The Italian data protection authority has fined the developers of the Replika AI chatbot €5 million, two years after it blocked the application from operating in the country.

The regulator announced today that it was imposing the penalty on Luka Inc, the company behind Replika (under which name it also trades), for failing to identify a legal basis for processing users’ data, having an “inadequate” privacy policy, and failing to have an age verification mechanism in place.
The penalty was decided by the regulator on 10 April.
As well as issuing the financial sanction, the regulator has ordered Replika to bring its operations in line with requirements.
Italy’s action against Replika began in February 2023, when it ordered the US-based company to pause its activities in the country over concerns that the chatbot could pose a threat to minors.
This ban was lifted in June 2023 on condition that Replika remedy the deficiencies identified by the authority and present a plan for implementing age verification and a method for users to report inappropriate content generated by the chatbot.
But the regulator subsequently found that Replika had largely failed on this count.
The company did not submit any counterarguments to the authority’s assertion that it lacked a legal basis for the processing of users’ personal data, and the DPA concluded that “it clearly emerges that the Company has not identified in a granular manner the legal basis underlying the various processing operations carried out by the Company within the scope of the Replika service”.
Replika also failed to submit any defence against the claim that it lacked an adequate privacy policy, leading to an adverse finding from the regulator. Replika did update its privacy policy in February 2024, some time after the investigation began, but this was only available in English and did not address how long it retained users’ personal data.
Finally, Replika took no steps to contest the regulator’s claim that it fell short on age verification measures.
Replika had claimed in its submissions to the regulator to be based in the Netherlands, but the authority found that “this statement is not supported by any documents”: there was no material evidence, such as a Dutch Chamber of Commerce certificate; the company had not supplied the corporate name of the alleged European entity; and there was no mention of a European establishment in any of the company’s terms of service. The Italian DPA therefore concluded that it was under no obligation to refer the investigation under the one-stop-shop mechanism.
The fact that the violations concerned fundamental data protection principles, the heightened risk of these failings in the context of an “innovative, disruptive and rapidly expanding technology”, the cross-border nature of the processing, the high number of users (around 10 million) and the nature of the personal data involved were all considered aggravating factors.
Replika did not respond to a request for comment.