Italy’s data protection authority, the Garante, has ruled that Replika, a popular AI-powered chatbot, is in breach of EU data protection regulation.
Replika, a San Francisco startup, offers users customised avatars. In a recent ruling, Garante provided that by intervening in the user’s mood, Grante’s chatbot “may increase the risks for individuals still in a developmental stage or in a state of emotional fragility”.
Garante ruled that Replika is in breach of the EU General Data Protection Regulation (GDPR), as it does not comply with transparency requirements and it processes personal data unlawfully.
A temporary limitation was placed on the processing of personal data relating to users in the Italian territory, while additional determinations may be made upon finalisation of the ongoing fact-finding activities.
It was asserted that Replika cannot use the existence of a contract to justify the processing of the users’ information, since minors are potential users of the chatbot, and they are incapable of entering into a valid contract under Italian law.
The Garante gave Replika 20 days to follow its order or face a fine of up to 20 million euros of 4% of annual turnover.