Documented enforcement actions where regulators invoked a rule against a deploying organisation, with the primary-source case record and the lesson the field has drawn from each.
FTC investigation of OpenAIUS · 2023 · ongoing
Federal Trade Commission v. OpenAI — Civil Investigative Demand alleging consumer-protection violations: misleading claims about ChatGPT capabilities, training-data privacy, and consumer harm from hallucinations.
Lesson: First US federal enforcement action against a frontier-AI developer. Establishes that pre-AI-statute consumer-protection authority (FTC §5) can be applied to AI services — supports the US 'sectoral / ex-post liability' regime (vs EU's ex-ante AIA). Action remains pending; no judgment yet.
Mobley v. Workday (US AI-hiring class action)US · 2023 · ongoing
Mobley v. Workday, Inc., No. 3:23-cv-00770 (N.D. Cal.)
Private civil class action; EEOC amicus participation v. Workday Inc. — Workday's algorithmic hiring tools allegedly screened out applicants on disability, age, and race. Class action seeks to certify Workday as an 'employment agency' under Title VII so disparate-impact theory applies to the algorithm's outputs rather than only its developers.
Lesson: First major US AI-hiring class action with EEOC amicus support. If Workday is certified as an 'employment agency', US sectoral approach (EEOC + Title VII) substantially expands AI-hiring liability without requiring an AI statute. This is the load-bearing test of whether US 'principles + ex-post liability' approach can substitute for EU AIA Annex III §4 (high-risk employment AI obligations).
Source record →regulator landing Texas AG v. Pieces Technologies (healthcare AI deceptive practices)US · 2024–2024
Texas Attorney General v. Pieces Technologies, Inc. — Pieces marketed its generative-AI clinical-summary product to Texas hospitals with materially misleading accuracy claims (alleging severe-hallucination rates orders of magnitude lower than measured in deployment).
Lesson: First US state-attorney-general action against a generative-AI vendor under state UDAP/UDTPA authority. Settlement (Sep 2024) required: (1) clear disclosure of AI involvement to end-users, (2) accurate marketing-claim substantiation, (3) ongoing monitoring of model output for hallucination rates. Establishes that state AGs can reach AI deployment claims without an AI-specific state statute — through long-standing consumer-protection authority. Likely template for parallel actions by other state AGs.
Source record →regulator landing EDPB ChatGPT TaskforceEU · 2023–2024
European Data Protection Board (EDPB) — coordinated DPA action v. OpenAI — Italian Garante temporarily banned ChatGPT (Mar-Apr 2023) over alleged lack of legal basis for training-data processing, missing age-verification, and inability to honour data-subject rights. EDPB convened taskforce to coordinate DPA responses.
Lesson: First EU-wide AI enforcement coordination predating the EU AIA. Established that GDPR applies fully to LLM training + deployment + that DPAs would coordinate via EDPB rather than fragment. ChatGPT resumed Italian service after age-verification + Article-15 right-of-access endpoint additions. Direct precedent for EU AIA Art. 53 implementation timeline.
MEITY deepfake takedown advisoriesIN · 2023–2024
Ministry of Electronics and Information Technology (MEITY) v. Multiple intermediaries — Meta, YouTube/Google, X, several Indian social platforms — Failure to take down political deepfake content within statutory windows (36 hours under IT Rules 2021). MEITY's Mar-2024 advisory additionally required pre-deployment-approval for AI models above unspecified capability thresholds; rescinded Apr-2024 after frontier-lab pushback.
Lesson: India's compressed legislative cycle: a sweeping pre-deployment-approval requirement (closer to CN registration than US sectoral) was rescinded within 5 weeks after industry + civil-society pushback. Demonstrates that Global South AI regulation is in active design AND that even nationally-coercive states face frontier-lab leverage. Indian regulatory approach now favours post-deployment incident reporting + IT-Rules takedown.
CN CAC algorithm-recommendation rectification campaignCN · 2022–2023
Cyberspace Administration of China (CAC) v. Multiple platforms: Douyin, Kuaishou, Xiaohongshu, Weibo, Taobao (named in CAC public action) — Unregistered or non-compliant algorithm-recommendation systems. Failure to provide opt-out mechanisms. Failure to register algorithms with CAC under the Algorithm Recommendation Provisions.
Lesson: First operational implementation of pre-deployment AI registration regime. Demonstrated that CAC has enforcement bandwidth + technical capability to audit recommender algorithms at scale. Platforms responded by significantly altering algorithm transparency + opt-out flows. Cited as the working counter-example to the 'registration regimes are unenforceable' claim.
UK ICO live-facial-recognition post-mortemUK · 2022–2023
Information Commissioner's Office (ICO) v. South Wales Police + Metropolitan Police (cross-force assessment) — Live facial recognition deployments in public spaces without adequate proportionality assessment, transparency, or appeal mechanisms. Disparate accuracy across demographic groups.
Lesson: Mandatory pre-deployment data-protection-impact-assessment + ongoing accuracy reporting for police LFR. Demonstrated that principles-based UK regime can produce binding outcomes via sector-regulator action — but slowly (action initiated 2019, settled 2023). Cited as evidence FOR the principles-based regime (operationally adapts to context) AND AGAINST it (slow + uneven coverage).
EEOC v. iTutorGroup (AI age-discrimination consent decree)US · 2022–2023
EEOC v. iTutorGroup, Inc., No. 1:22-cv-02565 (E.D.N.Y.)
Equal Employment Opportunity Commission (EEOC) v. iTutorGroup, Inc. — iTutorGroup's recruiting software automatically rejected female applicants aged 55 and older, and male applicants aged 60 and older, regardless of qualifications.
Lesson: First US EEOC-as-party suit against an AI-mediated hiring tool resolved by consent decree ($365,000 settlement + 5-year monitoring; required revised non-discriminatory application processes; mandatory anti-discrimination training; right to re-apply for rejected applicants). Establishes that pre-AI civil-rights statutes (ADEA, Title VII, ADA) can be applied to algorithmic hiring outputs without requiring a dedicated AI statute — the load-bearing precedent for the US 'sectoral / ex-post liability' regime in employment AI.
Source record →regulator landing Italian DPA — Clearview AIEU · 2021–2022
Garante per la protezione dei dati personali (Italian DPA) v. Clearview AI Inc. — Mass scraping of publicly-available facial images + biometric processing without legal basis under GDPR. Provision of services to Italian users without GDPR-compliant data-processing arrangements.
Lesson: €20M fine + mandatory deletion of Italian-resident facial-recognition data. Established that GDPR provides binding enforcement authority for biometric-AI applications even where no AI-specific instrument exists. Replicated in France (2022) + UK (2022) + Greece (2022) — the only successful cross-jurisdictional AI enforcement so far.
France CNIL — Clearview AIEU · 2020–2023
Commission nationale de l'informatique et des libertés (CNIL) v. Clearview AI Inc. — Mass scraping of facial images of French residents + biometric processing without lawful basis. CNIL imposed €20M fine + 5x €100k/day penalty for non-compliance with deletion order.
Lesson: Parallel to Italian Garante action; both fined identical €20M amount within 6 months. CNIL added 5x €100k/day non-compliance penalty when Clearview refused deletion — escalation pattern that EU AIA Art. 99 (penalties up to 7% global turnover) extends. Multi-DPA replication confirms GDPR is enforceable against US-based AI providers serving EU residents.
HUD / DOJ v. Facebook (ad-targeting Fair Housing Act)US · 2018–2022
US Department of Housing and Urban Development (HUD) + Department of Justice (DOJ) v. Meta Platforms, Inc. (Facebook) — Facebook's ad-delivery and ad-targeting tools (including 'Special Ad Audience' / Lookalike Audiences) allowed advertisers to exclude users on the basis of protected classes (race, colour, religion, sex, familial status, national origin, disability), and the platform's algorithmic delivery further skewed ad reach.
Lesson: First major US federal settlement holding a platform liable for discriminatory algorithmic delivery under a pre-AI civil-rights statute. DOJ settlement (June 2022) required Meta to develop a new 'Variance Reduction System' to redress racially-skewed ad delivery + sunset the Special Ad Audience tool. Establishes that algorithmic-delivery discrimination — not just user-facing targeting options — is reachable under FHA. Subsequently cited as the template for analogous reasoning under ECOA (lending) and ADEA (employment).
Source record →regulator landing