On May 28, 2026, the full reasoning of the Court of Rome's judgment annulling Italy's €15 million GDPR fine against OpenAI became public — and it confirmed that Europe's single completed generative-AI privacy enforcement action fell not on its merits, but on a question of competence. The court held that the Italian data protection authority, the Garante, lost the power to sanction OpenAI once Ireland's Data Protection Commission was recognized as OpenAI's lead supervisory authority under the GDPR's one-stop-shop mechanism. The substantive allegations — training ChatGPT without a valid legal basis, transparency failures, no age verification, an unreported 2023 breach — were never tested.
What the court actually decided
The Garante's Decision No. 755, announced on December 20, 2024, fined OpenAI €15 million and ordered a six-month media campaign to inform Italians how their data is used (garanteprivacy.it). OpenAI appealed, and the Court of Rome ruled in its favor in March 2026.
The timeline is the whole case. ChatGPT launched in November 2022 with OpenAI holding no EU establishment, so the one-stop-shop did not apply and any national authority could act — which is how the Garante acquired jurisdiction. OpenAI then incorporated OpenAI Ireland Limited, and on February 15, 2024, the Irish DPC was recognized as its single EEA establishment and lead authority. That was months before the Garante issued its final fine. Reading Article 56(1) GDPR, the court concluded that once a lead authority exists, exclusive competence over cross-border processing transfers to it — even mid-proceeding, so long as no final decision has issued (European Law Blog). The Garante, the court found, was acting outside its competence by the time it ruled.
The strongest case for the regulators
The Garante's critics should concede two things. First, the underlying concerns were serious and specific, not a fishing expedition: a model trained on the personal data of millions of Europeans with no articulated legal basis, marketed to the public without meaningful age gating. Second, the structural worry the annulment exposes is real. As the European Law Blog authors put it, a provider can now "enter with no establishment, absorb provisional measures during launch, then establish later and relocate pending sanctions toward a forum of choice." Conduct completed before any EU establishment existed can become unenforceable if competence retroactively shifts to a newly minted lead authority with no genuine connection to that earlier conduct. That is a coherent description of an accountability gap, and it deserves to be taken seriously rather than waved away as corporate gamesmanship.
Why the one-stop-shop is still the right architecture
The temptation now is to read the ruling as proof that the one-stop-shop coddles large platforms and that 27 national regulators should be free to pursue parallel actions. That would be the wrong lesson. The one-stop-shop exists precisely to give cross-border businesses a single accountable supervisor instead of facing 27 simultaneous, potentially contradictory proceedings over the same processing. For an open internet, that legal certainty is not a loophole — it is the feature that lets a startup deploy across the single market without first mapping the enforcement appetite of every member state. Reviving fragmented national enforcement would chill exactly the cross-border deployment the EU says it wants, while doing little to improve the quality of accountability.
The court, on this reading, applied the law correctly. The problem is not that competence consolidated in Ireland; it is that the GDPR never clearly resolved what happens to conduct and proceedings that predate an establishment. That is a drafting gap, and drafting gaps are fixed by drafters, not by inviting every authority to grab jurisdiction before a company can regularize its EU footprint.
The fix is structural, not a return to free-for-all
The more honest verdict is that European authorities produced a single final decision on the most consequential AI deployment in the bloc's history, and that decision is now annulled (Cross-Border Data Forum). The EDPB's ChatGPT Taskforce, convened across every supervisory authority, delivered only preliminary views in its May 2024 report and no coordinated enforcement followed (EDPB). Guidance proliferated; penalties did not.
Closing the gap should mean clarifying Article 56's temporal scope so that competence over pre-establishment conduct does not silently evaporate, and strengthening the Article 60–65 cooperation machinery so a lead authority that inherits a live file is obligated to carry it forward rather than letting it lapse. The EU AI Act, now phasing in, adds a transparency-and-accountability layer aimed squarely at general-purpose models — a more tailored instrument for algorithmic accountability than retrofitted data-protection fines.
The Court of Rome did not let OpenAI off on the merits, and nothing stops Ireland from picking up the substance. Whether it does is the real test. An enforcement regime that depends on a single word in a competence clause is one EU lawmakers, not 27 regulators racing for jurisdiction, should repair.