This Week in AI Regulations - April 26, 2026

Welcome to This Week in AI Regulations for April 26, 2026. Starting in the European Union, the European Data Protection Supervisor, or EDPS, has taken on new market surveillance and notified body roles under the AI Act specifically for AI systems used by EU institutions. The EDPS issued joint opinions supporting stronger cybersecurity rules and the European Biotech Act, emphasizing privacy safeguards. EU institutions are now required to cooperate fully with EDPS investigations, document personal data processing operations, and implement corrective measures as directed by the EDPS’s final decisions. In Spain, new clarifications have been issued regarding AI voice transcription services. Organizations using AI for voice transcription are designated as data controllers under the General Data Protection Regulation, or GDPR. They must ensure compliance with GDPR principles, including accuracy, transparency, and rights management. The guidance stresses proactive responsibility and continuous diligence in selecting and managing AI transcription tools. Controllers and processors are required to exercise due diligence in choosing AI transcription services, implement technical and organizational measures to prevent, detect, and correct transcription errors, and inform data subjects about their rights and the use of AI transcription. Moving to Germany, the Bundesbank has adopted a new AI strategy alongside an updated cloud strategy. The focus is on sovereignty, multi-cloud approaches, and the use of European and open-source solutions. The Bundesbank established internal AI governance frameworks that define rules for AI software procurement, development, and usage. Transparency and validation of AI outputs by users are mandated, and the use of AI for sensitive applications, such as evaluating job applicants, is explicitly prohibited. In Belgium, a draft law has been proposed to amend the 1998 organic law governing intelligence and security services. The modifications aim to modernize data collection methods and establish a clear legal framework for the use of AI by intelligence and security services. The draft law emphasizes human-centered, trustworthy AI use and seeks to equip intelligence services with the legal tools necessary to counter emerging cyber threats effectively while protecting fundamental rights. In Portugal, Banco de Portugal updated its supervisory priorities emphasizing operational resilience measures focusing on digitalization and AI strategies. Turning to the United States, the Securities and Exchange Commission, or SEC, secured a final judgment permanently enjoining AI Investment Education Foundation Limited from violations of the Investment Advisers Act of 1940. The injunction prohibits the firm from filing Form ADV as an Exempt Reporting Adviser and requires payment of a civil penalty. Finally, in the United States state of California, written comments were submitted critiquing the proposed California Privacy Protection Agency’s rules under the California Privacy Protection Act, or CPPA. The comments recommend aligning the rules with existing laws such as the California Consumer Privacy Act, or CCPA, narrowing definitions related to behavioral advertising and profiling, and refining risk assessment and automated decision-making tool requirements. That wraps up today's regulatory updates. Visit carveragents.ai for more information.