Italy and the OpenAI Saga: Lessons for Every European DPO
Italy's data protection authority, the Garante per la protezione dei dati personali, has been the most aggressive European regulator when it comes to generative AI. And the enforcement arc that started in March 2023 is still playing out in ways that should matter to anyone deploying AI in European markets, whether you are building the models or just using them.
Let's walk through what actually happened, what the Garante's reasoning tells us about broader European enforcement trends, and where this leaves compliance teams right now.
The Timeline
On March 31, 2023, the Garante issued an emergency order temporarily banning ChatGPT across Italy. OpenAI had roughly 20 days to respond. The core allegations were straightforward GDPR violations: no valid legal basis for processing personal data to train the model (Articles 6 and 9), no age verification mechanism to protect minors under 13 (Article 8 of the GDPR, read alongside Italy's implementation setting the threshold at 14), insufficient transparency about how personal data was collected and used (Articles 12 and 13), and factual inaccuracies in ChatGPT outputs constituting a kind of data accuracy failure (Article 5(1)(d)).
OpenAI complied with enough of the requirements that service was restored in Italy by late April 2023. They published a revised privacy policy, introduced an age gate, and added an opt-out mechanism for training data. But the Garante was not finished.
In January 2024, the Garante issued a formal statement of objections, signaling that the temporary measures had not resolved the underlying concerns. Then, on December 20, 2024, the Garante imposed a 15 million euro fine on OpenAI. It also ordered OpenAI to conduct a six-month public awareness campaign about its data practices, an unusual and somewhat creative remedy.
OpenAI has announced it will appeal. The company's position is that the fine is disproportionate and that it has cooperated throughout. The appeal will likely take years to resolve.
What the Garante Actually Cared About
If you read the Garante's reasoning carefully, a few things stand out.
Legal Basis Is the Central Problem
The Garante rejected OpenAI's reliance on legitimate interest (Article 6(1)(f)) as a legal basis for processing personal data scraped from the public internet to train its models. This is significant because legitimate interest is the fallback that most AI companies have been leaning on. The Garante's view is that the scale and nature of the processing, combined with the lack of any direct relationship between OpenAI and the data subjects whose information was ingested, makes legitimate interest insufficient.
This aligns with what the European Data Protection Board signaled in its preliminary opinion on generative AI from May 2024, which noted that legitimate interest requires a careful balancing test and cannot be assumed simply because data is publicly available. Public availability does not equal free availability under GDPR. DPOs who have been treating web-scraped data as low-risk should revisit that assumption.
Accuracy Is a Real Obligation, Not a Theoretical One
The Garante's invocation of Article 5(1)(d), the accuracy principle, in the context of AI-generated hallucinations is genuinely novel. The argument is that when ChatGPT generates false statements about identifiable individuals, it is processing inaccurate personal data. This is a creative reading, but it is not an unreasonable one. And it creates a compliance problem that is essentially unsolvable with current large language model architectures, because hallucination is a statistical feature of how these models work, not a bug that can be patched.
For DPOs, this means you need to think about what happens when your AI tools generate incorrect information about real people. Disclaimers help, but the Garante seems to want more than disclaimers.
Age Verification Cannot Be Performative
OpenAI's initial response was to add a self-declaration age gate. The Garante found this inadequate. Italy's implementation of GDPR sets the age of digital consent at 14 (under Article 8's allowance for member states to set thresholds between 13 and 16), and the Garante expects meaningful verification, not just a checkbox. This is consistent with how several European regulators have been moving; France's CNIL published recommendations in June 2024 pushing for more robust age verification across digital services.
Why This Matters Beyond Italy
Italy is one member state, and 15 million euros is a relatively modest fine for a company valued in the hundreds of billions. So why should DPOs elsewhere in Europe pay attention?
First, the EDPB's coordination mechanism means that the Garante's reasoning will influence other DPAs. The one-stop-shop mechanism under Article 60 does not apply to OpenAI in the same way it would to a company with an EU establishment, since OpenAI designated its Irish entity relatively late in this process. But the substantive analysis, particularly on legal basis and accuracy, is being watched by every DPA in Europe.
Second, the Garante moved first, but others are following. France's CNIL opened its own investigation into OpenAI in April 2023. Poland's UODO filed a complaint in the same period. Spain's AEPD launched a preliminary investigation in April 2023 as well. The pattern is clear: multiple regulators are converging on the same set of concerns.
Third, the AI Act (Regulation 2024/1689), which entered into force on August 1, 2024, with its obligations phasing in through 2027, does not replace GDPR obligations. It layers on top of them. Article 2(7) of the AI Act explicitly preserves GDPR. So the legal basis questions the Garante raised are not going away; they are going to compound as AI Act transparency and risk management requirements kick in.
Practical Takeaways for Compliance Teams
- Audit your legal basis for AI training data. If your organization is fine-tuning models on data that includes personal information, legitimate interest requires a documented balancing test. "The data was publicly available" is not sufficient analysis.
- Assess hallucination risk as a data accuracy issue. If your AI tools generate text about identifiable individuals, you have an Article 5(1)(d) exposure. Document your mitigation measures and consider output filtering.
- Take age verification seriously. If your product is accessible to consumers in the EU, a self-declaration checkbox is increasingly being treated as inadequate by regulators.
- Map your obligations across both GDPR and the AI Act. These frameworks interact, and compliance with one does not guarantee compliance with the other. Your Data Protection Impact Assessments under Article 35 of GDPR should now account for AI Act risk classifications.
- Watch the EDPB's forthcoming guidance on AI and GDPR. The Board has been developing specific guidance on generative AI and data protection, and whatever they publish will effectively set the enforcement baseline across all 27 member states.
How FirmAdapt Addresses This
FirmAdapt was built with these regulatory dynamics in mind. The platform's compliance-first architecture means that data processing activities, including any AI-driven features, are designed around documented legal bases with configurable controls for jurisdiction-specific requirements like age thresholds and data subject rights workflows. When regulatory frameworks layer on top of each other, as GDPR and the AI Act now do, FirmAdapt's integrated compliance mapping helps teams identify overlapping obligations without maintaining separate tracking systems.
For organizations deploying AI tools in European markets, FirmAdapt provides the audit trail and governance infrastructure that regulators like the Garante are explicitly looking for. The platform supports DPIA documentation, legal basis records, and cross-framework obligation tracking, which is the kind of demonstrable accountability that makes the difference between a defensible compliance posture and a 15 million euro problem.