Searchlight AI
European Union

The European General Data Protection Regulation (GDPR) is the EU's framework governing the collection and processing of personal data in the EU. AI systems – whether deployed by an AI provider within or outside of the EU – must comply with the requirements set out in the GDPR if they fall within the scope of the scope of the legislation when collecting and processing the personal data of individuals.

The GDPR grants individuals several important rights, including rights of access, to be forgotten, to object, to rectification, to restrict processing, to data portability, and not to be subject to decisions based solely on automated processing. These ensure that data subjects have control and transparency over how their personal data is used.

The European Data Protection Board (EDPB) helps to ensure that the GDPR is applied consistently between Member States' Data Protection Authorities and facilitates cooperation in enforcement.

• On 17 July 2024, the EDPB issued a statement calling on Member States to designate Data Protection Authorities as Market Surveillance Authorities under Europe's AI Act, with a deadline of 2 August 2025.
• In 2024, the EDPB formed a task force to investigate data processing by OpenAI’s ChatGPT and, on 12 February 2025, expanded its scope to include the Chinese AI platform DeepSeek. A quick response team is being set up to guide and coordinate enforcement actions across different Data Protection Authorities whenever concerns arise related to AI data processing.

The European Data Protection Supervisor (EDPS), established under the GDPR, is responsible for monitoring how institutions and bodies subject to the GDPR process personal data. Within the scope of the AI Act, the EDPS will serve as the competent authority, supervising institutions and bodies subject to the GDPR to ensure their AI activities align with data protection principles and rules.

The (revised) Product Liability Directive establishes a specific type of liability for certain types of damage – strict liability (ie, non-fault based) for defective products causing death, personal injury or damage to personal property.

• The Directive provides for strict liability in relation to defective "products" and defective "components" (that cause their product to be defective).  Both are defined in a way that would include AI systems (namely, "software" and "intangibles"), meaning the Directive applies both to standalone AI systems and AI-enabled products – where the AI system is a component of the product (such as a self-driving car).
• The Directive sets out rebuttable presumptions of defectiveness and causation, including where the claimant faces excessive difficulties due to technical or scientific complexity. It also establishes new rules in relation to disclosure of evidence.
• It entered into force on 8 December 2024. EU countries will have until 9 December 2026 to transpose this directive into national law.

In 2022, the EC had proposed the AI Liability Directive, which focused on providing procedural facilitations for claims related to AI systems under fault-based civil liability regimes in Member States' national laws in relation to the disclosure of evidence and rebuttable presumptions, in particular in relation to establishing the causation element. However, after a very slow progress through the legislative procedure, the EC withdrew the proposal in February 2025, citing a lack of "foreseeable agreement". The EC indicated it would consider whether to adopt another proposal in the future.

The General Product Safety Regulation outlines the EU's new general framework for the safety of non-food consumer products. While there are certain doubts as to the precise scope of the Regulation, the EC has indicated in its Q&A published on 27 November 2024 that it considers the Regulation to apply to "all types of products, including […] software". The Regulation entered into force on 12 June 2023 and has applied since 13 December 2024.

The European Commission – in its capacity as the EU's competition authority – has identified technology and digital markets as a key sector and has made clear that it is committed to ensuring that these markets are competitive and contestable by using tools available to it such as antitrust enforcement, merger control, and the Digital Markets Act.

• In July 2024, the Commission – along with the US Department of Justice and Federal Trade Commission, and the UK's Competition and Markets Authority – issued a joint statement on "Competition in Generative AI Foundation Models and AI Products". It outlined certain risks that AI poses to competition, including concentrated control of key input such as chips, entrenching or extending market power in AI-related markets by incumbent tech companies with an established presence in the AI supply chain, and partnerships and financial investments between AI startups and established tech companies to access (for example) cloud computing power.
• In September 2024, the Commission issued a policy brief on "Competition in Generative AI and Virtual Worlds" which outlines the state of competition in the AI sector and sets out the Commission's concerns and possible theories of harm. These include, most significantly, risk that incumbent large digital players may limit access to key computing infrastructure such as cloud capacity, and risk that the large players offering AI foundation models may "use their market power to limit choice or distort competition in downstream markets" – for example, by leveraging behaviour, tying, refusal to supply, and so on. To ensure that the AI sector remains competitive and contestable, the Commission is taking active steps by monitoring:

• Vertical agreements, between Original Equipment Manufacturers and AI developers for the pre-installation of AI models on mobile devices which may potentially make it more "difficult for other foundation models to be accessed or pre-installed on those devices" (see policy brief at page 6).
• Mergers and acquisitions. The Commission has been exploring the possibility of reviewing transactions which do not meet the EU merger control threshold but which may nonetheless be examined under Article 22 European Union Merger Regulation (EUMR)procedure (see, for example, NVIDIA/Run:ai below). It has also been considering whether investment and partnerships between large digital companies and generative AI developers should be assessed under the EU's merger control rules (see, for example, Microsoft/Open AI and Microsoft/Inflection below, and note policy brief at page 6 and speech by EVP Margrethe Vestager at the European Commission workshop on "Competition in Virtual Worlds and Generative AI" on 28 June 2024).

Algorithmic collusion is also on the Commission's radar. In its Guidelines on Horizontal Cooperation Agreements, the Commission has set out two key principles for the treatment of pricing algorithms. Firstly, if the "pricing practices are illegal when implemented offline, there is a high probability that they will also be illegal when implemented online". And secondly, "firms involved in illegal pricing practices cannot avoid liability on the ground that their prices were determined by algorithms. Just like an employee or an outside consultant working under a firm's "direction or control", an algorithm remains under the firm's control, and therefore the firm is liable even if its actions were informed by algorithms." (Horizontal Cooperation Guidelines at paragraph 379).

While the Digital Markets Act does not explicitly refer to AI as a core platform service, EVP Margrethe Vestager noted at the European Commission workshop on "Competition in Virtual Worlds and Generative AI", on 28 June 2024, that the obligations under the Act will also apply to AI where it is “embedded in designated core platform services such as search engines, operating systems and social networking services.”

• On 23 January 2025, the European Parliament expressed concerns that the EC had not designated any providers of cloud computing services, which is crucial for development of AI.
• On 24 January 2025, the French Government suggested that the scope of the DMA should be extended to cover the entire AI value chain.

• On 1 March 2024, the European Patent Office implemented updated "Guidelines for Examination" that introduce stricter disclosure requirements of sufficiency for AI-related inventions. The guidelines emphasise that AI models must be described in sufficient detail to enable a skilled person to reproduce the claimed invention's technical effect without undue burden. While there is no obligation to disclose the specific training dataset itself, its characteristics must be adequately described if they are necessary to achieve the claimed technical effect.
• As of 1 July 2024, the European Union Intellectual Property Office (EUIPO) established an "Executive Advisory Committee" focused on AI, inclusivity, and sustainability. In alignment with the AIA, the EUIPO is expected to issue specific guidelines addressing the implications of AI on intellectual property, which aim to ensure compliance with EU copyright laws by requiring AI companies to establish policies that respect intellectual property rights - including mechanisms for rights holders to opt out of text and data mining.
• On 7 February 2025, the European Copyright Society published an opinion examining the challenges that generative AI poses to copyright law and the AI Act. The Society highlighted several key areas that require urgent attention from the European Union, including the scope of the text and data mining exception, transparency requirements, rights holders’ ability to opt-out under the AI Act, and fair remuneration of authors and performers. As an independent organisation of copyright experts, the Society emphasises the need for clearer guidelines to ensure a fair balance between fostering AI innovation and protecting intellectual property rights, particularly concerning research exemptions and the interplay between existing copyright regulations.