Italian Authority Fined Luka Inc. €5 Million for GDPR Violations in Replika Chatbot
The Italian Supervisory Authority (SA) has imposed a €5 million administrative fine on Luka Inc., the US company behind the Replika chatbot service, for multiple violations of the EU General Data Protection Regulation (GDPR). The investigation revealed that Luka Inc. failed to establish a legal basis for processing personal data within the Replika service. Additionally, the company’s privacy policy was found to be inadequate in providing necessary information to users, violating transparency and information obligations under the GDPR.
The Replika chatbot, which uses generative AI to create virtual companions acting as confidants, therapists, or mentors, was also found lacking in age verification mechanisms. Despite claims that minors are excluded from using the service, Luka Inc. had no proper age verification during registration or use. Even the age verification measures Luka Inc. later implemented were judged by the Italian SA to be insufficient and technically deficient.
The Italian Supervisory Authority’s decision highlights the responsibility of data controllers to ensure compliance with GDPR principles, including accountability, transparency, and data protection by design and default. Luka Inc. was found in breach of multiple GDPR articles, including those related to lawful processing, transparency, and controller responsibility. Beyond the fine, the SA ordered Luka Inc. to bring all processing activities into compliance with the regulation.
The authority also reserved the right to open a separate investigation into the lawfulness of data processing throughout the entire lifecycle of the generative AI system powering Replika. This case underscores the increasing scrutiny on AI services and the importance of protecting personal data in innovative technologies under EU law.