Hundreds of millions of people now confide in AI chatbots as though the conversation were private. In law, it is not. The concluding part of our consumer-AI privacy project follows a single conversation into the four places it can surface, a police referral, a government demand, a courtroom and a data breach, and asks what providers and regulators should do, including whether confidentiality can be built into the architecture itself.

The Court of Rome has annulled the only GDPR fine ever imposed on a generative-AI launch, holding that Italy’s Garante lost competence once OpenAI’s Irish establishment was recognised. A launch-period enforcement gap, and perhaps a question for the Court of Justice.

Discover how the forthcoming Europol reform is transforming the agency into an AI-enabled, infrastructure-driven model for European law enforcement, balancing operational integration with constitutional limits.

Meta’s new Incognito Chat with Meta AI is the first mass-market deployment of a chatbot the provider cannot read. We examine the architecture, the moderation trade-off, the liability consequence, and what it means for the Going Dark debate

The health agent rush may be the most consequential AI development of 2026. Yet, it has not received serious academic or regulatory attention. Until now.

Hundreds of millions of people confide their most intimate secrets to AI chatbots every day. The interface invites intimacy; the fine print reserves broad rights most users will never read. This first-of-its-kind study maps what really happens to your words across ChatGPT, Gemini, Claude, Grok, and DeepSeek. Read more

In his article published by the IAPP, Professor Christakis examines the “China data question” in greater depth, focusing on direct data collection, open-source deployment, and the limits of extraterritorial enforcement under EU law.

One year after “AI’s Sputnik moment,” the global regulatory response to DeepSeek has produced a starkly bifurcated outcome: constrained in the West, yet surging 960% worldwide. This comprehensive study documents the regulatory storm, unpacks the legal concerns, and confronts an uncomfortable truth about the limits of extraterritorial enforcement.

This study seeks to provide an overview of current progress in the designation of national competent authorities, and to analyse how national governance frameworks are being developed. The study shows that one week prior to the deadline, the majority of member states were behind schedule. A few draft governance frameworks, some of them unofficial, were announced. These present a centralised architecture for notifying authorities, but a fragmented one for market surveillance, with most authorities already identified.

How should Europe enforce data protection when AI chatbots operate across borders? In a notable move, Berlin’s Data Protection Authority invoked the Digital Services Act (DSA) Article 16 to ask Apple and Google to delist DeepSeek, the famous Chinese AI chatbot, over alleged GDPR-breaching transfers of EU users’ data to China. The request uses a tool designed for illegal online content to tackle a complex AI data-flow issue—raising big questions for AI governance.

How do the AI Act and DSA collide in shaping Europe’s AI future? This paper uncovers hidden gaps in systemic risk oversight, exposing costly “over-assessment” that stifles innovation. By calling for smarter, simplified regulation, it argues for a path that safeguards rights without derailing AI progress in the EU. The analysis offers a blueprint for balancing accountability with competitiveness in the digital era.

This analysis explores the EU AI Continent Action Plan’s approach to implementing the AI Act within a complex multi-level governance system. The paper assesses how simplification efforts can influence consistency, legal clarity, and the broader goal of establishing Europe as a global AI leader.