Enforcement timeline
Chronologically-ordered enforcement actions linked to the instruments and topics tracked in the Policy Window catalog. Closed cases sort by their resolution year; ongoing cases sort by initiation. Each entry links to the catalog topics + the catalog instruments the case touches, and (where possible) to the best-available primary source for the action.
13 catalogued cases total.
Cases (13)
- Consent decree
2024 · CN
CAC Doubao deep-synthesis enforcement
Enforcer: Cyberspace Administration of China (CAC)
Target: ByteDance (Doubao)
Violation alleged: Doubao deployed deepfake-generation feature without prior CAC algorithm registration; failed to embed mandatory deep-synthesis content-provenance label per Deep Synthesis Provisions Art. 16. CAC requested feature removal pending registration.
Lesson: First named CN-GENAI-2023 enforcement against a frontier-tier Chinese AI developer. Demonstrates: (1) CN registration regime applies pre-deployment + has bite even against domestic champions; (2) cross-instrument enforcement (GenAI rules + Deep Synthesis rules) is operative; (3) remediation is rapid (weeks not years) but private — no consent decree text published.
Source: http://www.cac.gov.cn/2024-01/29/c_1709169093555820.htm
- Settlement with remedy
2023 → 2024 · EU
EDPB ChatGPT Taskforce
Enforcer: European Data Protection Board (EDPB) — coordinated DPA action
Target: OpenAI
Violation alleged: Italian Garante temporarily banned ChatGPT (Mar-Apr 2023) over alleged lack of legal basis for training-data processing, missing age-verification, and inability to honour data-subject rights. EDPB convened taskforce to coordinate DPA responses.
Lesson: First EU-wide AI enforcement coordination predating the EU AIA. Established that GDPR applies fully to LLM training + deployment + that DPAs would coordinate via EDPB rather than fragment. ChatGPT resumed Italian service after age-verification + Article-15 right-of-access endpoint additions. Direct precedent for EU AIA Art. 53 implementation timeline.
- Withdrawn
2023 → 2024 · IN
MEITY deepfake takedown advisories
Enforcer: Ministry of Electronics and Information Technology (MEITY)
Target: Multiple intermediaries — Meta, YouTube/Google, X, several Indian social platforms
Violation alleged: Failure to take down political deepfake content within statutory windows (36 hours under IT Rules 2021). MEITY's Mar-2024 advisory additionally required pre-deployment-approval for AI models above unspecified capability thresholds; rescinded Apr-2024 after frontier-lab pushback.
Lesson: India's compressed legislative cycle: a sweeping pre-deployment-approval requirement (closer to CN registration than US sectoral) was rescinded within 5 weeks after industry + civil-society pushback. Demonstrates that Global South AI regulation is in active design AND that even nationally-coercive states face frontier-lab leverage. Indian regulatory approach now favours post-deployment incident reporting + IT-Rules takedown.
Source: https://www.meity.gov.in/writereaddata/files/Advisory%201%20March%202024.pdf
- Settlement with remedy
2024 · US
Texas AG v. Pieces Technologies (healthcare AI deceptive practices)
Enforcer: Texas Attorney General
Target: Pieces Technologies, Inc.
Violation alleged: Pieces marketed its generative-AI clinical-summary product to Texas hospitals with materially misleading accuracy claims (alleging severe-hallucination rates orders of magnitude lower than measured in deployment).
Lesson: First US state-attorney-general action against a generative-AI vendor under state UDAP/UDTPA authority. Settlement (Sep 2024) required: (1) clear disclosure of AI involvement to end-users, (2) accurate marketing-claim substantiation, (3) ongoing monitoring of model output for hallucination rates. Establishes that state AGs can reach AI deployment claims without an AI-specific state statute — through long-standing consumer-protection authority. Likely template for parallel actions by other state AGs.
Source: https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-secures-settlement-healthcare-technology-company-pieces-technologies (regulator landing)
- Consent decree
2022 → 2023 · CN
CN CAC algorithm-recommendation rectification campaign
Enforcer: Cyberspace Administration of China (CAC)
Target: Multiple platforms: Douyin, Kuaishou, Xiaohongshu, Weibo, Taobao (named in CAC public action)
Violation alleged: Unregistered or non-compliant algorithm-recommendation systems. Failure to provide opt-out mechanisms. Failure to register algorithms with CAC under the Algorithm Recommendation Provisions.
Lesson: First operational implementation of pre-deployment AI registration regime. Demonstrated that CAC has enforcement bandwidth + technical capability to audit recommender algorithms at scale. Platforms responded by significantly altering algorithm transparency + opt-out flows. Cited as the working counter-example to the 'registration regimes are unenforceable' claim.
Source: http://www.cac.gov.cn/2022-03/01/c_1647248428128290.htm
- Consent decree
2022 → 2023 · US
EEOC v. iTutorGroup, Inc.
EEOC v. iTutorGroup (AI age-discrimination consent decree)
E.D.N.Y. · No. 1:22-cv-02565
Enforcer: Equal Employment Opportunity Commission (EEOC)
Target: iTutorGroup, Inc.
Violation alleged: iTutorGroup's recruiting software automatically rejected female applicants aged 55 and older, and male applicants aged 60 and older, regardless of qualifications.
Lesson: First US EEOC-as-party suit against an AI-mediated hiring tool resolved by consent decree ($365,000 settlement + 5-year monitoring; required revised non-discriminatory application processes; mandatory anti-discrimination training; right to re-apply for rejected applicants). Establishes that pre-AI civil-rights statutes (ADEA, Title VII, ADA) can be applied to algorithmic hiring outputs without requiring a dedicated AI statute — the load-bearing precedent for the US 'sectoral / ex-post liability' regime in employment AI.
Source: https://www.eeoc.gov/newsroom/itutorgroup-pay-365000-settle-eeoc-discriminatory-hiring-suit (regulator landing)
- Ongoing
2023 → ongoing · US
Mobley v. Workday, Inc.
Mobley v. Workday (US AI-hiring class action)
N.D. Cal. · No. 3:23-cv-00770
Enforcer: Private civil class action; EEOC amicus participation
Target: Workday Inc.
Violation alleged: Workday's algorithmic hiring tools allegedly screened out applicants on disability, age, and race. Class action seeks to certify Workday as an 'employment agency' under Title VII so disparate-impact theory applies to the algorithm's outputs rather than only its developers.
Lesson: First major US AI-hiring class action with EEOC amicus support. If Workday is certified as an 'employment agency', US sectoral approach (EEOC + Title VII) substantially expands AI-hiring liability without requiring an AI statute. This is the load-bearing test of whether US 'principles + ex-post liability' approach can substitute for EU AIA Annex III §4 (high-risk employment AI obligations).
Source: https://www.eeoc.gov/newsroom/eeoc-files-amicus-brief-supporting-mobley-v-workday (regulator landing)
- Fine imposed
2020 → 2023 · EU
France CNIL — Clearview AI
Enforcer: Commission nationale de l'informatique et des libertés (CNIL)
Target: Clearview AI Inc.
Violation alleged: Mass scraping of facial images of French residents + biometric processing without lawful basis. CNIL imposed €20M fine + 5x €100k/day penalty for non-compliance with deletion order.
Lesson: Parallel to the Italian Garante action; both imposed an identical €20M fine within 6 months. CNIL added 5x €100k/day non-compliance penalty when Clearview refused deletion — escalation pattern that EU AIA Art. 99 (penalties up to 7% global turnover) extends. Multi-DPA replication confirms GDPR is enforceable against US-based AI providers serving EU residents.
Source: https://www.cnil.fr/en/facial-recognition-cnil-fines-clearview-ai-eur20-million
- Ongoing
2023 → ongoing · US
FTC investigation of OpenAI
Enforcer: Federal Trade Commission
Target: OpenAI
Violation alleged: Civil Investigative Demand alleging consumer-protection violations: misleading claims about ChatGPT capabilities, training-data privacy, and consumer harm from hallucinations.
Lesson: First US federal enforcement action against a frontier-AI developer. Establishes that pre-AI-statute consumer-protection authority (FTC §5) can be applied to AI services — supports the US 'sectoral / ex-post liability' regime (vs EU's ex-ante AIA). Action remains pending; no judgment yet.
Source: https://www.washingtonpost.com/technology/2023/07/13/ftc-openai-chatgpt-sam-altman-lina-khan/ (news secondary)
- Ongoing
2023 → ongoing · US
New York Times v. OpenAI + Microsoft
Enforcer: New York Times Company (private civil litigation)
Target: OpenAI Inc. + Microsoft Corp.
Violation alleged: Unauthorised reproduction of NYT-copyrighted articles in GPT training corpora; output of substantially similar text on prompted query; removal of copyright-management information.
Lesson: First major frontier-foundation-model copyright lawsuit by a primary news source. Discovery has surfaced disclosure of training-data composition that the EU AIA Art. 53 transparency requirements would have surfaced ex-ante. The case is the highest-stakes ex-post-liability action testing whether US sectoral approach can substitute for ex-ante regulation on training-data rights — outcome will inform 2025-2027 regulatory debates.
Source: https://www.nytimes.com/2023/12/27/business/media/new-york-times-open-ai-microsoft-lawsuit.html
- Settlement with remedy
2022 → 2023 · UK
UK ICO live-facial-recognition post-mortem
Enforcer: Information Commissioner's Office (ICO)
Target: South Wales Police + Metropolitan Police (cross-force assessment)
Violation alleged: Live facial recognition deployments in public spaces without adequate proportionality assessment, transparency, or appeal mechanisms. Disparate accuracy across demographic groups.
Lesson: Mandatory pre-deployment data-protection-impact-assessment + ongoing accuracy reporting for police LFR. Demonstrated that principles-based UK regime can produce binding outcomes via sector-regulator action — but slowly (action initiated 2019, settled 2023). Cited as evidence FOR the principles-based regime (operationally adapts to context) AND AGAINST it (slow + uneven coverage).
- Settlement with remedy
2018 → 2022 · US
HUD / DOJ v. Facebook (ad-targeting Fair Housing Act)
Enforcer: US Department of Housing and Urban Development (HUD) + Department of Justice (DOJ)
Target: Meta Platforms, Inc. (Facebook)
Violation alleged: Facebook's ad-delivery and ad-targeting tools (including 'Special Ad Audience' / Lookalike Audiences) allowed advertisers to exclude users on the basis of protected classes (race, colour, religion, sex, familial status, national origin, disability), and the platform's algorithmic delivery further skewed ad reach.
Lesson: First major US federal settlement holding a platform liable for discriminatory algorithmic delivery under a pre-AI civil-rights statute. DOJ settlement (June 2022) required Meta to develop a new 'Variance Reduction System' to redress racially-skewed ad delivery + sunset the Special Ad Audience tool. Establishes that algorithmic-delivery discrimination — not just user-facing targeting options — is reachable under FHA. Subsequently cited as the template for analogous reasoning under ECOA (lending) and ADEA (employment).
Source: https://www.justice.gov/opa/pr/justice-department-secures-groundbreaking-settlement-agreement-meta-platforms-formerly-known (regulator landing)
- Fine imposed
2021 → 2022 · EU
Italian DPA — Clearview AI
Enforcer: Garante per la protezione dei dati personali (Italian DPA)
Target: Clearview AI Inc.
Violation alleged: Mass scraping of publicly-available facial images + biometric processing without legal basis under GDPR. Provision of services to Italian users without GDPR-compliant data-processing arrangements.
Lesson: €20M fine + mandatory deletion of Italian-resident facial-recognition data. Established that GDPR provides binding enforcement authority for biometric-AI applications even where no AI-specific instrument exists. Replicated in France (2022) + UK (2022) + Greece (2022) — the only successful cross-jurisdictional AI enforcement so far.
Source: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9751362
Editorial scope
This timeline reflects enforcement cases tracked in the Policy Window catalog. It is not exhaustive; coverage focuses on high-precedent matters relevant to the catalogued instruments (currently 13 cases across EU, US, UK, China, India, Italy, France). The catalog deliberately omits routine regulator letters and ongoing investigations whose materials are not public.
For the inclusion rubric (when a case enters the catalog, what level of source-defensibility is required, how jurisdictional balance is managed), see /wiki/methodology. Cases marked “ongoing” remain editorial-watch items; outcomes get backfilled as the public record settles.