A Rome court on March 18, 2026 annulled the only GDPR fine ever imposed on a generative AI launch. The decision didn’t find OpenAI innocent. It found that Italy had no right to judge OpenAI at all – and the full reasoning, published on May 28, 2026, lays bare a structural weakness in European privacy enforcement that legal scholars, regulators from Germany to France, and privacy advocates have documented for years.
The facts are not in dispute. OpenAI launched ChatGPT on November 30, 2022. A data breach occurred on March 20, 2023, allowing some users to see the titles of other users’ active conversations. The company had no EU establishment at that point. Italy’s Garante per la Protezione dei Dati Personali moved quickly, issued an emergency ban, conducted a multi-year investigation, and on November 2, 2024, issued provvedimento n. 755 – a €15 million fine alongside a mandatory six-month media awareness campaign to run across Italian radio, television, newspapers, and internet platforms. According to legal scholars Theodore Christakis and Giulio Monga, writing on June 4, 2026 on the European Law Blog after the full grounds of the judgment became available on May 28, 2026, the Tribunale Ordinario di Roma annulled that decision entirely on a single jurisdictional point, declared all other grounds of appeal “absorbed,” and never examined whether OpenAI had actually complied with the GDPR.
As PPC Land reported when the reasoning was published on May 28, the court “doesn’t reach the substantive GDPR violations alleged by the Italian authority. It doesn’t assess whether OpenAI failed to notify the Garante of the March 20, 2023 data breach. It doesn’t determine whether ChatGPT’s training data processing lacked a valid legal basis.” The substance was irrelevant. The machinery had been turned against the regulator.
An organization, a date, and a vanishing case
The key event was not the data breach of March 2023, nor the enforcement proceeding opened in January 2024. It was a recognition letter. On February 15, 2024, the Irish Data Protection Commission formally recognised OpenAI Ireland Limited as the company’s single establishment in the European Economic Area. OpenAI Ireland had been incorporated on March 24, 2023 – four days after the breach that triggered the Italian investigation. But as PPC Land’s analysis of the case noted, “incorporation is an act of company law that brings a legal entity into existence… while ‘main’ or ‘single establishment’ is an autonomous concept of EU data protection law, turning on the effective and real exercise of activity through stable arrangements.” The two need not coincide in time, and in this case they did not – nearly a year separated OpenAI Ireland’s incorporation and its recognition as the single EEA establishment.
That gap became the decisive legal event. Under Article 56(1) of the GDPR, the supervisory authority of a controller’s main or single establishment holds exclusive competence over cross-border processing. The Court of Rome, relying on EDPB Opinion 8/2019, held that lead competence can switch to a newly competent authority at any time before a final decision is reached. Because no final decision had been taken by February 15, 2024, the Garante should have transferred the case to Dublin. Its November 2024 decision was therefore issued by an authority that had, on the court’s reasoning, already lost its right to act.
According to Christakis and Monga, the Garante did the investigation. It gathered the evidence. It built the case over more than a year. And then, on a jurisdictional technicality tied to the timing of a corporate registration, the entire result was voided. PPC Land’s reporting on the case put it plainly: nine months of Italian enforcement work culminating in a €15 million order “was voided on that basis, without any ruling on whether the underlying conduct was lawful.”
The Garante’s case, in full
The Italian investigation was not superficial. As PPC Land documented, the Garante’s findings covered a range of alleged violations across the period from November 30, 2022, onward: an unreported data breach in violation of Article 33 GDPR; an absence of identified lawful bases for training under Articles 5(2) and 6; inadequate privacy disclosures under Articles 12 and 13; missing age verification systems under Articles 24 and 25(1); and a failure to carry out the awareness campaign already mandated under provvedimento n. 114 in April 2023, itself a violation of Article 83(5)(e).
OpenAI raised ten grounds of appeal. The court examined one. Having found the first – jurisdictional competence – decisive, it absorbed the remaining nine without examination. The proportionality of the fine, the lawfulness of OpenAI’s training practices, the transparency shortcomings, the age verification failures: all remain formally unanswered.
What other EU regulators did is also instructive. PPC Land’s reporting noted that “other European data protection authorities which had also opened investigations into OpenAI’s GDPR compliance transferred their information to the Irish DPC after February 15, 2024 – the date on which OpenAI Ireland was formally recognised as the EEA establishment. This, the court found, confirmed the correct interpretation of the one-stop-shop rules. Italy stood alone in pressing to a final decision.”
Italy’s persistence was penalised. Every other authority that recognised the jurisdictional shift and stepped back was vindicated procedurally. The Garante, which had been the most aggressive European regulator on AI and had done the most investigative work, was the one left with nothing.
The playbook every non-EU provider now has
This isn’t an abstract legal problem. It’s a replicable sequence. A foreign provider enters the EU market with no establishment, processes data across the continent, absorbs whatever provisional measures land during the early enforcement phase – emergency bans, information requests, compliance orders – and then, if enforcement pressure intensifies, incorporates a genuine EEA subsidiary and has it recognised in the most congenial member state before any pending proceeding reaches a final decision. Every open case is then funnelled towards that chosen authority.
According to Christakis and Monga, the judgment hands any non-EEA provider a clear structural option: once a genuine EEA subsidiary is recognised, every pending national proceeding that has not yet led to a final decision is funnelled towards a single chosen authority. Given the breadth of parallel enforcement fronts that major AI launches now generate, that consolidation prize is substantial.
The destination of choice has long been Ireland. As PPC Land has documented extensively, major US technology platforms – Meta, Google, Apple, LinkedIn, TikTok – established their European headquarters in Dublin to take advantage of Ireland’s corporate tax environment, automatically making the Irish Data Protection Commission their lead GDPR regulator across all 450 million European users. The one-stop-shop mechanism, designed to prevent fragmented enforcement, instead concentrated regulatory power in a single jurisdiction and created a structural incentive to establish there.
PPC Land’s analysis of the Rome ruling framed the connection directly: “The timing and sequence of those steps can determine, as this case shows, whether a multimillion-euro penalty stands or falls.”
Forty percent of €7.1 billion never existed
The Rome ruling didn’t arrive alone. It came within days of Luxembourg’s Administrative Court annulling the €746 million fine imposed on Amazon by the National Commission for Data Protection – a case in which the court confirmed Amazon had violated GDPR but struck down the fine because the regulator had applied strict liability without assessing negligence, as required by Court of Justice of the European Union case law. PPC Land reported the Luxembourg ruling on March 13, 2026 and subsequently published a detailed legal breakdown of the decision. In a single week in March 2026, €761 million was erased from the GDPR enforcement ledger without a single finding that either company had complied with the law.
That pattern is not an anomaly. According to PPC Land’s eight-year enforcement analysis, drawing on data compiled by Alliance Threat, European regulators have announced €7.1 billion in GDPR fines since May 2018, but roughly €2.8 billion of that total – nearly 40% – has been either annulled or is actively contested before courts. The framework is, in Alliance Threat’s words, “being rewritten while it is still being tested.” Meta’s €1.2 billion penalty for unlawful US data transfers – still the largest individual GDPR fine ever issued – remains under active appeal in the Irish courts.
GDPR enforcement statistics published earlier by PPC Land found that only 1.3% of GDPR cases resulted in monetary penalties between 2018 and 2023. The ratio between investigations opened and fines collected tells a different story than the headline numbers suggest.
Ireland: the lead authority problem
Ireland’s Data Protection Commission holds a position in European privacy enforcement with no equivalent anywhere in the regulation. Because the GDPR’s one-stop-shop mechanism designates a company’s lead authority based on where its main establishment sits, and because Ireland’s corporate tax environment attracted Google, Meta, Microsoft, Apple, and dozens of other major technology platforms to Dublin, the Irish DPC functions as the primary GDPR regulator for a disproportionate share of global internet services.
The nominal fine totals from Ireland are large. But the gap between imposed and collected is stark. According to privacy organisation noyb, only 0.6% of fines nominally issued against major companies had actually been collected – with billions under active judicial appeal. PPC Land’s reporting on the Rome case noted the figure directly: noyb characterised a pattern in which the Irish DPC had “de facto not enforced the GDPR against US Big Tech. While formally issuing billions in fines, only 0.6% of them were ever collected.”
The delay problem is also documented in the courts. In January 2025, the EU General Court ruled that the Irish DPC had acted unlawfully by refusing to investigate a complaint about Meta’s data practices – a complaint originally filed on May 25, 2018, the first day GDPR came into force. Seven years elapsed between complaint and a court order requiring the DPC to act. The same pattern appeared in the WhatsApp enforcement case, where eleven national data protection authorities raised formal objections to the Irish DPC’s draft decision on transparency violations, and the EDPB ultimately had to issue a binding decision requiring the fine to be substantially higher than the DPC’s initial assessment.
The structural conflict of interest argument gained new visibility in September 2025 with the appointment of Niamh Sweeney as the third Data Protection Commissioner after nearly eight years at Meta, including as head of public policy at Facebook Ireland and director of public policy for Europe at WhatsApp. Noyb’s public response: “We now actually have a US big tech lobbyist policing US big tech for Europe.” As PPC Land’s analysis of the Rome ruling concluded on this point, “whether or not that characterisation is fair as a complete account of the DPC’s work, the statistical record is clear enough on its own terms.”
The enforcement vacuum nobody wants to acknowledge
The most troubling aspect of the ruling, according to Christakis and Monga, is what it doesn’t do. The court holds that the Garante lost its competence. It doesn’t hold that the Irish DPC gained competence over conduct completed before February 15, 2024.
That distinction matters enormously for the data breach charge in particular. The breach occurred on March 20, 2023, and the notification obligation under Article 33 fell due seventy-two hours later – at a point when OpenAI had no EU establishment and OpenAI Ireland had not yet even been incorporated. As PPC Land’s reporting noted, the Garante “classified that infringement as consumed and retained it, forwarding to Ireland only the continuing issues.” But the court annulled the entire decision, consumed infringements included, without addressing whether the Irish authority could actually exercise jurisdiction over conduct predating its own existence.
The result is not a transfer of enforcement. It is the elimination of it. According to Christakis and Monga, the realistic outcome is a negative conflict of competence: the Garante is shut out, and it is far from clear that Ireland is brought in for the pre-establishment conduct. Not a slower forum, but no forum at all. The procedural coherence the court optimised for comes at the cost of any substantive outcome for the data subjects whose information was processed during ChatGPT’s launch period.
The attempt to fix what’s broken
As PPC Land reported in April 2025, the EU’s attempt to address the cooperation mechanism through a new GDPR Procedural Regulation risked creating “unprecedented complexity that will further delay privacy enforcement across Europe.” Rather than streamlining the system, the proposed regulation threatened to add roughly ten different types of GDPR procedures. Germany, France, Spain, and Italy had all formally expressed concerns about Ireland’s enforcement record. The European Commission’s proposal was criticised for shielding the Irish DPC from meaningful accountability to other national authorities through what commentators called an “inquisitorial system” approach.
The Rome judgment lands as these reform negotiations continue. The European Commission is simultaneously attempting to rewrite substantive parts of GDPR through the Digital Omnibus legislative package, proposing new legitimate interest bases for AI training and redefining what constitutes personal data. The system is being contested at every level at once – in court, in parliament, and in the soft-law opinions that regulators rely on to resolve jurisdictional disputes.
According to Christakis and Monga, the reach of Article 56 over conduct predating an establishment is unsettled law and warrants a preliminary reference to the Court of Justice of the European Union under Article 267 TFEU. The Rome judgment is a first-instance ruling by a single judge of the Tribunale di Roma. The Garante may yet appeal before the Corte di Cassazione, Italy’s supreme court. But until that higher court speaks – or until Luxembourg does – the mechanism documented by the Rome court remains intact.
PPC Land’s analysis of the ruling captured the endpoint precisely: a case in which a €15 million fine, “issued by a major European authority, has been annulled not because the conduct was found lawful, but because no one agreed on who had the right to judge it.” Eight years of GDPR enforcement, one final decision on a generative AI launch, and that decision no longer exists.
Timeline
- November 30, 2022 – OpenAI launches ChatGPT publicly with no EU establishment
- February 1, 2023 – ChatGPT Plus subscription tier launched
- March 20, 2023 – Data breach exposes some users’ conversation titles
- March 24, 2023 – OpenAI Ireland Limited incorporated, four days after the breach
- March 30, 2023 – Italy’s Garante issues emergency processing ban on ChatGPT (provvedimento n. 112)
- April 11, 2023 – Garante suspends ban, orders compliance measures; ChatGPT reinstated in Italy
- May 25, 2018 – January 2025 – Noyb’s Meta complaint, filed on GDPR’s first day, remains unresolved until the EU General Court forces an investigation seven years later
- January 26, 2024 – Garante formally opens sanctioning proceeding against OpenAI
- February 15, 2024 – Irish DPC formally recognises OpenAI Ireland as the company’s single EEA establishment; Garante’s competence, on the court’s reasoning, ends here
- November 2, 2024 – Garante issues final €15 million decision against OpenAI (provvedimento n. 755)
- September 2025 – Ireland appoints former Meta executive as Data Protection Commissioner; noyb states only 0.6% of announced Irish fines ever collected
- March 12-13, 2026 – Luxembourg court annuls Amazon’s €746 million GDPR fine; PPC Land reports and publishes legal breakdown
- March 18, 2026 – Tribunale Ordinario di Roma annuls Garante’s €15 million fine against OpenAI; PPC Land reports the outcome
- May 28, 2026 – Full grounds of the Rome judgment published; PPC Land publishes detailed analysis
- May-June 2026 – PPC Land reports nearly 40% of €7.1B in GDPR fines annulled or challenged
- June 4, 2026 – Theodore Christakis and Giulio Monga publish first substantive analysis of the full judgment reasoning on the European Law Blog, arguing the ruling opens a replicable enforcement vacuum for non-EU AI providers
Summary
Who: The Tribunale Ordinario di Roma, Italy’s Garante per la Protezione dei Dati Personali, OpenAI OpCo LLC, the Irish Data Protection Commission, and legal scholars Theodore Christakis (professor of international, European and digital law, University of Grenoble Alpes) and Giulio Monga (Italian data protection lawyer), writing on June 4, 2026 on the European Law Blog.
What: The Court of Rome annulled the only GDPR fine ever imposed on a generative AI launch on a single jurisdictional point – that the Garante lost competence once OpenAI’s Irish subsidiary was recognised on February 15, 2024. The June 4, 2026 scholarly analysis argues the ruling maps a replicable sequence allowing any non-EU AI provider to neutralise pending national enforcement by timing a corporate establishment appropriately. Combined with Ireland’s documented collection record, the EU’s stalled procedural reform, and nearly €2.8 billion in GDPR fines already erased by courts, the Rome judgment is a data point in a broader pattern in which GDPR enforcement against major AI providers has produced, after eight years, exactly one final sanctioning decision – and that decision no longer stands.
When: Underlying conduct from November 2022 to March 2023. Garante’s fine issued November 2, 2024. Court’s ruling issued March 18, 2026. Full grounds published May 28, 2026. First substantive scholarly analysis published June 4, 2026.
Where: Rome, Italy – with jurisdictional consequences spanning the entire EEA and centering on the boundary between Italian and Irish regulatory competence under the GDPR one-stop-shop mechanism, a boundary set by a corporate recognition letter issued in Dublin on February 15, 2024.
Why: The ruling matters because it confirms a structural vulnerability in European privacy enforcement: non-EU AI providers can launch without an EU presence, generate data processing events across the continent during the most legally sensitive window of their growth, and then establish in a favourable jurisdiction before enforcement concludes – potentially leaving launch-period conduct with no competent authority anywhere in the EU. The judgment optimises for legal certainty at the cost of enforcement effectiveness at precisely the moment when the GDPR’s application to generative AI remains the most contested and consequential open question in European digital law.