CompanyScope
by Janus Compliance

AIR-2026-006 · AI Agent Incident Register

Garante v Luka: Italy's €5M fine on the Replika chatbot for processing without a legal basis

Incident: 2025-04-10 · Parties: Garante per la protezione dei dati personali (Italian DPA); Luka Inc. (US-based provider of the Replika chatbot)

Liability locus: Deployer-carried. the organisation that deployed the agent answers for its output.

Legal analysis by Michael K. Onyekwere, CIPP/E · Janus Compliance · Published 2026-07-11 · Last reviewed 2026-07-11. Analysis of public facts. Not legal advice.

Share this AIR-2026-006 profile:Share on XBluesky

What happened

On 10 April 2025 the Italian data protection authority (the Garante) adopted provvedimento n. 232, fining Luka Inc., the US company behind the "AI companion" chatbot Replika, €5 million. The Garante announced the decision on 19 May 2025. It was the Authority's second intervention against the service: on 2 February 2023 it had ordered an urgent limitation of Replika's processing of Italian users' data, citing risks to children, and the 2025 decision assesses Luka's compliance as it stood on that date.

Replika is marketed as an emotional-support companion: users hold ongoing, often intimate, conversations with a persistent AI persona. To run that, Luka processes a continuous stream of personal data, and the conversations routinely include relationship, sexual, and mental-health content. Luka is established in the United States and offered the service to users in Italy.

The Garante found three core failures. First, Luka had not identified a valid legal basis for its processing. The privacy policy gestured at contract, consent, and a catch-all "otherwise authorised under data protection law", without tying any basis to any specific processing operation, and the notice was inadequate in several further respects. Legitimate interest surfaced only later, in the impact assessment Luka produced in May 2023, as the claimed basis for model development. Second, the information given to users did not meet the transparency standard: it did not clearly explain the purposes or the legal bases, and the Authority noted it did not distinguish the two different kinds of processing at work, running the chatbot conversation and developing the underlying model. Third, despite stating that the service was for adults only, Luka had implemented no age-verification mechanism. Registration asked only for a name, email, and gender, and a user who declared they were under 18 was not actually prevented from using the service.

The €5 million penalty was the headline. The Authority then added a second act: it expressly reserved, for a separate and autonomous proceeding, the question of whether the processing used to train the generative-AI model underlying Replika was lawful across the model's entire lifecycle.

The duty engaged

This is a pure data-protection entry, and it is useful precisely because the regulator has already named the duties.

Legal basis (Articles 5(1)(a) and 6). Every processing operation needs a lawful basis, identified before it starts. The Garante's finding is the one AI builders most underestimate: a privacy policy that scatters possible bases — here contract, consent, and a catch-all "otherwise authorised by law" — without saying which applies to which operation does not identify a legal basis at all. For an AI companion the operations are plural. Running the conversation is one; using those conversations to improve or train the model is a different one that needs its own basis. Luka had mapped neither.

Transparency (Articles 5(1)(a), 12, 13). Users have to be told, clearly and before processing, what is done with their data and why. A notice available only in English, vague on purposes, and silent on the training-versus-conversation distinction fails Articles 12 and 13. Transparency does real work here: a user cannot exercise a right they do not know they have.

Minimisation, accountability, and data protection by design (Articles 5(1)(c), 24, 25(1)). Article 25 requires privacy to be built into the design of the processing. A service aimed, on paper, at adults that collects intimate data with no age gate and no basis is the textbook by-design failure. The controls were never built into the architecture in the first place.

The minors dimension. The absence of age verification is what raises this above a paperwork case. An emotional companion any child can reach, processing their most sensitive disclosures with no lawful basis, is the harm the GDPR's heightened protections for children exist to prevent.

The liability chain

The allocation here is unusually clean, which is what makes it good teaching material.

Luka Inc. carries it, as controller. Luka determined the purposes and means of the processing, so it is the data controller, and the controller answers under Article 24. There is no deploying customer to share the load and no processor to point at. Luka builds the model, runs the service, and collects the data directly from consumers. When the maker of an AI is also the operator of the consumer service, the provider and the deployer are the same entity, and the liability does not divide. That is the lesson for any company shipping a first-party AI product straight to users: you are the controller for the whole of the processing, service and model alike. (The register tags this entry deployer because Luka operated the consumer service, and the operation is where these duties bit — even though it is also the model's maker.)

Territorial reach. Luka is US-based, but it offered the service to people in Italy, which brought it within the GDPR's territorial scope under Article 3(2). "We are a US company" is not a defence to processing the data of people in the EU.

The part still open. The Garante deliberately split off the training question, and that signals where enforcement is heading. The lawful basis for reusing conversation data to train the model is a distinct, harder question than the basis for running the chat, and regulators are now pursuing it on its own track. An operator that has fixed its consumer-facing notice has not necessarily fixed its training-data basis. The Garante is already walking that road: on 3 July 2026 it fined Character Technologies, the US company behind Character.AI, €158,000, including a finding that it had failed to inform users their data was used to pre-train the underlying model.

What would have prevented it

Mapped controls

Sources

Corrections


Cite this entry as AIR-2026-006 (https://companyscope.io/register/air-2026-006). Entry IDs are stable; corrections publish as dated addenda on this page.

Share this AIR-2026-006 profile:Share on XBluesky

Talk to Michael about your agent deployment — or your AI vendor governance more broadly

CompanyScope's public profiles cover the general picture. Michael runs Janus DPO-as-a-Service for businesses that need ongoing AI vendor governance, and writes one-off CIPP/E-reviewed Vendor Risk Notes for specific procurement decisions. Tell him what you're actually trying to clear.

A sentence or two is plenty.

Your context goes only to Michael. We don't share with the vendor or anyone else. Privacy notice.

Subscribe to the AI Agent Incident Register

Every new Register entry delivered with the legal analysis: the incident, the duty engaged, who is liable across the chain, and what governance would have prevented it. Written by Michael K. Onyekwere, CIPP/E. Free.

Subscribe — free

Delivered via Compliance Engineering on Substack, which handles your subscription and consent. Unsubscribe any time. Privacy notice.

This analysis is the work Janus Compliance does for clients before the incident. For a fixed-scope read of your own EU AI Act Article 50 exposure, see the Article 50 teardown; for ongoing agent governance, Janus DPO-as-a-Service. Browse the full register or the vendor compliance index.