Garante per la protezione dei dati personali (Italy) - 9852214

From GDPRhub
Garante per la protezione dei dati personali - 9852214
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 8 GDPR
Article 9 GDPR
Article 13 GDPR
Article 58(1) GDPR
Article 58(2)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.02.2023
Published: 03.02.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 9852214
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: n/a

Under Article 58(2)(f) GDPR, the Italian DPA imposed a temporary limitation on processing of an AI-powered ChatBot. The privacy policy did not clarify which legal basis had been relied upon by the company, particularly for processing of underage users. The DPA also held that no age verification mechanism was in place.

English Summary

Facts

The controller is Luka Inc, a US-based company that developed and operated Replika, an AI-powered chatbot.

According to the controller, Replika can improve the user's mood and emotional well-being by helping them understand their thoughts and feelings, keep track of their mood, learn coping skills (i.e., stress control), calm anxiety, and work towards goals such as positive thinking, stress management, socialising, and finding love. In other words, Replika provides a kind of 'virtual friend' that users can configure as friend, partner or mentor.

Various reports were published in Italian media concerning inappropriate content on the Replika app, which would pose concrete risks particularly to minors and emotionally vulnerable people. Subsequently, the Italian DPA conducted an investigation focusing on the collection of personal data and the app’s age verification mechanisms.

The investigation revealed that, regardless of what the company stated in its privacy policy or terms of service, no age verification procedure was in place when users created an account. Moreover, the controller had not implemented any blocking method for users who could be believed to be underage during the use of Replika, for example based on the content of their responses.

The investigation also showed that the privacy policy failed to disclose information on the key elements of the processing, in particular the legal grounds and the use of children’s personal data.

Holding

The DPA held that the legal basis for the processing activities could hardly be determined from the controller's privacy policy.

In doing so, the DPA also ruled out any legal grounds under Article 6(1)(b) GDPR (contractual necessity). Children, the DPA argued, are legally incapacitated to enter contracts under Italian law, especially when performance of such contracts implies making available a substantial amount of personal data, as in this case. Hence, the DPA ruled that the processing of personal data, in particular of children, was in breach of Article 5, Article 6, Article 8, Article 9, and Article 25 GDPR.

Consequently, the DPA urgently imposed upon the controller a temporary limitation on the processing of personal data relating to all users in Italy under Article 58(2)(f) GDPR. The limitation concerns all users, taking into account that there is no age verification mechanism in the app. The DPA stated that, pursuant to Article 58(1) GDPR, the controller can provide information on the steps it may take to comply with the measures within 20 days and that a fine can be imposed in case of failure to comply.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO: Press release of February 3, 2023

- English version



[doc. web no. 9852214]

Provision of February 2, 2023

Register of measures
no. 39 of 2 February 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD also to the Personal Data Protection Code (Legislative Decree No. 196 of 30 June 2003);

NOTING that recent press reports have given evidence - in great detail - of some tests conducted on the Replika application (a chatbot, with a written and vocal interface, based on artificial intelligence that generates a "virtual friend" that the user can decide to configure as a friend, romantic partner or mentor), evidence that has highlighted concrete risks for minors and, more generally, for people in a state of emotional fragility;

NOTING that in the privacy policy (updated on July 5, 2022) published on its website, the service provider declares that it does not knowingly collect personal data of minors under the age of 13 and encourages parents and legal guardians to monitor the use of the Internet by their children, to respect the privacy policy by instructing minors never to provide personal data on the service without their authorization, and to contact the platform in the event that they have reason to believe that a child under the age of 13 has provided personal data, so that it can be deleted from the databases;

NOTING, in particular, that in the two main "App stores" the application is classified as suitable for people over 17 years of age, while the terms of service (updated on 14 September 2022) published on the developer's website indicate a ban on use by children under 13 and a requirement that children under 18 receive prior authorization from a parent or guardian;

CONSIDERING that the tests carried out and reported by the aforementioned press articles show the absence of filters for minors and that minors are offered answers that are absolutely unsuitable for their degree of development and self-awareness;

VERIFIED that during the creation of an account the platform does not provide for any procedure for verifying and checking the user's age, as the system only asks for name, email and gender;

VERIFIED also the absence of interdiction or blocking mechanisms even in the face of user declarations that make their minor age explicit, and that the chatbot proposes "answers" clearly at odds with the protections that should be ensured for minors and, more generally, for all the most fragile subjects;

NOTING that several reviews published in the two main "App stores" also contain comments from users who complain about sexually inappropriate content provided by the Replika chatbot;

NOTING that on the developer's website, as well as in the two main "App stores", Replika is presented as a chatbot capable of improving the user's mood and emotional well-being, helping them to understand their thoughts and feelings, keep track of their mood, learn coping (i.e., stress management) skills, calm anxiety, and work toward goals such as positive thinking, stress management, socializing, and finding love;

CONSIDERING that even these characteristics, mainly attributable to interventions on the person's mood, may be suitable for increasing the risks for the fragile subjects involved;

CONSIDERING, also, that the aforementioned privacy policy cannot be considered compliant with the principles and obligations on transparency established by the Regulation, as it reveals nothing about the essential elements of the processing, with particular regard to the use of personal data of minors, and is therefore in conflict with art. 13 of the Regulation;

CONSIDERING that the aforementioned lack of information makes it impossible to identify the very legal basis of the various processing operations carried out by the aforementioned chatbot, and that it must in any case be excluded that, with particular regard to minors, this basis may - even if only implicitly - be found in the contractual framework, given the recognized incapacity of minors in the Italian legal system to conclude contracts for the use of services such as the one in question, which involve a significant provision of their personal data;

CONSIDERING therefore that in the situation outlined above, the processing of personal data of users, in particular of minors, is in violation of articles 5, 6, 8, 9 and 25 of the Regulation;

RECOGNIZING, therefore, the need to order - pursuant to art. 58, par. 2, lit. f), of the Regulation - as a matter of urgency, against Luka Inc, the US company that develops and manages Replika, as controller of the processing of personal data carried out through the application in question, the measure of the temporary limitation of the processing;

CONSIDERING that, given the absence of any mechanism for verifying the age of users and, in any case, the set of violations detected, said temporary limitation must extend to all personal data of users established in the Italian territory;

CONSIDERING it necessary to order the aforementioned limitation with immediate effect from the date of receipt of this provision, reserving any other determination to the outcome of the preliminary investigation started on the case;

RECALLING that, in the event of non-compliance with the measure established by the Guarantor, the criminal sanction pursuant to art. 170 of the Code and the administrative sanctions provided for by art. 83, par. 5, lett. e), of the Regulation apply;

CONSIDERING, on the basis of the foregoing, that the prerequisites are met for the application of art. 5, paragraph 8, of Regulation no. 1/2000 on the organization and functioning of the Guarantor's office, which provides that "In cases of particular urgency and in which the Guarantor cannot be convened in good time, the president can adopt the measures pertaining to the body, which cease to have effect from the moment of their adoption if they are not ratified by the Guarantor in the first useful meeting, to be convened no later than the thirtieth day";

HAVING REGARD to the documents on file;

IN LIGHT OF ALL THE ABOVE, THE GUARANTOR:

a) pursuant to art. 58, par. 2, lit. f), of the Regulation, urgently establishes, against Luka Inc, the US company that develops and manages Replika, as controller of the processing of personal data carried out through this application, the measure of the temporary limitation of the processing of personal data of users established in the Italian territory;

b) the aforementioned limitation has immediate effect from the date of receipt of this provision, subject to any other determination following the outcome of the definition of the investigation started on the case.

The Guarantor, pursuant to art. 58, par. 1, of Regulation (EU) 2016/679, also invites the data controller to which this provision is addressed to communicate, within 20 days from the date of its receipt, what initiatives have been undertaken in order to implement the provisions and to provide any element deemed useful to justify the violations highlighted above. Please note that failure to respond to the request pursuant to art. 58 is punished with the administrative sanction pursuant to art. 83, par. 5, lett. e), of Regulation (EU) 2016/679.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller has its residence, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

In Rome, February 2, 2023

PRESIDENT
Stanzione

__________





GARANTE PER LA PROTEZIONE DEI DATI PERSONALI

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the ‘Regulation’);

Having regard to the Personal Data Protection Code (legislative decree No 196 of 30 June 2003, hereinafter the ‘Code’);

Noting that media outlets recently reported in detail on tests that had been performed on the ‘Replika’ app – which is an AI-powered chatbot equipped with a text and voice interface generating a ‘virtual friend’ users can configure as a friend, partner or mentor; noting that those tests had reportedly pointed to factual risks to minors and, generally speaking, emotionally vulnerable individuals;

Noting that the service provider declares – in the privacy policy as last updated on 5 July 2022 and published on the relevant website – that personal data relating to below-13 children are not collected knowingly, whereas parents and legal guardians are encouraged to monitor use of the Internet by their children, comply with the privacy policy by instructing children to never provide personal data on the service without their authorisation, and contact the platform in case they have reason to believe that a below-13 child has provided personal data so that such data be removed from databases;

Noting, in particular, that the app is classed as suitable for individuals aged above 17 in the two main App Stores, whilst the terms of service as last updated on 14 September 2022 and published on the developer’s website mention that below-13 children are banned from using the app and that below-18 users must be authorised beforehand by their parents or legal guardians;

Whereas the tests carried out on the app as reported by the abovementioned media outlets show that no gating system is in place for children and that utterly inappropriate replies are served to children by having regard to their degree of development and self-conscience;

Having established that no age verification or control procedures are in place on the platform during account creation, and that the system only requires users to provide their names, email accounts, and gender;

Having also established that no banning or blocking mechanisms are triggered even where a user declares explicitly that he or she is underage, and that the chatbot serves ‘replies’ that are clearly at odds with the safeguards children and, more generally, vulnerable individuals are entitled to;

Taking note that several reviews on the two main App Stores include comments by users pointing to the sexually inappropriate contents that are provided by the Replika chatbot;

Noting that Replika is presented both on the developer’s website and in the two main App Stores as a chatbot that can improve users’ mood and emotional welfare by helping them understand their thoughts and feelings, keep track of their mood, learn coping skills (i.e., to control stress), calm their anxiety and work towards goals such as positive thinking, stress management, socialisation and the search for love;

Finding that the above features can also be such as to enhance risks to the vulnerable individuals concerned as they can mostly be traced back to actions on an individual’s mood;

Whereas the aforementioned privacy policy is not to be regarded as compliant with the transparency principles and obligations set out in the Regulation as it fails to disclose whatever information on the key elements of the processing at issue, in particular on the use of children’s personal data, which is in breach of Article 13 of the Regulation;

Whereas such flawed information entails that the legal basis for the individual processing activities by the said chatbot can hardly be determined; whereas one can unquestionably rule out that the legal basis at issue may be traced back, also implicitly, to contractual performance especially as regards children, since children are legally incapacitated under Italian law to enter into a contract for the supply of services such as the one at hand - which entails making available a substantial amount of one’s personal data;

Finding accordingly that the processing of personal data relating to users, in particular underage users, is in breach of Articles 5, 6, 8, 9 and 25 of the Regulation in the light of the aforementioned circumstances;

Deeming therefore that a temporary limitation on the processing is to be ordered urgently under Article 58(2)(f) of the Regulation vis-à-vis Luka Inc., i.e., the US developer and operator of Replika, in its capacity as controller of the processing of personal data that is performed via the app in question;

Finding that the above temporary limitation is to be imposed on all the personal data relating to users in the Italian territory, taking account of the lack of whatever age verification mechanism as well as of the infringements that have been established;

Finding it necessary for the said limitation to be enforced immediately as from the date of receipt of this order, whereby this is without prejudice to such additional determinations as may be made upon finalisation of the ongoing fact-finding activities;

Recalling that failure to comply with a measure ordered by the Garante carries the criminal punishment referred to in Section 170 of the Code along with the administrative fine referred to in Article 83(5)(e) of the Regulation;

Finding in the light of the foregoing considerations that the preconditions are met to apply Article 5(8) of Regulation 1/2000 concerning organisation and operation of the Office of the Garante, whereby ‘If a case is especially urgent and cannot be put off and this prevents the Garante from being convened in due time, the President may take such measures as fall under the scope of competence of the panel; these measures shall cease to be enforceable starting from the date of their adoption if they are not ratified by the Garante in the first meeting suitable for that purpose, which is to be convened within the ensuing thirty days’;

Having regard to the documents on file;

BASED ON THE FOREGOING PREMISES, THE GARANTE

a) orders under Article 58(2)(f) of the Regulation that a temporary limitation be imposed urgently on the processing of personal data relating to users in the Italian territory as performed by Luka Inc., the US-based developer and operator of Replika, in its capacity as controller of the processing of personal data that is carried out via the said app;

b) provides that the said limitation be enforced immediately as from the date of receipt of this order, whereby this shall be without prejudice to such additional determinations as may be made upon finalisation of the ongoing fact-finding activities.

Pursuant to Article 58(1) of the Regulation, the Garante calls upon the controller addressed by this order to provide information within 20 days from the receipt hereof on any steps it may have taken in order to comply with the foregoing measures, and to submit any elements that are deemed helpful in order to account for the aforementioned infringements. It is recalled hereby that failure to comply with an Article 58 request entails imposition of the administrative fine referred to in Article 83(5)(e) of the Regulation.

Under the terms of Article 78 of the Regulation, Section 152 of the Code and Section 10 of legislative decree No 150 of 1 September 2011, this measure may be challenged before judicial authorities by lodging an appeal with the court of the controller’s place of residence within thirty days of the date of communication hereof, or within sixty days of the latter date if the appellant is resident abroad.

Rome, 2 February 2023

THE PRESIDENT
Stanzione