that user data is protected and used responsibly.
In a statement, Garante’s President, Antonello Soro, said
“This ruling sends a clear message to companies that operate in the field of AI and data protection. The EU’s data protection regulation is clear and must be respected, and companies that fail to do so will be held accountable.”
The ruling against Replika is expected to have far-reaching implications for the AI industry, as companies will be under increased pressure to ensure that they are complying with EU data protection regulations. It is hoped that this ruling will encourage companies to invest in the necessary measures to protect user data and ensure that they are using AI technology in a responsible and ethical manner.
The Ruling:
Based on the above, the Garante:
- Orders under Article 58(2)(f) of the Regulation that a temporary limitation be imposed urgently on the processing of personal data relating to users in the Italian territory as performed by Luka Inc., the US-based developer and operator of Replika.
- Provides that the said limitation be enforced immediately as from the date of receipt of this order, whereby this shall be without prejudice to such additional determinations as may be made upon finalization of the ongoing fact-finding activities.
- Pursuant to Article 58(1) of the Regulation, the Garante calls upon the controller to provide information within 20 days from the receipt.
Failure to comply with an Article 58 request entails imposition of the administrative fine referred to in Article 83(5)(e) of the Regulation.
The ruling by Garante against Replika is a wake-up call for companies operating in the AI industry. It highlights the importance of data protection and the need for companies to take their obligations under EU data protection regulation seriously. As AI technology continues to grow in popularity and use, it is essential that companies take steps to ensure that user data is protected and used responsibly.