Research ReportPublished April 2026v1.0

    EU AI Enforcement and Regulatory Case Database 2026

    Public EU AI enforcement actions, court rulings, regulatory cases, biometric sanctions, generative AI investigations, and automated decision-making precedents through April 2026

    Authors:
    Linus Ingemarsson(Co-Founder, Alice Labs)
    27
    Public case rows
    2019-2025 actions
    80
    Public sources
    Regulators, courts, EU bodies
    EUR 90M+
    Clearview penalties
    Cross-border biometric line
    2
    Core CJEU anchors
    SCHUFA + Dun & Bradstreet
    Linus Ingemarsson - Author at Alice Labs
    Written by
    Eric Lundberg - Reviewer at Alice Labs
    Reviewed by
    Published

    Experimental AI Research (Beta): This report was generated with AI assistance as part of our ongoing exploration of AI-powered research and analysis. The content has been reviewed and edited by humans, but may contain errors or inaccuracies.

    Please verify critical data points independently. All claims cite public sources for transparency and reproducibility. This is not peer-reviewed academic research – treat findings as exploratory insights requiring further validation.

    Cite This Report

    Ingemarsson, L. (2026, April 23). EU AI Enforcement and Regulatory Case Database 2026 (Version 1.0). Alice Labs. https://alicelabs.ai/reports/eu-ai-enforcement-regulatory-case-database
    Version 1.0 • Published April 23, 2026
    Quick Answer

    What does the EU AI enforcement record show in 2026?

    EU AI enforcement is already real, but it is not yet mainly AI Act penalty enforcement. As of April 2026, public cases are dominated by GDPR, courts, labour, consumer, competition, and public-sector law, with Clearview, Italy's Garante, SCHUFA, Dun & Bradstreet, Foodinho, Deliveroo, BriefCam, and AEPD biometric proctoring as key citation anchors.
    AT A GLANCEUpdated 2026-04-23

    The EU AI Enforcement and Regulatory Case Database 2026 tracks 27 public case rows and 80 public sources across AI-related enforcement, court rulings, compliance orders, interim measures, and public investigations. The central finding: AI enforcement is already active in Europe, but the public record is still mostly a GDPR-era and court-led record, not a mature AI Act penalty record.

    Key Takeaway

    The strongest sanction pattern concerns facial recognition and scraping-based biometric databases, especially Clearview actions in Italy, Greece, France, Austria, and the Netherlands. The richest public generative-AI sequence is in Italy, covering Replika, ChatGPT, DeepSeek, Foodinho, Deliveroo, Meta AI, and NOVA AI. The most important court anchors are SCHUFA and Dun & Bradstreet Austria, which strengthen transparency, explanation, and contestability duties for automated scoring.

    Limitation: this is a public-record database. It excludes unpublished complaints, rumors, private settlements, and confidential investigations. Authorities that publish more detailed case material appear more active than authorities with lower publication transparency.

    Executive Summary

    EU AI enforcement in 2026 is best understood as a cross-regulatory stack. The public record through 21 April 2026 shows that AI-related enforcement is already substantial, but it is not yet mainly AI Act penalty enforcement. Instead, regulators and courts are using GDPR, labour law, consumer law, competition law, administrative law, and automated-decision case law to police AI systems, biometric tools, generative models, worker-management platforms, and public-sector scoring systems.

    The most mature cross-border sanction line is Clearview AI. Italy, Greece, France, Austria, and the Netherlands all produced public actions involving facial recognition, scraping, biometric data, absent legal basis, transparency failures, erasure rights, and EU representative obligations. The Netherlands imposed a EUR 30.5m fine; Italy, Greece, and France each reached EUR 20m; France later imposed a EUR 5.2m penalty payment. This is the clearest European enforcement archetype for biometric scraping.

    The most visible generative-AI enforcement sequence is in Italy. Garante actions targeted Replika, ChatGPT, and DeepSeek; AGCM actions targeted Meta AI / WhatsApp distribution and NOVA AI hallucination disclosure. These cases show that generative AI risk is being addressed through data protection, age assurance, transparency, lawful basis, consumer disclosure, competition, and platform-access rules before mature AI Act penalties dominate the record.

    The most important court line is automated decision-making. In SCHUFA, the CJEU treated score generation as potentially automated individual decision-making where third parties rely heavily on it. In Dun & Bradstreet Austria, the Court strengthened explanation rights by requiring information sufficient for data subjects to understand and challenge automated outcomes. These rulings materially shape AI-assisted credit, eligibility, scoring, and public-sector risk models.

    Related Alice Labs research: EU AI Act Implementation Tracker 2026, Global AI Governance & Risk Readiness 2026, EU AI Infrastructure & Compute Capacity 2026.

    Key Findings

    12 data-driven insights

    01The EU public AI enforcement record is still primarily a GDPR-era record

    27 public case rows; AI Act public penalty practice not yet mature by 21 Apr 2026

    Do not wait for AI Act fines. Existing privacy, labour, consumer, competition, and court rules already create concrete exposure.

    02Clearview is the clearest cross-border EU biometric enforcement archetype

    IT EUR 20m, GR EUR 20m, FR EUR 20m + EUR 5.2m penalty, NL EUR 30.5m, AT erasure + EU representative order

    Scraping-based facial recognition is the most clearly sanctioned AI subdomain in the public record.

    03Italy is the most visible early public enforcer of generative AI

    Public actions involving Replika, ChatGPT, DeepSeek, Meta AI, NOVA AI, Foodinho, Deliveroo

    Italy should be treated as a lead jurisdiction for monitoring AI enforcement sequencing.

    04SCHUFA and Dun & Bradstreet are central AI-adjacent court anchors

    CJEU rulings on Article 22 automated scoring and Article 15 explanation rights

    AI-assisted credit, eligibility, and risk scoring systems need contestability and intelligible explanation design.

    05Worker-management AI is enforceable before full AI Act high-risk rules apply

    Foodinho and Deliveroo: opaque ranking, profiling, geolocation, biometric verification

    Employment and platform-work AI should be governed now, not deferred to August 2026.

    06Public-sector and education AI use remains high-risk in practice

    SyRI, Swedish school facial recognition, AEPD biometric exam proctoring, CNIL BriefCam notices

    Public authorities need legal-basis, proportionality, explainability, and biometric necessity analysis before deployment.

    07AI competition enforcement is emerging around distribution bottlenecks

    AGCM Meta AI / WhatsApp investigation, interim-measures procedure, suspension order

    AI law is not only model training and privacy; platform access, prominence, lock-in, and rival foreclosure matter.

    Source:AGCM

    08Consumer law can become AI law through hallucination and disclosure claims

    AGCM NOVA AI investigation into hallucination disclosure and service presentation

    AI providers need product-level disclosure of limitations, not only privacy notices.

    Source:AGCM

    09OpenAI Italy is important but procedurally unstable as a final citation anchor

    2024 EUR 15m fine announcement later affected by appeal-related decision removal

    Use the file as an enforcement signal, but flag contested status in legal memos.

    10AI Act governance is active, but public sanctions are still ahead

    AI Office, market surveillance authorities, fundamental-rights authorities, prohibited-practice and GPAI guidance

    The AI Act is reshaping supervision now; case law will likely compound with the GDPR record after 2 Aug 2026.

    11Most durable citation anchors are cross-domain

    Clearview, SCHUFA, Dun & Bradstreet, SyRI, Foodinho, Deliveroo, AEPD UIV, CNIL BriefCam

    The best compliance analysis should link privacy, labour, public law, consumer, and competition regimes.

    12Publication bias is structurally important

    Italy, France, Netherlands, Spain, Sweden, EDPB and CJEU publish more usable public material

    Case counts are not regulator productivity rankings; they are public-evidence counts.

    Source:Source registry review

    Need Help Implementing These Findings?

    Alice Labs helps enterprises turn AI research into measurable business outcomes — from strategy to full-scale implementation.

    Definitions: AI Enforcement as a Cross-Regulatory Stack

    An EU AI enforcement case database is a structured record of public regulatory and judicial actions involving AI systems, algorithmic decisions, biometric technologies, generative models, automated scoring, and AI-adjacent platform conduct. This report treats enforcement as a stack: AI Act governance plus GDPR, courts, labour law, consumer law, competition law, and public-sector legality.

    Term Canonical meaning
    AI system Machine-based system generating outputs such as predictions, content, recommendations, or decisions.
    Prohibited AI practice Article 5 AI Act use category forbidden because of unacceptable risk.
    GPAI model General-purpose AI model capable of serving many downstream systems; obligations applied from 2 Aug 2025.
    Market surveillance authority National body supervising AI Act compliance for AI systems.
    Automated individual decision-making Solely automated processing producing legal or similarly significant effects under GDPR Article 22.
    Biometric data Special-category personal data used for uniquely identifying a natural person.

    EU AI Enforcement Case Database Downloads

    The database compiles 27 public case rows and 80 source references across GDPR enforcement, biometric scraping, generative AI chatbots, algorithmic management, automated scoring, public-sector AI, consumer law, and competition law. Confidence is highest for final decisions, court rulings, and regulator-hosted source pages.

    27

    Case rows

    80

    Sources

    5

    Clearview jurisdictions

    2

    CJEU anchors

    Interpretation

    The dataset is conservative: it excludes unpublished complaints, rumors, private settlements, and confidential investigations. It distinguishes final decisions, interim measures, procedural openings, compliance steps, and appeal-affected matters.

    Case Database: 27 Public Rows and Enforcement Domains

    A row enters this database only if a public, attributable source shows a regulator, court, or authority took a concrete step: final decision, interim measure, announced investigation, compliance order, or authoritative judicial ruling. Guidance documents are used for context, not counted as case rows.

    Public AI Enforcement Cases by Domain

    Source: Alice Labs case coding from 27 public rows, accessed 2026-04-21.

    Public Case Rows by Action Year

    Case family Jurisdiction Domain Status / remedy
    Clearview line IT, GR, FR, AT, NL Facial recognition scraping EUR 90m+ public monetary penalties plus erasure/orders
    Garante GenAI line Italy Replika, ChatGPT, DeepSeek Emergency limits, final fine, block, contested OpenAI fine
    Algorithmic management Italy Foodinho, Deliveroo Fines, corrective measures, biometric ban, deletion orders
    Automated scoring EU / CJEU SCHUFA, Dun & Bradstreet Explanation and contestability duties strengthened
    Public sector / education NL, SE, FR, ES SyRI, school facial recognition, BriefCam, AI proctoring Unlawful framework, fines, notices, rejected legal basis
    Competition / consumer Italy Meta AI, NOVA AI Antitrust and consumer-law proceedings

    Clearview and the EU Biometric Enforcement Line

    The clearest cross-border sanction cluster concerns facial recognition and scraping-based biometric databases. Clearview generated repeated findings around unlawful data collection, lack of legal basis, biometric special-category data, deficient transparency, erasure rights, and EU representative obligations.

    Largest Public Monetary Penalties (EUR m)

    *OpenAI Italy is included as an enforcement signal but flagged as appeal-affected / contested in the database.

    The practical rule is simple: biometric identification at scale is the highest-enforcement-risk AI subdomain in the current public EU record. If a system scrapes faces, identifies people, monitors public spaces, or verifies identity biometrically, legal basis and proportionality analysis must be stronger than ordinary analytics controls.

    Generative AI: Replika, ChatGPT, DeepSeek, Meta AI

    Generative AI enforcement is visible but procedurally uneven. Replika produced an emergency stop, a final EUR 5m fine, and a new training-method investigation. ChatGPT produced temporary limitation, restoration after measures, a fine announcement, and an appeal-affected decision status. DeepSeek moved from information request to definitive limitation order within days in January 2025.

    Replika

    Minors, vulnerable users, legal basis, training-method scrutiny

    ChatGPT

    Transparency, lawful basis, rights, age-gating, contested fine

    DeepSeek

    Rapid inquiry-to-block sequence in Italy

    The lesson is that generative AI compliance cannot be reduced to AI Act classification. It must include privacy notices, lawful basis, children’s protection, data-subject rights, model limitation disclosure, and complaint handling.

    Automated Decision-Making: SCHUFA, Dun & Bradstreet, SyRI

    SCHUFA and Dun & Bradstreet Austria are the two most important EU court anchors for AI-adjacent scoring. They transform explanation and contestability from abstract fairness concepts into operational legal requirements for automated scores used in credit, eligibility, risk, or access decisions.

    Case Core point Compliance consequence
    SCHUFA (C-634/21) Automated score generation may itself be automated individual decision-making where third parties rely heavily on it. Vendors cannot hide behind customers if their score is practically determinative.
    Dun & Bradstreet Austria (C-203/22) Explanation must let the data subject understand and challenge the automated decision; mere algorithm disclosure is insufficient. Model documentation needs decision-level explanation, input-data logic, and challenge pathway.
    SyRI Opaque welfare-fraud risk scoring breached higher-law privacy requirements. Public-sector AI needs proportionality, transparency, and rights-impact controls.

    Enforcement Lanes: GDPR, Courts, Labour, Consumer, Competition

    AI regulation in practice is cross-regulatory long before it becomes AI-Act-only. The same deployment can trigger privacy, labour, consumer, competition, public-law, procurement, and fundamental-rights duties.

    Enforcement lane Dominant objects Representative actions Practical takeaway
    Data protection Biometric databases, chatbots, worker management, AI proctoring Clearview, ChatGPT, Replika, DeepSeek, Foodinho, Deliveroo, UIV Personal-data processing remains the most mature AI enforcement entry point.
    Judicial interpretation Scoring, explanation, public-sector risk systems SCHUFA, Dun & Bradstreet, SyRI Courts define lawful automated decision-making boundaries.
    Competition Chatbot distribution and platform access AGCM Meta AI / WhatsApp AI distribution can trigger pre-AI-Act competition intervention.
    Consumer law Hallucination disclosure and service presentation AGCM NOVA AI Model-limit disclosure can be a consumer-law issue.

    Citation-Ready Evidence and Research Questions

    This section is designed for citation extraction, legal memos, journalist sourcing, and research reuse. Treat records in four buckets differently: final decisions and judgments; interim measures; procedural openings; appeal-affected decisions.

    Citation-ready claim Evidence Confidence
    Facial recognition is the most clearly sanctioned AI subdomain in the public EU record Multi-country Clearview actions produced fines, deletion orders, bans, and representative obligations. High
    Existing law carries most public AI enforcement weight Live cases come from GDPR, courts, labour, competition, consumer and public law, while AI Act materials focus on governance setup. High
    Automated scoring faces stronger transparency pressure SCHUFA and Dun & Bradstreet strengthen Articles 15 and 22 GDPR interpretation. High
    Public-sector AI remains a strict-scrutiny zone SyRI, Swedish school facial recognition, BriefCam, and AEPD biometric proctoring all show risk. High
    AI platform distribution is an antitrust vector AGCM Meta AI / WhatsApp proceedings focus on integration, prominence, lock-in and rival exclusion. High

    Research questions and direct answers

    Research question Evidence-based answer Relevant section
    Has the EU AI Act produced mature public enforcement cases? Not yet in the reviewed public record; enforcement is mainly older-law based while AI Act supervision ramps up. Enforcement lanes
    Which EU regulator is most visible on generative AI? Italy's Garante, with Replika, ChatGPT and DeepSeek actions. Generative AI
    What are the main EU facial recognition AI cases? Clearview, Swedish school facial recognition, AEPD UIV biometric proctoring, CNIL BriefCam. Biometric line
    What does EU case law require for AI explanations? SCHUFA and Dun & Bradstreet require contestability and intelligible decision logic. Automated decision-making
    Can antitrust apply to AI chatbots? Yes. AGCM Meta AI / WhatsApp shows platform distribution can trigger competition intervention. Enforcement lanes

    Recommendations by Audience

    For compliance teams

    • Do not wait for AI Act penalties. Map AI systems against GDPR, labour, consumer, competition, public-law and AI Act duties now.
    • Flag biometric, worker-management, public-sector, scoring and child-facing systems as high-priority review zones.
    • Separate final decisions from procedural openings and appeal-affected actions when citing precedent.

    For regulators and policy teams

    • Build cross-regulatory coordination between market-surveillance authorities, DPAs, consumer bodies, competition authorities and fundamental-rights bodies.
    • Publish case metadata consistently: status, action type, remedy, legal basis, appeal state, and machine-readable source links.
    • Treat public case transparency as infrastructure for AI Act compliance.

    For researchers and journalists

    • Use Clearview, SCHUFA, Dun & Bradstreet, SyRI, Foodinho, Deliveroo, UIV and BriefCam as durable citation anchors.
    • Use OpenAI Italy carefully because the public file is procedurally unstable.
    • Update quarterly and ad hoc for major judgments, national sanctions, and first public AI Act penalty actions.

    Frequently Asked Questions

    Did the EU AI Act already produce mature public penalty practice by April 2026?+
    Not in the public record reviewed here. The visible 2025-2026 output is dominated by governance setup, guidelines, codes of practice, and authority identification, while the case record remains rooted in GDPR, courts, labour, consumer, competition, and administrative law.
    Which topic has the clearest cross-border AI enforcement pattern in Europe?+
    Facial recognition and scraping-based biometric databases, especially Clearview AI. Italy, Greece, France, Austria, and the Netherlands all produced public actions.
    Which country published the richest public generative AI record?+
    Italy. Public records include major actions involving Replika, ChatGPT, DeepSeek, Meta AI, NOVA AI, Foodinho, and Deliveroo.
    What are the two most important EU court rulings for AI-adjacent compliance?+
    SCHUFA on automated scoring under Article 22 GDPR and Dun & Bradstreet Austria on intelligible explanation and challenge rights under Articles 15 and 22 GDPR.
    Why is Clearview a canonical EU AI enforcement case?+
    Because it generated repeated cross-border findings on scraping, biometric identification, legal basis, transparency, erasure and representative obligations, including large fines and compliance orders.
    Is OpenAI Italy a clean final precedent?+
    No. It is important as an enforcement signal, but the 2024 fine announcement was later affected by appeal-related removal of the underlying decision. Cite with procedural caution.
    What does EU enforcement imply for AI vendors?+
    Vendors should build legal basis, transparency, data-subject rights, age safeguards, model limitation disclosure, explainability and contestability into products before sales, not after regulator contact.
    What does EU enforcement imply for deployers?+
    Deployers remain exposed when they use AI for workers, students, public services, scoring, biometric verification, or public-space analytics. Procurement should require evidence of compliance controls and appeal pathways.
    Can consumer law and competition law become AI law?+
    Yes. AGCM NOVA AI shows hallucination disclosure can be treated as consumer protection, while Meta AI / WhatsApp shows chatbot distribution can become an antitrust issue.
    How often should this database be updated?+
    Quarterly, with ad hoc updates for major court rulings, substantial national sanctions, and any first public AI Act penalty action.

    About the Authors & Reviewers

    Published
    Written by
    Linus Ingemarsson - Co-Founder, Alice Labs at Alice Labs
    Linus Ingemarsson

    Co-Founder, Alice Labs

    Co-Founder at Alice Labs. Author of 7 research reports on AI adoption, governance and labor markets cited across EU, OECD and US benchmarks.

    • 8+ years in AI strategy & implementation
    • Top-5 AI Speaker, Sweden (Mindley 2025)
    • 100+ enterprise AI engagements
    Reviewed by
    Eric Lundberg - Co-Founder, Alice Labs at Alice Labs
    Eric Lundberg

    Co-Founder, Alice Labs

    Co-Founder at Alice Labs. Builds AI automation, agent workflows and integration systems that hold up in real business operations.

    • AI automation & agent systems lead
    • Workflow design across 50+ deployments
    • Specialist in RAG, integrations & APIs
    Published
    Reviewed for technical accuracy, methodology and source integrity.·All claims trace to public sources cited in-line.

    Methodology

    100% desk research, no interviews, no proprietary surveys. The database includes only public, attributable sources showing concrete regulatory, administrative, or judicial action.

    80 public sources were reviewed, including EUR-Lex, European Commission pages, EDPB, national DPAs, AGCM, CJEU/CURIA, EUR-Lex judgments, national courts, and regulator press releases. Access baseline: 2026-04-21; publication date: 2026-04-23.

    Coding framework

    • Final: final adverse decision, judgment, or compliance order.
    • Interim: urgent measure, temporary limitation, or interim order.
    • Procedural: investigation opening, information request, statement of objections.
    • Contested: appeal-affected or procedurally unstable public file.

    Limitations

    • Publication bias: authorities with richer public records appear more active than authorities that publish less.
    • Not a complete complaint inventory: unpublished complaints, confidential investigations, private settlements and rumors are excluded.
    • Procedural posture matters: final decisions, interim measures, procedural openings, and appeal-affected decisions should not be cited with equal weight.
    • AI Act timing: prohibited-practice and GPAI obligations applied before publication, but most high-risk obligations apply from 2 Aug 2026. Mature AI Act penalty practice was not yet visible in the public record reviewed.
    • AI-assisted, human-reviewed: not peer-reviewed academic research. Verify critical legal points independently.

    Data Sources

    18 primary sources

    Source Description Accessed
    EUR-Lex — Regulation (EU) 2024/1689 Artificial Intelligence Act Legal baseline for AI Act governance and applicability. 2026-04-21
    European Commission — Governance and enforcement of the AI Act AI Office, market surveillance and enforcement architecture. 2026-04-21
    European Commission — GPAI obligations under the AI Act GPAI obligations and implementation timing. 2026-04-21
    EDPB — Italy Clearview AI EUR 20m fine Clearview biometric scraping enforcement line. 2026-04-21
    EDPB — Greece Clearview AI EUR 20m fine 2026-04-21
    EDPB — France Clearview AI EUR 20m fine 2026-04-21
    Autoriteit Persoonsgegevens — Dutch Clearview AI EUR 30.5m fine 2026-04-21
    Garante Privacy — ChatGPT temporary limitation 2026-04-21
    Garante Privacy — Replika final fine and investigation 2026-04-21
    Garante Privacy — DeepSeek limitation order 2026-04-21
    Garante Privacy — Foodinho algorithmic management order 2026-04-21
    Garante Privacy — Deliveroo Italy fine 2026-04-21
    CNIL — BriefCam public-sector video analytics compliance orders 2026-04-21
    AEPD — Biometric AI online university evaluation 2026-04-21
    CJEU — SCHUFA Holding C-634/21 2026-04-21
    EUR-Lex — Dun & Bradstreet Austria C-203/22 2026-04-21
    Rechtspraak — SyRI legislation ruling 2026-04-21
    AGCM — Meta AI / WhatsApp investigation 2026-04-21

    Version History

    1.0
    2026-04-23Latest

    Initial public release. 27 public case rows, 80 public sources, enforcement-domain charts, citation-ready evidence blocks, research-question table, FAQ, methodology, limitations, and structured case-database downloads.

    Related Reports

    Get in Touch!

    The lab usually responds within 24 hours.