Enforcement tracker: AI & privacy in practice
A running overview of enforcement and case law on AI and data processing in Europe. Real AI Act enforcement is just beginning; most cases still run through the GDPR applied to AI systems. Every case is traceable to its primary source.
| Date | Party | Authority | Framework | Outcome | Source |
|---|---|---|---|---|---|
| Nov 2025 | Digital Omnibus โ high-risk deferralCommission proposal (19 Nov 2025) to move the application date of the high-risk obligations (Annex III) from 2 August 2026 to 2 December 2027 (Annex I products to 2 August 2028). A simplification, still in the legislative process. | European CommissionEU | AI Act | Proposal: deferral to 2 Dec 2027 | Source → |
| Jul 2025 | GPAI Code of PracticeVoluntary code of practice for providers of general-purpose AI models (Art. 53/55), with three chapters: transparency, copyright and safety/security. Signatories (incl. Anthropic, Google, Microsoft, OpenAI, IBM) use it to demonstrate compliance; Meta did not sign. | AI Office / European CommissionEU | AI Act | Code of practice (voluntary) | Source → |
| Feb 2025 | Guidelines on prohibited AI practicesThe Commission's official guidance on the prohibited practices (Art. 5): manipulation, exploitation of vulnerabilities, social scoring, untargeted facial scraping, emotion recognition at work/education, biometric categorisation and certain real-time biometric identification. Non-binding; the CJEU has the final say. | European CommissionEU | AI Act | Guidance (non-binding) | Source → |
| Feb 2025 | Prohibition (no formal case yet)The ban on AI emotion recognition in the workplace and education applies since 2 February 2025 (Art. 5 AI Act). Enforcement is still nascent โ no major formal case yet. Fines for prohibited practices are the highest in the regulation. | EC / national authoritiesEU | AI Act | up to โฌ35M or 7% of turnover | Source → |
| Dec 2024 | OpenAI (ChatGPT)ChatGPT trained on personal data without a valid legal basis, breach of transparency duties, failure to report a data breach (March 2023) and missing age verification. | Garante (IT)Italy | GDPR | โฌ15M + awareness campaign | Source → |
| Sep 2024 | Clearview AIUnlawful database of billions of facial images scraped from the internet for facial recognition, without a valid legal basis; processing of biometric personal data. | Dutch DPA (AP)Netherlands | GDPR | โฌ30.5M fine | Source → |
| Dec 2021 | BelastingdienstYears of unlawful and discriminatory processing of applicants' (dual) nationality for childcare benefits; nationality wrongly used as a risk indicator. | Dutch DPA (AP)Netherlands | GDPR | โฌ2.75M fine | Source → |
| Feb 2020 | SyRI (Nederlandse staat)The SyRI welfare-fraud risk system breaches Article 8 ECHR: insufficiently transparent and not proportionate. Use prohibited. | District Court of The HagueNetherlands | ECHR | Legislation struck down (no fine) | Source → |
Factual analysis, not legal advice. Amounts and dates per the cited primary source.