Italian Data Protection Authority Bans Data Processing of AI-Powered Chatbot Replica
The Italian Data Protection Authority (the "Authority") banned the data processing activities of Replica, an AI-powered chatbot app that offers a "virtual friend" experience to users. If Replica fails to comply with the Authority's order within 20 days, it may face a fine of up to €20 million or 4% of its global turnover.
The Authority found that Replica does not adhere to the transparency principle outlined in the European Data Protection General Regulation (GDPR) regarding the processing of personal data. In particularly, the legal basis for Replika's data processing, which relies on the performance of a contract, is invalid as children are not qualified to enter into such contracts.
The decision also notes that Replika poses tangible threat to children. Replica lacks any age verification system during the registration process, and the chatbot's responses may not be appropriate for the children using the app.
Concerns have been raised about the risks such technology might pose to children. These range from worries over kids being exposed to inappropriate content to more general concerns such as that they might get addicted to the interactions, be encouraged into spending money on customizing their avatars or to gain access to other paid content. But the Authority appears to the first regulator to take formal action over child safety.