Hundreds of millions of people now confide in AI chatbots as though the conversation were private. In law, it is not. The concluding part of our consumer-AI privacy project follows a single conversation into the four places it can surface, a police referral, a government demand, a courtroom and a data breach, and asks what providers and regulators should do, including whether confidentiality can be built into the architecture itself.

The Court of Rome has annulled the only GDPR fine ever imposed on a generative-AI launch, holding that Italy’s Garante lost competence once OpenAI’s Irish establishment was recognised. A launch-period enforcement gap, and perhaps a question for the Court of Justice.

Discover how the forthcoming Europol reform is transforming the agency into an AI-enabled, infrastructure-driven model for European law enforcement, balancing operational integration with constitutional limits.

Meta’s new Incognito Chat with Meta AI is the first mass-market deployment of a chatbot the provider cannot read. We examine the architecture, the moderation trade-off, the liability consequence, and what it means for the Going Dark debate

The health agent rush may be the most consequential AI development of 2026. Yet, it has not received serious academic or regulatory attention. Until now.

Hundreds of millions of people confide their most intimate secrets to AI chatbots every day. The interface invites intimacy; the fine print reserves broad rights most users will never read. This first-of-its-kind study maps what really happens to your words across ChatGPT, Gemini, Claude, Grok, and DeepSeek. Read more

On February 11, 2026, the German Cabinet approved the German AI Draft Bill entitled ‘Gesetz zur Durchführung der Verordnung über künstliche Intelligenz’ (Law on the Implementation of the Regulation on Artificial Intelligence) to implement the EU AI Act in Germany. It regulates the national competent authorities, organises measures to promote innovation and the penalty regime, and specifies the amendments to be made to German law.

In his article published by the IAPP, Professor Christakis examines the “China data question” in greater depth, focusing on direct data collection, open-source deployment, and the limits of extraterritorial enforcement under EU law.

France has opted, in its draft designation of market surveillance authorities, for a decentralised market surveillance organisation based on authorities already identified by operators, with coordination led by the Ministry of the Economy. Despite the publication of the draft designation of MSAs, progress in the implementation of the EU AI Act in France remains unclear and appears significantly delayed.

This study seeks to provide an overview of current progress in the designation of national competent authorities, and to analyse how national governance frameworks are being developed. The study shows that one week prior to the deadline, the majority of member states were behind schedule. A few draft governance frameworks, some of them unofficial, were announced. These present a centralised architecture for notifying authorities, but a fragmented one for market surveillance, with most authorities already identified.

On 8 May 2025, the Danish Parliament adopted a bill aimed at introducing additional provisions for the regulation of artificial intelligence in Denmark, in accordance with the EU AI Act. The text lays down the designation of national competent authorities and the penalties for violations of the EU AI Act, the law as well as related national legislation and implementing acts.

The French data protection authority (CNIL) published two new practical fact sheets designed to help actors developing AI systems to comply with the GDPR. The CNIL shares its recommendations on the use of legitimate interest as a legal basis for the development of AI systems and focuses on the collection of data through web scraping.