AIR-2026-006 · AI Agent Incident Register
Garante v Luka: Italy's €5M fine on the Replika chatbot for processing without a legal basis
Incident: 2025-04-10 · Parties: Garante per la protezione dei dati personali (Italian DPA); Luka Inc. (US-based provider of the Replika chatbot)
Liability locus: Deployer-carried. the organisation that deployed the agent answers for its output.
Legal analysis by Michael K. Onyekwere, CIPP/E · Janus Compliance · Published 2026-07-11 · Last reviewed 2026-07-11. Analysis of public facts. Not legal advice.
What happened
On 10 April 2025 the Italian data protection authority (the Garante) adopted provvedimento n. 232, fining Luka Inc., the US company behind the "AI companion" chatbot Replika, €5 million. The Garante announced the decision on 19 May 2025. It was the Authority's second intervention against the service: on 2 February 2023 it had ordered an urgent limitation of Replika's processing of Italian users' data, citing risks to children, and the 2025 decision assesses Luka's compliance as it stood on that date.
Replika is marketed as an emotional-support companion: users hold ongoing, often intimate, conversations with a persistent AI persona. To run that, Luka processes a continuous stream of personal data, and the conversations routinely include relationship, sexual, and mental-health content. Luka is established in the United States and offered the service to users in Italy.
The Garante found three core failures. First, Luka had not identified a valid legal basis for its processing. The privacy policy gestured at contract, consent, and a catch-all "otherwise authorised under data protection law", without tying any basis to any specific processing operation, and the notice was inadequate in several further respects. Legitimate interest surfaced only later, in the impact assessment Luka produced in May 2023, as the claimed basis for model development. Second, the information given to users did not meet the transparency standard: it did not clearly explain the purposes or the legal bases, and the Authority noted it did not distinguish the two different kinds of processing at work, running the chatbot conversation and developing the underlying model. Third, despite stating that the service was for adults only, Luka had implemented no age-verification mechanism. Registration asked only for a name, email, and gender, and a user who declared they were under 18 was not actually prevented from using the service.
The €5 million penalty was the headline. The Authority then added a second act: it expressly reserved, for a separate and autonomous proceeding, the question of whether the processing used to train the generative-AI model underlying Replika was lawful across the model's entire lifecycle.
The duty engaged
This is a pure data-protection entry, and it is useful precisely because the regulator has already named the duties.
Legal basis (Articles 5(1)(a) and 6). Every processing operation needs a lawful basis, identified before it starts. The Garante's finding is the one AI builders most underestimate: a privacy policy that scatters possible bases — here contract, consent, and a catch-all "otherwise authorised by law" — without saying which applies to which operation does not identify a legal basis at all. For an AI companion the operations are plural. Running the conversation is one; using those conversations to improve or train the model is a different one that needs its own basis. Luka had mapped neither.
Transparency (Articles 5(1)(a), 12, 13). Users have to be told, clearly and before processing, what is done with their data and why. A notice available only in English, vague on purposes, and silent on the training-versus-conversation distinction fails Articles 12 and 13. Transparency does real work here: a user cannot exercise a right they do not know they have.
Minimisation, accountability, and data protection by design (Articles 5(1)(c), 24, 25(1)). Article 25 requires privacy to be built into the design of the processing. A service aimed, on paper, at adults that collects intimate data with no age gate and no basis is the textbook by-design failure. The controls were never built into the architecture in the first place.
The minors dimension. The absence of age verification is what raises this above a paperwork case. An emotional companion any child can reach, processing their most sensitive disclosures with no lawful basis, is the harm the GDPR's heightened protections for children exist to prevent.
The liability chain
The allocation here is unusually clean, which is what makes it good teaching material.
Luka Inc. carries it, as controller. Luka determined the purposes and means of the processing, so it is the data controller, and the controller answers under Article 24. There is no deploying customer to share the load and no processor to point at. Luka builds the model, runs the service, and collects the data directly from consumers. When the maker of an AI is also the operator of the consumer service, the provider and the deployer are the same entity, and the liability does not divide. That is the lesson for any company shipping a first-party AI product straight to users: you are the controller for the whole of the processing, service and model alike. (The register tags this entry deployer because Luka operated the consumer service, and the operation is where these duties bit — even though it is also the model's maker.)
Territorial reach. Luka is US-based, but it offered the service to people in Italy, which brought it within the GDPR's territorial scope under Article 3(2). "We are a US company" is not a defence to processing the data of people in the EU.
The part still open. The Garante deliberately split off the training question, and that signals where enforcement is heading. The lawful basis for reusing conversation data to train the model is a distinct, harder question than the basis for running the chat, and regulators are now pursuing it on its own track. An operator that has fixed its consumer-facing notice has not necessarily fixed its training-data basis. The Garante is already walking that road: on 3 July 2026 it fined Character Technologies, the US company behind Character.AI, €158,000, including a finding that it had failed to inform users their data was used to pre-train the underlying model.
What would have prevented it
- Map every processing operation to a named legal basis before launch. List them out: account operation, conversation delivery, model training, analytics. Each gets its own Article 6 basis, in writing. A blanket clause listing every basis the GDPR might offer identifies none of them.
- Separate the training basis from the service basis, explicitly. Tell users, in the notice, that conversation data may be used to develop the model, and identify the basis for that operation specifically. It is the one regulators are now targeting.
- Build the age gate into the architecture. If the service excludes minors, a self-declared checkbox does nothing; age assurance proportionate to the risk, and for intimate-companion AI the risk is high, has to be a technical barrier.
- Write the notice for the audience. Plain language, in the users' language, covering purposes and bases. Transparency is the precondition for every other right.
- Run a DPIA before launch and act on it. Intimate data, vulnerable users, possible access by children, and model training together make a DPIA mandatory under Article 35, and its whole purpose is to catch these gaps before launch. Luka produced one only after the Garante had moved, and could not show it predated the processing; the Authority held it could neither prove pre-launch analysis nor substitute for the notice.
Mapped controls
- NIST AI RMF: primarily a GOVERN failure. The lawful-basis, transparency, and age-assurance controls were never established as policy. Secondarily a MAP failure, in not recognising that processing to train the model was a distinct, higher-risk operation from processing to run the conversation.
- Singapore IMDA Model AI Governance Framework for Agentic AI (v1.5, May 2026): a partial fit, flagged as such: the nearest of its four dimensions is "Enable end-user responsibility" — users given clear information about what the agent does with their data, the same transparency gap the Garante found. The lawful-basis failure sits in data-protection law, which no agentic-security framework indexes; covering that gap is what this register's legal layer is for.
- The general rule the decision stands for: a consumer-AI operator is the controller for everything its model processes, and running the conversation and training the model are two operations that need two separate legal bases. It is the register's first showing of what crystallised liability looks like as an actual penalty, alongside the professional-accountability line in Ayinde and the tribunal allocation in Moffatt.
Sources
- Garante per la protezione dei dati personali, provvedimento n. 232 of 10 April 2025 against Luka Inc. (docweb 10130115) — the decision text; finds violations of Articles 5(1)(a), 5(1)(c), 6, 12, 13, 24 and 25(1) GDPR, assessed as at 2 February 2023; the published text redacts the sanction figure — checked 11 July 2026 [primary]
- Garante press release, "AI: Il Garante sanziona la società che gestisce il chatbot 'Replika'", 19 May 2025 (docweb 10132048) — states the €5 million fine — checked 11 July 2026 [primary]
- Garante, urgent limitation of processing against Luka Inc., 2 February 2023 (docweb 9852214) — the earlier order whose date fixes the assessment point — checked 11 July 2026 [primary]
- European Data Protection Board, "AI: the Italian Supervisory Authority fines company behind chatbot 'Replika'" (national news) — checked 1 July 2026; URL verified 11 July 2026 [corroborating]
- Garante, provvedimento of 3 July 2026 against Character Technologies Inc. (docweb 10269571) — the Character.AI decision cited in "The part still open", including the Article 14 pre-training-transparency finding; the €158,000 figure is in the press release of 9 July 2026 (docweb 10269594) — checked 11 July 2026 [primary]
Corrections
- 11 July 2026 (same day as publication, following the full post-publication audit): the description of Luka's privacy policy previously said it gestured at "contract, consent, and legitimate interest"; the policy the Garante assessed invoked contract, consent, and a catch-all "otherwise authorised under data protection law" — legitimate interest appeared only later, in Luka's May 2023 impact assessment, as the claimed basis for model development. The share-text hook was also tightened: the decision establishes the absence of any age barrier, and the entry should not imply a finding that minors' data was in fact collected. Both corrected against the provvedimento.
Cite this entry as AIR-2026-006 (https://companyscope.io/register/air-2026-006). Entry IDs are stable; corrections publish as dated addenda on this page.
Talk to Michael about your agent deployment — or your AI vendor governance more broadly
CompanyScope's public profiles cover the general picture. Michael runs Janus DPO-as-a-Service for businesses that need ongoing AI vendor governance, and writes one-off CIPP/E-reviewed Vendor Risk Notes for specific procurement decisions. Tell him what you're actually trying to clear.
Your context goes only to Michael. We don't share with the vendor or anyone else. Privacy notice.
Subscribe to the AI Agent Incident Register
Every new Register entry delivered with the legal analysis: the incident, the duty engaged, who is liable across the chain, and what governance would have prevented it. Written by Michael K. Onyekwere, CIPP/E. Free.
Subscribe — freeDelivered via Compliance Engineering on Substack, which handles your subscription and consent. Unsubscribe any time. Privacy notice.
This analysis is the work Janus Compliance does for clients before the incident. For a fixed-scope read of your own EU AI Act Article 50 exposure, see the Article 50 teardown; for ongoing agent governance, Janus DPO-as-a-Service. Browse the full register or the vendor compliance index.