The Italian data protection authority (DPA) shut down ChatGPT in the country, alleging the artificial intelligence (AI) chatbot violates European Union privacy laws and has no controls to stop it interacting inappropriately with young children.

Garante ordered OpenAI, the U.S.-based developer of the chatbot, to cease processing the data of Italian citizens while it investigates the company’s activities in the country. ChatGPT, launched in November, is programmed to hold conversations and answer questions about thousands of topics.

“[T]here appears to be no legal basis underpinning the massive collection and processing of personal data in order to ‘train’ the algorithms on which the platform relies,” Garante said in a translated press release Friday.

ChatGPT doesn’t impose any age verification on users, despite being designed for people older than 13 years, the DPA said. This “exposes children to receiving responses that are absolutely inappropriate to their age and awareness,” the regulator said.

Garante also cited a data breach ChatGPT experienced last month believed to have compromised subscribers’ payment information and conversations.

OpenAI must respond to the DPA’s concerns within 20 days or face a potential fine of up to 20 million euros (U.S. $21.8 million) or 4 percent of annual turnover under the General Data Protection Regulation (GDPR).

OpenAI posted a letter to users in Italy saying it would offer refunds to subscribers and temporarily halt any new subscriptions or renewals in the country, according to a report from TechCrunch.

“We of course defer to the Italian government and have ceased offering ChatGPT in Italy (though we think we are following all privacy laws),” said OpenAI Chief Executive Sam Altman on Twitter.

ChatGPT is also banned in China, Iran, North Korea, and Russia.