
Background information
- Date of final decision: 10 April 2025
- National case
- Controller: Luka Inc.
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default)
- Decision: administrative fine, compliance order
- Key words: accountability, administrative fine, algorithms, principles relating to processing of personal data, responsibility of the controller, transparency
Summary of the Decision
Origin of the case
The proceedings originated from an investigation initiated by the Italian Supervisory Authority (SA) of its own motion following the publication of press reports and preliminary fact-finding conducted on the Replika service, a chatbot developed and managed by the US company Luka Inc. and based on a generative AI system. The chatbot features both a written and a voice interface, allowing users to ‘generate’ a ‘virtual companion’ that can take on the role of a confidant, therapist, romantic partner, or mentor.
Key Findings
During its investigation, the Italian SA found that the alleged infringements notified in February 2023—when it had ordered the blocking of the application—had indeed occurred. According to the Italian SA, until 2 February 2023, the US company had failed to identify the legal basis for the data processing operations carried out through Replika. Moreover, Luka had provided a privacy policy that was inadequate in several respects. The Italian SA also found that, until 2 February 2023, the Company had not implemented any age verification mechanisms—either at registration or during use of the service—despite having declared that minors were excluded from potential users.
Technical assessments revealed that the age verification system currently implemented by the controller continues to be deficient in several respects.
For these reasons, in addition to imposing a fine, the Italian SA ordered the company to bring its processing operations into compliance with the provisions of the Regulation.
Decision
The Italian SA has imposed on Luka Inc. an administrative fine of 5 million € for infringing Articles 5.1 (a) and 6; Articles 5.1 (a), 12, 13, 5.1 (c), 24 and 25.1 of the GDPR.
Additionally, the Italian SA reserves the right to investigate and assess, in a separate and autonomous proceeding, the aspects concerning the lawfulness of the processing operations carried out by Luka Inc., with specific reference to the legal bases for processing applicable throughout the entire lifecycle of the generative AI system underlying the Replika service.
For further information:
• AI: The Garante fines the company that operates the “Replika” chatbot
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.