A Rome court on March 18, 2026 annulled the only GDPR fine ever imposed on a generative AI launch. The decision did not find OpenAI innocent. It found that Italy had no right to judge OpenAI at all - and the full reasoning, published on May 28, 2026, lays bare a structural weakness in European privacy enforcement that legal scholars, regulators from Germany to France, and privacy advocates have documented for years.

The facts are not in dispute. OpenAI launched ChatGPT on November 30, 2022. A data breach occurred on March 20, 2023, allowing some users to see the titles of other users' active conversations. The company had no EU establishment at that point. Italy's Garante per la Protezione dei Dati Personali moved quickly, issued an emergency ban, conducted a multi-year investigation, and on November 2, 2024, issued provvedimento n. 755 - a €15 million fine alongside a mandatory six-month media awareness campaign to run across Italian radio, television, newspapers, and internet platforms. According to legal scholars Theodore Christakis and Giulio Monga, writing on June 4, 2026 on the European Law Blog after the full grounds of the judgment became available on May 28, 2026, the Tribunale Ordinario di Roma annulled that decision entirely on a single jurisdictional point, declared all other grounds of appeal "absorbed," and never examined whether OpenAI had actually complied with the GDPR.

As PPC Land reported when the reasoning was published on May 28, the court "does not reach the substantive GDPR violations alleged by the Italian authority. It does not assess whether OpenAI failed to notify the Garante of the March 20, 2023 data breach. It does not determine whether ChatGPT's training data processing lacked a valid legal basis." The substance was irrelevant. The machinery had been turned against the regulator.

A corporation, a date, and a vanishing case

The key event was not the data breach of March 2023, nor the enforcement proceeding opened in January 2024. It was a recognition letter. On February 15, 2024, the Irish Data Protection Commission formally recognised OpenAI Ireland Limited as the company's single establishment in the European Economic Area. OpenAI Ireland had been incorporated on March 24, 2023 - four days after the breach that triggered the Italian investigation. But as PPC Land's analysis of the case noted, "incorporation is an act of company law that brings a legal entity into existence... whereas 'main' or 'single establishment' is an autonomous concept of EU data protection law, turning on the effective and real exercise of activity through stable arrangements." The two need not coincide in time, and in this case they did not - nearly a year separated OpenAI Ireland's incorporation and its recognition as the single EEA establishment.

That gap became the decisive legal event. Under Article 56(1) of the GDPR, the supervisory authority of a controller's main or single establishment holds exclusive competence over cross-border processing. The Court of Rome, relying on EDPB Opinion 8/2019, held that lead competence can switch to a newly competent authority at any time before a final decision is reached. Because no final decision had been taken by February 15, 2024, the Garante should have transferred the case to Dublin. Its November 2024 decision was therefore issued by an authority that had, on the court's reasoning, already lost its right to act.

According to Christakis and Monga, the Garante did the investigation. It gathered the evidence. It built the case over more than a year. And then, on a jurisdictional technicality tied to the timing of a corporate registration, the entire result was voided. PPC Land's reporting on the case put it plainly: nine months of Italian enforcement work culminating in a €15 million order "was voided on that basis, without any ruling on whether the underlying conduct was lawful."

The Garante's case, in full

The Italian investigation was not superficial. As PPC Land documented, the Garante's findings covered a wide range of alleged violations across the period from November 30, 2022, forward: an unreported data breach in violation of Article 33 GDPR; an absence of identified lawful bases for training under Articles 5(2) and 6; inadequate privacy disclosures under Articles 12 and 13; missing age verification systems under Articles 24 and 25(1); and a failure to carry out the awareness campaign already mandated under provvedimento n. 114 in April 2023, itself a violation of Article 83(5)(e).

OpenAI raised ten grounds of appeal. The court examined one. Having found the first - jurisdictional competence - decisive, it absorbed the remaining nine without examination. The proportionality of the fine, the lawfulness of OpenAI's training practices, the transparency shortcomings, the age verification failures: all remain formally unanswered.

What other EU regulators did is also instructive. PPC Land's reporting noted that "other European data protection authorities which had also opened investigations into OpenAI's GDPR compliance transferred their files to the Irish DPC after February 15, 2024 - the date on which OpenAI Ireland was formally recognised as the EEA establishment. This, the court found, confirmed the correct interpretation of the one-stop-shop rules. Italy stood alone in pressing to a final decision."

Italy's persistence was penalised. Every other authority that recognised the jurisdictional shift and stepped back was vindicated procedurally. The Garante, which had been the most aggressive European regulator on AI and had done the most investigative work, was the one left with nothing.

The playbook every non-EU provider now has

This is not an abstract legal problem. It is a replicable sequence. A foreign provider enters the EU market with no establishment, processes data across the continent, absorbs whatever provisional measures land during the early enforcement phase - emergency bans, information requests, compliance orders - and then, if enforcement pressure intensifies, incorporates a genuine EEA subsidiary and has it recognised in the most congenial member state before any pending proceeding reaches a final decision. Every open case is then funnelled toward that chosen authority.

According to Christakis and Monga, the judgment hands any non-EEA provider a clear structural option: once a genuine EEA subsidiary is recognised, every pending national proceeding that has not yet ended in a final decision is funnelled toward a single chosen authority. Given the breadth of parallel enforcement fronts that major AI launches now generate, that consolidation prize is substantial.

The destination of choice has long been Ireland. As PPC Land has documented extensively, major US technology platforms - Meta, Google, Apple, LinkedIn, TikTok - established their European headquarters in Dublin to take advantage of Ireland's corporate tax environment, automatically making the Irish Data Protection Commission their lead GDPR regulator across all 450 million European users. The one-stop-shop mechanism, designed to prevent fragmented enforcement, instead concentrated regulatory power in a single jurisdiction and created a structural incentive to establish there.

PPC Land's analysis of the Rome ruling framed the connection directly: "The timing and sequence of those steps can determine, as this case shows, whether a multimillion-euro penalty stands or falls."

Forty percent of €7.1 billion never existed

The Rome ruling did not arrive alone. It came within days of Luxembourg's Administrative Court annulling the €746 million fine imposed on Amazon by the National Commission for Data Protection - a case in which the court confirmed Amazon had violated GDPR but struck down the fine because the regulator had applied strict liability without assessing negligence, as required by Court of Justice of the European Union case law. PPC Land reported the Luxembourg ruling on March 13, 2026 and subsequently published a detailed legal breakdown of the decision. In one week in March 2026, €761 million was erased from the GDPR enforcement ledger without a single finding that either company had complied with the regulation.

That pattern is not an anomaly. According to PPC Land's eight-year enforcement analysis, drawing on data compiled by Alliance Risk, European regulators have announced €7.1 billion in GDPR fines since May 2018, but roughly €2.8 billion of that total - nearly 40% - has been either annulled or is actively contested before courts. The framework is, in Alliance Risk's words, "being rewritten while it's still being tested." Meta's €1.2 billion penalty for illegal US data transfers - still the largest individual GDPR fine ever issued - remains under active appeal in the Irish courts.

GDPR enforcement statistics published earlier by PPC Land found that only 1.3% of GDPR cases resulted in monetary penalties between 2018 and 2023. The ratio between investigations opened and fines collected tells a different story than the headline numbers suggest.

Ireland: the lead authority problem

Ireland's Data Protection Commission holds a position in European privacy enforcement with no equivalent anywhere in the regulation. Because the GDPR's one-stop-shop mechanism designates a company's lead authority based on where its main establishment sits, and because Ireland's corporate tax environment attracted Google, Meta, Microsoft, Apple, and dozens of other major technology platforms to Dublin, the Irish DPC functions as the primary GDPR regulator for a disproportionate share of global internet services.

The nominal fine totals from Ireland are large. But the gap between imposed and collected is stark. According to privacy organisation noyb, only 0.6% of fines nominally issued against major companies had actually been collected - with billions under active judicial appeal. PPC Land's reporting on the Rome case noted the figure directly: noyb characterised a pattern in which the Irish DPC had "de facto not enforced the GDPR against US Big Tech. While officially issuing billions on fines, only 0.6% of them were ever collected."

The delay problem is also documented in the courts. In January 2025, the EU General Court ruled that the Irish DPC had acted unlawfully by refusing to investigate a complaint about Meta's data practices - a complaint originally filed on May 25, 2018, the first day GDPR came into force. Seven years elapsed between complaint and a court order requiring the DPC to act. The same pattern appeared in the WhatsApp enforcement case, where eleven national data protection authorities raised formal objections to the Irish DPC's draft decision on transparency violations, and the EDPB ultimately had to issue a binding decision requiring the fine to be substantially higher than the DPC's initial assessment.

The structural conflict of interest argument gained new visibility in September 2025 with the appointment of Niamh Sweeney as the third Data Protection Commissioner after nearly eight years at Meta, including as head of public policy at Facebook Ireland and director of public policy for Europe at WhatsApp. Noyb's public response: "We now literally have a US big tech lobbyist policing US big tech for Europe." As PPC Land's analysis of the Rome ruling concluded on this point, "whether or not that characterisation is fair as a complete account of the DPC's work, the statistical record is clear enough on its own terms."

The enforcement vacuum no one wants to acknowledge

The most troubling aspect of the ruling, according to Christakis and Monga, is what it does not do. The court holds that the Garante lost its competence. It does not hold that the Irish DPC gained competence over conduct completed before February 15, 2024.

That distinction matters enormously for the data breach charge specifically. The breach occurred on March 20, 2023, and the notification duty under Article 33 fell due seventy-two hours later - at a point when OpenAI had no EU establishment and OpenAI Ireland had not yet even been incorporated. As PPC Land's reporting noted, the Garante "classified that infringement as consumed and retained it, forwarding to Ireland only the continuing matters." But the court annulled the entire decision, consumed infringements included, without addressing whether the Irish authority could actually exercise jurisdiction over conduct predating its own existence.

The result is not a transfer of enforcement. It is the elimination of it. According to Christakis and Monga, the realistic outcome is a negative conflict of competence: the Garante is shut out, and it is far from clear that Ireland is brought in for the pre-establishment conduct. Not a slower forum, but no forum at all. The procedural coherence the court optimised for comes at the cost of any substantive outcome for the data subjects whose information was processed during ChatGPT's launch period.

The attempt to fix what is broken

As PPC Land reported in April 2025, the EU's attempt to address the cooperation mechanism through a new GDPR Procedural Regulation risked creating "unprecedented complexity that will further delay privacy enforcement across Europe." Rather than streamlining the system, the proposed regulation threatened to add approximately ten different types of GDPR procedures. Germany, France, Spain, and Italy had all formally expressed concerns about Ireland's enforcement record. The European Commission's proposal was criticised for shielding the Irish DPC from meaningful accountability to other national authorities through what commentators called an "inquisitorial system" approach.

The Rome judgment lands as those reform negotiations continue. The European Commission is simultaneously attempting to rewrite substantive parts of GDPR through the Digital Omnibus legislative package, proposing new legitimate interest bases for AI training and redefining what constitutes personal data. The system is being contested at every level at once - in court, in parliament, and in the soft-law opinions that regulators rely on to resolve jurisdictional disputes.

According to Christakis and Monga, the reach of Article 56 over conduct predating an establishment is unsettled law and warrants a preliminary reference to the Court of Justice of the European Union under Article 267 TFEU. The Rome judgment is a first-instance ruling by a single judge of the Tribunale di Roma. The Garante may yet appeal before the Corte di Cassazione, Italy's supreme court. But until that higher court speaks - or until Luxembourg does - the mechanism documented by the Rome court remains intact.

PPC Land's analysis of the ruling captured the endpoint precisely: a case in which a €15 million fine, "issued by a major European authority, has been annulled not because the conduct was found lawful, but because no one agreed on who had the right to judge it." Eight years of GDPR enforcement, one final decision on a generative AI launch, and that decision no longer exists.

Timeline

  • November 30, 2022 - OpenAI launches ChatGPT publicly with no EU establishment
  • February 1, 2023 - ChatGPT Plus subscription tier introduced
  • March 20, 2023 - Data breach exposes some users' conversation titles
  • March 24, 2023 - OpenAI Ireland Limited incorporated, four days after the breach
  • March 30, 2023 - Italy's Garante issues emergency processing ban on ChatGPT (provvedimento n. 112)
  • April 11, 2023 - Garante suspends ban, orders compliance measures; ChatGPT reinstated in Italy
  • May 25, 2018 - January 2025 - Noyb's Meta complaint, filed on GDPR's first day, remains unresolved until the EU General Court forces an investigation seven years later
  • January 26, 2024 - Garante formally opens sanctioning proceeding against OpenAI
  • February 15, 2024 - Irish DPC formally recognises OpenAI Ireland as the company's single EEA establishment; Garante's competence, on the court's reasoning, ends here
  • November 2, 2024 - Garante issues final €15 million decision against OpenAI (provvedimento n. 755)
  • September 2025 - Ireland appoints former Meta executive as Data Protection Commissioner; noyb states only 0.6% of announced Irish fines ever collected
  • March 12-13, 2026 - Luxembourg court annuls Amazon's €746 million GDPR fine; PPC Land reports and publishes legal breakdown
  • March 18, 2026 - Tribunale Ordinario di Roma annuls Garante's €15 million fine against OpenAI; PPC Land reports the outcome
  • May 28, 2026 - Full grounds of the Rome judgment published; PPC Land publishes detailed analysis
  • May-June 2026 - PPC Land reports nearly 40% of €7.1B in GDPR fines annulled or challenged
  • June 4, 2026 - Theodore Christakis and Giulio Monga publish first substantive analysis of the full judgment reasoning on the European Law Blog, arguing the ruling opens a replicable enforcement vacuum for non-EU AI providers

Summary

Who: The Tribunale Ordinario di Roma, Italy's Garante per la Protezione dei Dati Personali, OpenAI OpCo LLC, the Irish Data Protection Commission, and legal scholars Theodore Christakis (professor of international, European and digital law, University of Grenoble Alpes) and Giulio Monga (Italian data protection lawyer), writing on June 4, 2026 on the European Law Blog.

What: The Court of Rome annulled the only GDPR fine ever imposed on a generative AI launch on a single jurisdictional point - that the Garante lost competence once OpenAI's Irish subsidiary was recognised on February 15, 2024. The June 4, 2026 scholarly analysis argues the ruling maps a replicable sequence allowing any non-EU AI provider to neutralise pending national enforcement by timing a corporate establishment correctly. Combined with Ireland's documented collection record, the EU's stalled procedural reform, and nearly €2.8 billion in GDPR fines already erased by courts, the Rome judgment is a data point in a broader pattern in which GDPR enforcement against major AI providers has produced, after eight years, exactly one final sanctioning decision - and that decision no longer stands.

When: Underlying conduct from November 2022 to March 2023. Garante's fine issued November 2, 2024. Court's ruling issued March 18, 2026. Full grounds published May 28, 2026. First substantive scholarly analysis published June 4, 2026.

Where: Rome, Italy - with jurisdictional consequences spanning the entire EEA and centering on the boundary between Italian and Irish regulatory competence under the GDPR one-stop-shop mechanism, a boundary set by a corporate recognition letter issued in Dublin on February 15, 2024.

Why: The ruling matters because it confirms a structural vulnerability in European privacy enforcement: non-EU AI providers can launch without an EU presence, generate data processing events across the continent during the most legally sensitive window of their growth, and then establish in a favourable jurisdiction before enforcement concludes - potentially leaving launch-period conduct with no competent authority anywhere in the EU. The judgment optimises for legal certainty at the cost of enforcement effectiveness at precisely the moment when the GDPR's application to generative AI remains the most contested and consequential open question in European digital law.