AIRiskAware


Enforcement 12 min read 2026

AI Enforcement in 2026: The Cases Every Organisation Should Know

Global AI enforcement shifted from guidance to penalties in 2023-26. Regulators in Australia, the EU, UK, and US moved against biometric AI, AI hiring tools, and AI consumer practices. Here are the enforcement actions that set today's compliance expectations.

Key Takeaways

  • The OAIC's Clearview AI enforcement, upheld on appeal in 2023, established that Australia's Privacy Act applies extraterritorially to overseas companies collecting biometric data about Australians, with no 'publicly available' defence.

  • The Italian DPA's 2023 ChatGPT suspension established the EU enforcement template: lawful basis, data subject rights, age verification, and transparency obligations are all enforceable against AI providers.

  • The FTC's 2023 settlement with Rite Aid — banning facial recognition use for five years — established that deploying AI in consumer-facing contexts without adequate accuracy and bias testing violates US consumer protection law.

  • The UK ICO's enforcement against Southern Co-op's live facial recognition (2023) established that LFR in retail requires a DPIA, a very high legitimate interests bar, and governance that most retail deployments could not demonstrate.

  • The EU AI Office's first prohibited AI enforcement actions (from 2 February 2025) focused on social scoring, subliminal manipulation, and biometric identification.

  • Pattern across all jurisdictions: regulators are using existing law to act on AI misuse without waiting for AI-specific legislation.

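"For reference only. This article does not constitute legal, regulatory, financial, or professional advice. For specific guidance, consult a qualified expert."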

Australia: OAIC and Clearview AI

The OAIC's enforcement against Clearview AI found that collecting facial images of Australians without consent breached the Privacy Act. The Administrative Appeals Tribunal upheld the OAIC's findings in 2023. The "publicly available" defence was rejected. The enforcement order required Clearview to cease collecting data about Australians and delete existing data. Practical implication: physical presence in Australia is not required for Privacy Act obligations.

EU: ChatGPT and DPA enforcement

The Italian DPA's temporary suspension of ChatGPT in March 2023 established the EU enforcement template. Its concerns included no clear legal basis for training data collection, no effective age verification, and the absence of a compliant Data Processing Agreement. OpenAI's negotiations to restore service set the template subsequently adopted in France, Spain, and Ireland.

UK: ICO and live facial recognition

The ICO's enforcement notices against Southern Co-op and Facewatch in 2023-24 established that LFR in retail requires a DPIA, a high-bar legitimate interests justification, specific transparency, and documented accuracy and bias testing. The ICO has signalled that most current retail LFR deployments fall short of the required standards.

US: FTC and Rite Aid

The FTC's December 2023 settlement with Rite Aid banned the pharmacy chain from using facial recognition for five years after finding: deployment with high false positive rates; disproportionate misidentification of women and people of colour; and use of AI alerts to surveil individuals who had committed no offence. The enforcement signal: deploying AI without documented accuracy and bias testing is an unfair trade practice.