Data protection violation by AI chatbot

Data protection violation by AI chatbot "Replika": Italian supervisory authority imposes €5 million fine

The Italian Data Protection Authority has imposed a fine of €5 million on the U.S.-based company Luka Inc., operator of the AI-powered chatbot Replika, due to serious violations of key GDPR data protection principles. Replika is marketed as a virtual conversation partner and specifically targets sensitive and sometimes vulnerable user groups. The AI processes personal data such as communication content and users’ emotional self-disclosures to continuously improve its performance. During the investigation, the authority identified several infringements, including the lack of effective protection for minors: despite being clearly aimed at a younger audience, minors could use the service without restriction. There was no functioning age verification system in place (Articles 8, 25 GDPR).

Additionally, the data processing for model development was carried out without a sufficient legal basis (Article 5(1)(a), Article 6 GDPR), and the privacy policy was found to be inadequate – missing essential information such as data retention periods, details of data transfers, or the use of automated decision-making (Articles 12, 13 GDPR).

In addition to the sanction, the authority required the company to implement specific corrective measures – in particular with regard to transparency, age verification, and the handling of data transfers to third countries.

What does this mean in practice? The case illustrates that AI applications are clearly subject to the rules of the GDPR – regardless of whether the provider is established in the EU. Services operating in sensitive areas in particular must take data protection, transparency, and technical safeguards into account from the outset. This applies all the more when minors may be reached.
