Hundreds of millions of people now confide in AI chatbots as though the conversation were private. In law, it is not. The concluding part of our consumer-AI privacy project follows a single conversation into the four places it can surface, a police referral, a government demand, a courtroom and a data breach, and asks what providers and regulators should do, including whether confidentiality can be built into the architecture itself.

The Court of Rome has annulled the only GDPR fine ever imposed on a generative-AI launch, holding that Italy’s Garante lost competence once OpenAI’s Irish establishment was recognised. A launch-period enforcement gap, and perhaps a question for the Court of Justice.

Meta’s new Incognito Chat with Meta AI is the first mass-market deployment of a chatbot the provider cannot read. We examine the architecture, the moderation trade-off, the liability consequence, and what it means for the Going Dark debate

The health agent rush may be the most consequential AI development of 2026. Yet, it has not received serious academic or regulatory attention. Until now.

Hundreds of millions of people confide their most intimate secrets to AI chatbots every day. The interface invites intimacy; the fine print reserves broad rights most users will never read. This first-of-its-kind study maps what really happens to your words across ChatGPT, Gemini, Claude, Grok, and DeepSeek. Read more

In his article published by the IAPP, Professor Christakis examines the “China data question” in greater depth, focusing on direct data collection, open-source deployment, and the limits of extraterritorial enforcement under EU law.

One year after “AI’s Sputnik moment,” the global regulatory response to DeepSeek has produced a starkly bifurcated outcome: constrained in the West, yet surging 960% worldwide. This comprehensive study documents the regulatory storm, unpacks the legal concerns, and confronts an uncomfortable truth about the limits of extraterritorial enforcement.

The French data protection authority (CNIL) published two new practical fact sheets designed to help actors developing AI systems to comply with the GDPR. The CNIL shares its recommendations on the use of legitimate interest as a legal basis for the development of AI systems and focuses on the collection of data through web scraping.  

This article examines the intersection of biometric data and facial recognition in the EU, highlighting the legal and cybersecurity frameworks that shape their use. Drawing on GDPR requirements and current debates on ethical deployment, it explores how EU regulations seek to balance innovation with the protection of privacy and fundamental rights.

Insights on how GDPR should adapt to the rise of Generative AI as host Sergio Maldonado interviews Professor Theodore Christakis, director of the MIAI AI-Regulation Chair. They examine the EDPB’s latest Opinion, the DeepSeek case, the challenge of AI “hallucinations,” and the future of AI governance.

The Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority, recently published two recommendations to support innovation in the field of artificial intelligence (AI) in accordance with the General Data Protection Regulation (GDPR). It adopts a didactic approach, issuing recommendations, best practice and explanations on how to apply the principles of the GDPR in the context of AI.

The Information Commissioner’s Office (ICO) has published its final response to the public consultation on the application of UK data protection law to generative AI (GAI). The response marks the culmination of an extensive consultation process aimed at clarifying key data protection principles in the context of generative AI systems.