The report

Privacy watchdog: 'EU curbs unlimited power of platforms. Dangers from AI, especially for minors"

In 2024, sanctions collected amount to over 24 million euro. The revenge porn phenomenon is on the rise: 823 reports sent to the Garante by people fearing the dissemination of photos and videos with sexually explicit content, almost three times more than last year

by Andrea Carli and Andrea Gagliardi

15 July 2025

Il presidente del Garante privacy, Pasquale Stanzione, nella Relazione al Parlamento, Roma. ANSA/MAURIZIO BRAMBATTI

4' min read

Key points

Stanction: dangers from AI, alliance for child protection
Investigation against ChatGPT concluded
Revenge porn on the rise
Actions against aggressive telemarketing
Privacy and the right to report
Personal data breaches
Inspections
Sanctions of over 24 million euro

4' min read

"An essential part of the European digital governance strategy is also the regulation of the otherwise unlimited private power of platforms". This was said by the president of the Garante per la privacy Pasquale Stanzione, at the presentation of the Annual Report, recalling that the Regulation on political targeting assigns the Authorities "a relevant role in preventing the profiling and selection of content from altering democratic dynamics". "To the platforms there is the risk," he added, "otherwise of delegating the definition of freedoms and the exercise of democracy, redrawing a vertical power".

Stanction: dangers from AI, alliance for child protection

Stanzione also pointed out how the use of AI can give rise to "intolerable dangers", especially for minors who, as digital natives, "weave with neo-technologies an almost osmotic relationship, with undoubted benefits but also, at times, considerable risks". This is why "what is needed is the utmost rigour in respect of age verification obligations and, above all, a common alliance of institutions and educating communities for the promotion of digital awareness among minors".

Investigation against ChatGPT concluded

New emerging technologies, generative artificial intelligence, 'pay or ok' models and the training of AI systems through web scraping, alongside more consolidated activities such as the fight against aggressive telemarketing, the protection of the most vulnerable and the protection of health data. These are the various fronts on which the Privacy Guarantor has been engaged, according to the Annual Report presented today in Parliament. 2024 was the year of the confirmation of Artificial Intelligence in every activity and at the same time of the Garante's search for solutions capable of reconciling this technology's hunger for information with the rights of the individual. In the past year, the Authority concluded its investigation against ChatGPT and ordered OpenAI, the company managing the chatbot, to carry out an information campaign and pay a fine of EUR 15 million. Particular attention was paid to the use of biometric data and the spread of facial recognition systems.

The Authority sent a warning to Worldcoin in relation to the iris scanning project in exchange for cryptocurrencies, without adequate guarantees and the necessary awareness on the part of users. Activities also continued in connection with the processing operations of the Agenzia delle Entrate (Revenue Agency) involving the interchange of information between administrations to ensure the accuracy and completeness of the pre-filled tax return and the redditometro, as well as those related to the operation of the National Register of Education. On the front of the online protection of minors, the past year has seen the continuation of vigilance on the age of registration on social networks, including through 'age verification' systems.

Revenge porn on the rise

The report then raises the alarm over the worrying increase in the phenomenon of revenge porn: 823 reports sent to the Garante by persons fearing the dissemination of photos and videos with sexually explicit content, almost three times more than last year. The reports received were processed promptly and, in most cases, the examination ended with a measure directed at the platforms involved to obtain a preventive block on the dissemination of the photos and videos. During the course of the year, the Authority also received a number of reports concerning the dissemination of fictitious material created through the use of algorithms and AI (deep fakes).

Actions against aggressive telemarketing

On the consumer protection front, the Garante intervened against aggressive telemarketing with the application of heavy sanctions, most of which concern the use of subscriber data without consent. The authority also approved the Code of Conduct for telemarketing and teleselling activities and accredited the monitoring body. "Often the effectiveness of the Authority's strategy," recalled Stanzione in his speech, "lies in its integrated nature; in its combining, that is, different dimensions and directions of administrative action. Emblematic, in this sense, is the phenomenon of telemarketing, with respect to which the sanctioning measures, although significant in terms of entity and assumptions (in one case over six million euros), have been flanked by complementary activities, of a preventive, remedial and advisory nature, which are no less significant".

Privacy and the right to report

An important chapter also concerned the relationship between privacy and the right to report news. The Garante intervened several times to stigmatise the excess of details and the drifts of morbidity and spectacularisation of tragic events and to ensure the necessary safeguards.

Personal Data Breaches

The number of data breaches (personal data breaches) notified to the Garante in 2024 by public and private entities was significant: 2204. In the public sector (498 cases), the breaches mainly concerned municipalities, educational institutions and healthcare facilities; in the private sector (1706 cases), SMEs and professionals as well as large companies in the telecommunications, energy, banking and services sectors were involved. In the most serious cases, sanctions were taken.

Sanctions of over 24 million euro

In 2024, 835 collegial measures were adopted, of which 468 are corrective and sanctioning measures. The sanctions levied by the Authority, which is obliged to protect individuals in every context in which their data is processed (from business relations to healthcare, from education to journalism, from justice to immigration, from public security to social networks) amounted to more than EUR 24 million.

Inspections

There were 130 inspections carried out in 2024, in line with those of the previous year. The inspections carried out, also with the contribution of the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza, covered various sectors, both in the public and private sectors: in particular, SPID, use of innovative technologies (devices installed or tested by some municipalities to control tourist flows), electronic registers, facial recognition technologies, video surveillance tools and worker control, scientific research, data breach.

Andrea Gagliardiredattore
- @gagliardi_andr
- Email
Luogo: Roma
Lingue parlate: italiano, inglese, francese, spagnolo
Argomenti: politica, migranti, desk online
Scheda autore
Trust project
Andrea CarliRedattore
- @AncarliCarli
Luogo: Roma
Lingue parlate: Italiano, inglese e francese
Argomenti: Politica estera e geopolitica
Scheda autore
Trust project