The €15M Privacy Fine That Collapsed Because Nobody Owned It
Europe's first big AI-training fine got voided. Not for being wrong — for being orphaned.
In December 2024 Italy's privacy regulator did the thing everyone said no regulator would dare: it fined an AI company €15 million for training a model on people's data without first deciding it was allowed to. Fifteen months later a court erased the fine without disputing a single fact, on the grounds that the regulator was not the manager on duty.
On 20 December 2024 the Garante, Italy's data protection authority, closed its ChatGPT investigation with a €15 million penalty, a six-month public-awareness campaign, and findings that OpenAI had trained the model with no identified lawful basis, had fallen short on transparency, lacked real age checks, and never reported a March 2023 breach. That was three days after the EU's data board issued its opinion on exactly this question, and the regulator's own notice, published the same day, already conceded it had forwarded the file to Ireland's DPC as the new lead authority under the one-stop-shop rule.
On 18 March 2026 the Court of Rome annulled the decision in full, and on 28 May 2026 it published why: the Irish DPC had become lead supervisory authority on 15 February 2024, the day it recognized OpenAI's Dublin entity as the EEA establishment. The Garante issued its decision nine months after that. So the court set aside the fine and the campaign order without reaching whether keeping-everything-to-train-the-model broke the law at all. The merits were not refuted. They were declared somebody else's paperwork.
What this reveals is the quiet load-bearing assumption of modern enforcement: that the hard part is proving the harm, when the hard part is establishing who holds the clipboard. The substantive question — can you collect first and find a lawful basis later — was researched, argued, written up, and then shelved on a jurisdictional technicality that the issuing regulator had itself flagged in the original notice. An entire flagship action turned out to rest on an ownership handoff nobody had finished.
Watch whether Dublin, now the undisputed lead, actually re-runs the case it inherited, or whether "lead authority" becomes the regulatory equivalent of the shared inbox where tickets go to age. Watch the appeal. And watch how quickly "the fine was thrown out" hardens into "a court blessed training on scraped personal data" in vendor decks — a claim the ruling pointedly never made. When the only finding is about custody, everyone gets to keep believing they won.
A control with no named owner isn't a control; it's a story you tell auditors. The €15M fine didn't fail on the facts — it failed because two regulators each assumed the other was driving.
The Garante fined OpenAI €15 million in December 2024, citing training data with no identified lawful basis, transparency failures, weak age verification, and an unreported 2023 breach. [supports 01]
The EU data board's December 2024 opinion addressed when an AI model is anonymous and when legitimate interest can justify training-data collection. [context 02]
The Court of Rome annulled the fine in full on 18 March 2026 on jurisdictional grounds — the Irish DPC was lead authority — without ruling on whether the conduct broke the law. [supports 03]
The Garante's own original notice already stated it had forwarded the proceedings to the Irish DPC under the one-stop-shop mechanism. [supports 01]