The Court of Rome has annulled the only GDPR fine ever imposed on a generative-AI launch, holding that Italy’s Garante lost competence once OpenAI’s Irish establishment was recognised. A launch-period enforcement gap, and perhaps a question for the Court of Justice.
The Court of Rome’s full reasoning for annulling the OpenAI/ChatGPT fine has now been published, and in this new article on the European Law Blog we offer what we believe is the first substantive analysis of it. On the central jurisdictional question, the Court’s reasoning does not, in our view, persuade.
First, what the Court actually did. OpenAI committed the breaches the Garante complained of around the launch of ChatGPT, in 2022 and 2023, with no establishment anywhere in the EU. Its Irish establishment was recognised only in February 2024, and the Garante’s €15 million decision came later still, in November 2024. The Court annulled that decision in full, not on the merits and not as disproportionate, but on competence alone: because the Irish establishment existed by the time the Garante decided, the one-stop-shop had made Ireland the lead authority. And it reached that result for every breach at once. The Garante had separated the infringements it treated as finished, which it kept, from the one it treated as still continuing, which it sent to Ireland. The Court erased that distinction without examining it, although whether a breach was still continuing or already over is exactly what should decide who can act.
Second, the bigger implication. The Court held that the Garante lost competence, but it never showed how the Irish authority could gain competence over conduct that was over before any Irish establishment existed, and we doubt it could: lead-authority competence flows from the establishment, and the conduct predates it. Shutting the Garante out puts no one else in. Generalised, the concern is broader. OpenAI’s launch-period conduct touched data subjects across the EU, all of it before the Irish establishment existed, so under the Court’s reasoning the authority of every affected Member State is displaced the moment that establishment appears, while Ireland had no connection to the conduct when it happened. A whole window of potential infringements may now sit beyond anyone’s reach: not a slower forum, but an enforcement vacuum.
Third, DeepSeek illustrates the stakes. A dozen European authorities are investigating it in parallel, with no lead authority, because it has no EU establishment. Suppose it set one up and had it recognised one month before one of those authorities issued a fine. On Rome’s reasoning, that fine, and every pending one, would fall. Yet nothing suggests the country of establishment could itself sanction conduct that was over, in other Member States, before that establishment existed. The consolidation would not relocate enforcement; it would dissolve it.
The reach of Article 56 over conduct that predates an establishment seems to us unsettled, not acte clair. It is, perhaps, a question for the Court of Justice.
Read the full article on the European Law Blog: Establish, Then Escape? How the Court of Rome, the One-Stop-Shop and a Single Word Opened an AI Enforcement Gap
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the other members of the AI-Regulation Chair or any partner organisations.
This work has been partially supported by MIAI @ Grenoble Alpes, (ANR-23-IACL-0006) and by the Interdisciplinary Project on Privacy (IPoP) of the Cybersecurity PEPR (ANR 22-PECY-0002 IPOP).
