Enforcement timeline

Chronologically-ordered enforcement actions linked to the instruments and topics tracked in the Policy Window catalog. Closed cases sort by their resolution year; ongoing cases sort by initiation. Each entry links to the catalog topics + the catalog instruments the case touches, and (where possible) to the best-available primary source for the action.

13 catalogued cases total · 4 match the current filter (year = 2023; instrument = EU AI Act) clear all.

Filters

By year

Topic + instrument filters are link-based (?topic=biometric_id, ?instrument=EU-AIA-2024). See “Related catalog rows” on each case below to apply a filter without typing.

Cases (4)

Settlement with remedy
Fine imposed
Ongoing
Open arrow = ongoing (no resolution year yet)

2023 → 2024 · EU
EDPB ChatGPT Taskforce
Settlement with remedy
Enforcer: European Data Protection Board (EDPB) — coordinated DPA action
Target: OpenAI
Violation alleged: Italian Garante temporarily banned ChatGPT (Mar-Apr 2023) over alleged lack of legal basis for training-data processing, missing age-verification, and inability to honour data-subject rights. EDPB convened taskforce to coordinate DPA responses.
Lesson: First EU-wide AI enforcement coordination predating the EU AIA. Established that GDPR applies fully to LLM training + deployment + that DPAs would coordinate via EDPB rather than fragment. ChatGPT resumed Italian service after age-verification + Article-15 right-of-access endpoint additions. Direct precedent for EU AIA Art. 53 implementation timeline.
Topics:Training-Data Rights [filter],Transparency Obligations [filter],Individual Redress [filter],Foundation Models / GPAI [filter]
Instruments:EU AI Act [filter]
Source: https://www.edpb.europa.eu/news/news/2024/edpb-resolves-dispute-controllers-and-adopts-statement-eu-us-data-privacy_en
2023 → ongoing · US
Mobley v. Workday, Inc.
Mobley v. Workday (US AI-hiring class action)
Ongoing
N.D. Cal. · No. 3:23-cv-00770
Enforcer: Private civil class action; EEOC amicus participation
Target: Workday Inc.
Violation alleged: Workday's algorithmic hiring tools allegedly screened out applicants on disability, age, and race. Class action seeks to certify Workday as an 'employment agency' under Title VII so disparate-impact theory applies to the algorithm's outputs rather than only its developers.
Lesson: First major US AI-hiring class action with EEOC amicus support. If Workday is certified as an 'employment agency', US sectoral approach (EEOC + Title VII) substantially expands AI-hiring liability without requiring an AI statute. This is the load-bearing test of whether US 'principles + ex-post liability' approach can substitute for EU AIA Annex III §4 (high-risk employment AI obligations).
Topics:AI in Employment [filter],Individual Redress [filter],Transparency Obligations [filter]
Instruments:Executive Order 14110 on Safe, Secure, Trustworthy AI [filter],EU AI Act [filter]
Source: https://www.eeoc.gov/newsroom/eeoc-files-amicus-brief-supporting-mobley-v-workdayregulator landing
2020 → 2023 · EU
France CNIL — Clearview AI
Fine imposed
Enforcer: Commission nationale de l'informatique et des libertés (CNIL)
Target: Clearview AI Inc.
Violation alleged: Mass scraping of facial images of French residents + biometric processing without lawful basis. CNIL imposed €20M fine + 5x €100k/day penalty for non-compliance with deletion order.
Lesson: Parallel to Italian Garante action; both fined identical €20M amount within 6 months. CNIL added 5x €100k/day non-compliance penalty when Clearview refused deletion — escalation pattern that EU AIA Art. 99 (penalties up to 7% global turnover) extends. Multi-DPA replication confirms GDPR is enforceable against US-based AI providers serving EU residents.
Topics:Biometric Identification [filter],Training-Data Rights [filter],Individual Redress [filter]
Instruments:EU AI Act [filter]
Source: https://www.cnil.fr/en/facial-recognition-cnil-fines-clearview-ai-eur20-million
2023 → ongoing · US
New York Times v. OpenAI + Microsoft
Ongoing
Enforcer: New York Times Company (private civil litigation)
Target: OpenAI Inc. + Microsoft Corp.
Violation alleged: Unauthorised reproduction of NYT-copyrighted articles in GPT training corpora; output of substantially similar text on prompted query; removal of copyright-management information.
Lesson: First major frontier-foundation-model copyright lawsuit by a primary news source. Discovery has surfaced disclosure of training-data composition that the EU AIA Art. 53 transparency requirements would have surfaced ex-ante. The case is the highest-stakes ex-post-liability action testing whether US sectoral approach can substitute for ex-ante regulation on training-data rights — outcome will inform 2025-2027 regulatory debates.
Topics:Training-Data Rights [filter],Transparency Obligations [filter],Foundation Models / GPAI [filter]
Instruments:Executive Order 14110 on Safe, Secure, Trustworthy AI [filter],EU AI Act [filter]
Source: https://www.nytimes.com/2023/12/27/business/media/new-york-times-open-ai-microsoft-lawsuit.html

Editorial scope

This timeline reflects enforcement cases tracked in the Policy Window catalog. It is not exhaustive; coverage focuses on high-precedent matters relevant to the catalogued instruments (currently 13 cases across EU, US, UK, China, India, Italy, France). The catalog deliberately omits routine regulator letters and ongoing investigations whose materials are not public.

For the inclusion rubric (when a case enters the catalog, what level of source-defensibility is required, how jurisdictional balance is managed), see /wiki/methodology. Cases marked “ongoing” remain editorial-watch items; outcomes get backfilled as the public record settles.

Enforcement timeline

13 catalogued cases total · 4 match the current filter (year = 2023; instrument = EU AI Act) clear all.

Cases (4)

Settlement with remedy
Fine imposed
Ongoing
Open arrow = ongoing (no resolution year yet)

2023 → 2024 · EU

EDPB ChatGPT Taskforce

Settlement with remedy

Enforcer: European Data Protection Board (EDPB) — coordinated DPA action

Target: OpenAI

Violation alleged: Italian Garante temporarily banned ChatGPT (Mar-Apr 2023) over alleged lack of legal basis for training-data processing, missing age-verification, and inability to honour data-subject rights. EDPB convened taskforce to coordinate DPA responses.

Lesson: First EU-wide AI enforcement coordination predating the EU AIA. Established that GDPR applies fully to LLM training + deployment + that DPAs would coordinate via EDPB rather than fragment. ChatGPT resumed Italian service after age-verification + Article-15 right-of-access endpoint additions. Direct precedent for EU AIA Art. 53 implementation timeline.

Topics:Training-Data Rights [filter],Transparency Obligations [filter],Individual Redress [filter],Foundation Models / GPAI [filter]

Instruments:EU AI Act [filter]

Source: https://www.edpb.europa.eu/news/news/2024/edpb-resolves-dispute-controllers-and-adopts-statement-eu-us-data-privacy_en

2023 → ongoing · US

Mobley v. Workday, Inc.

Mobley v. Workday (US AI-hiring class action)

Ongoing

N.D. Cal. · No. 3:23-cv-00770

Enforcer: Private civil class action; EEOC amicus participation

Target: Workday Inc.

Violation alleged: Workday's algorithmic hiring tools allegedly screened out applicants on disability, age, and race. Class action seeks to certify Workday as an 'employment agency' under Title VII so disparate-impact theory applies to the algorithm's outputs rather than only its developers.

Lesson: First major US AI-hiring class action with EEOC amicus support. If Workday is certified as an 'employment agency', US sectoral approach (EEOC + Title VII) substantially expands AI-hiring liability without requiring an AI statute. This is the load-bearing test of whether US 'principles + ex-post liability' approach can substitute for EU AIA Annex III §4 (high-risk employment AI obligations).

Topics:AI in Employment [filter],Individual Redress [filter],Transparency Obligations [filter]

Instruments:Executive Order 14110 on Safe, Secure, Trustworthy AI [filter],EU AI Act [filter]

Source: https://www.eeoc.gov/newsroom/eeoc-files-amicus-brief-supporting-mobley-v-workdayregulator landing

2020 → 2023 · EU

France CNIL — Clearview AI

Fine imposed

Enforcer: Commission nationale de l'informatique et des libertés (CNIL)

Target: Clearview AI Inc.

Violation alleged: Mass scraping of facial images of French residents + biometric processing without lawful basis. CNIL imposed €20M fine + 5x €100k/day penalty for non-compliance with deletion order.

Lesson: Parallel to Italian Garante action; both fined identical €20M amount within 6 months. CNIL added 5x €100k/day non-compliance penalty when Clearview refused deletion — escalation pattern that EU AIA Art. 99 (penalties up to 7% global turnover) extends. Multi-DPA replication confirms GDPR is enforceable against US-based AI providers serving EU residents.

Topics:Biometric Identification [filter],Training-Data Rights [filter],Individual Redress [filter]

Instruments:EU AI Act [filter]

Source: https://www.cnil.fr/en/facial-recognition-cnil-fines-clearview-ai-eur20-million

2023 → ongoing · US

New York Times v. OpenAI + Microsoft

Ongoing

Enforcer: New York Times Company (private civil litigation)

Target: OpenAI Inc. + Microsoft Corp.

Violation alleged: Unauthorised reproduction of NYT-copyrighted articles in GPT training corpora; output of substantially similar text on prompted query; removal of copyright-management information.

Lesson: First major frontier-foundation-model copyright lawsuit by a primary news source. Discovery has surfaced disclosure of training-data composition that the EU AIA Art. 53 transparency requirements would have surfaced ex-ante. The case is the highest-stakes ex-post-liability action testing whether US sectoral approach can substitute for ex-ante regulation on training-data rights — outcome will inform 2025-2027 regulatory debates.

Topics:Training-Data Rights [filter],Transparency Obligations [filter],Foundation Models / GPAI [filter]

Instruments:Executive Order 14110 on Safe, Secure, Trustworthy AI [filter],EU AI Act [filter]

Source: https://www.nytimes.com/2023/12/27/business/media/new-york-times-open-ai-microsoft-lawsuit.html