Privacy Daily is a service of Warren Communications News.

Garante Fines U.S. Company $5.6 Million for Chatbot GDPR Breaches

Italian privacy regulator Garante fined U.S. consumer AI company Luka $5.6 million (5 million euros) for General Data Protection Regulation breaches and launched a probe into how it processes data during the life cycle of the generative AI systems that underlie its Replika chatbot, it announced Monday.

The chatbot, equipped with a written and voice interface, lets users "generate" a "virtual friend" to assume the role of confidant, therapist, romantic partner or mentor, Garante said.

The watchdog's initial investigation in 2023, when it ordered the app to be blocked, found that Luka failed to set out the legal bases for its data-processing operations on Replika, and that its privacy policy was inadequate.

At the same time, the watchdog said, it found that Luka failed to offer an age-verification mechanism either when individuals registered for the service or during its use, although the company said it excluded minors. The current age-verification system continues to be inadequate, Garante said. It ordered Luka to comply with the GDPR.

The new investigation is focused on the company's risk assessment and measures taken to protect data in the various stages of development and training of the language model underlying Replika, Garante said. It's also examining the types and categories of data used, and the possible implementation of anonymization or pseudonymization measures.