This May, the EU approved the first major AI law, while Colorado introduced a comprehensive AI Act, the first of its kind in the US. Dive into these key stories and more from last month.


EU green lights world's first major AI law

European Union member states gave final approval to the world’s first major AI regulation, the AI Act, establishing comprehensive rules for artificial intelligence. The new regulation will prohibit certain AI practices deemed “unacceptable” due to their high-risk levels, such as manipulative techniques and systems that categorise individuals using biometric data like fingerprints based on race or religion. Read more


Colorado adopts comprehensive AI Act

On May 17, Colorado Governor Jared Polis signed the Colorado Artificial Intelligence Act (SB 205) into law, marking the first comprehensive AI legislation in the United States. Passed by the legislature on May 8, this act is set to take effect on February 1, 2026. The Act addresses both intentional and unintentional algorithmic discrimination by introducing comprehensive notice, disclosure, risk mitigation, and opt-out requirements for developers and deployers of “high-risk” AI systems. Read more


EC launches investigation into Meta's potential DSA violation

The European Commission is investigating Meta, the parent company of Facebook and Instagram, for possible violations of the Digital Services Act regarding child protection. Concerns include algorithms promoting addictive behaviour and issues with age verification methods. In February this year, the EC opened a formal probe on TikTok related to the protection of minors. Read more 


The EDPB taskforce releases findings on ChatGPT

The European Data Protection Board’s (EDPB’s) AI taskforce released its preliminary findings on how the EU’s data protection framework will apply to OpenAI’s ChatGPT. The taskforce noticed that “Although the measures taken to comply with the transparency principle are beneficial to avoid misinterpretation of the output of ChatGPT, they are not sufficient to comply with the data accuracy principle”. Read more


Australian officials commit to Privacy Act overhaul

In a joint statement, the Australian government officials, including the prime minister and attorney-general, announced plans to propose new legislation in August to reform the Privacy Act. The statement highlighted the critical need to revamp the current privacy system to offer survivors of domestic abuse “greater control and transparency over their personal information.” Read more


FCC fines Verizon, T-Mobile and AT&T $200 million for sharing location data

The Federal Communications Commission (FCC) has fined US mobile carriers  AT&T, Verizon, T-Mobile, and Sprint $200 million for illegally sharing customer location data without consent. The fines, stemming from a 2020 claim, address the carriers’ practice of selling data to aggregators, who resold it to third-party location-based service providers without obtaining valid customer consent. Read more


Ticketmaster breach affects more than half a billion users

In a regulatory filing, Live Nation disclosed that its subsidiary, Ticketmaster, experienced a data breach. Hacking group ShinyHunters claimed responsibility for the cyberattack on Ticketmaster via a post on BreachForums, a site used for facilitating and sharing data breaches. The group is reportedly seeking $500,000 for the 1.3TB database, which they allege contains names, addresses, phone numbers, and credit card details of 560 million users. Read more


UK watchdog investigates Microsoft AI taking screenshots

The UK’s Information Commissioner’s Office (ICO) is investigating Microsoft’s new feature, Recall, which captures screenshots of your laptop every few seconds. Designed for the upcoming Copilot+ PCs, Recall stores these encrypted snapshots locally. However, the ICO is seeking more details from Microsoft regarding the safety of this feature, as privacy advocates have labelled it a potential “privacy nightmare.” Read more


Spain blocks Meta's election features on privacy concerns

Meta has been prohibited from launching Facebook and Instagram features to gather voter data in Spain ahead of the European Elections. The Spanish data protection authority, AEPD, invoked emergency GDPR powers to protect user privacy, ordering Meta to halt these features for up to three months. Meta confirmed its compliance with the order. Read more


UK adopts Investigatory Powers (Amendment) Act

The UK’s Investigatory Powers (Amendment) Act (IPAA) recently became law, raising concerns over potential mass surveillance and privacy violations. This legislation broadens the government’s authority to collect bulk communications data, potentially including millions of facial images and social media posts. Despite government arguments, critics worry about weakened safeguards and increased surveillance capabilities. Read more