Reacting to the news
A brief newsletter
Hello, dear reader, and welcome to another issue of AI, Law, and Otter Things! Today’s newsletter will be a bit short: I am feeling kinda tired, so I will share some shorter thoughts on topics I’ve been working on rather than a longer essay. After that, the usual: reading recommendations, opportunities, and otters. Hope you enjoy!
The clocks march on…
Over the past few weeks, we have seen quite a bit of drama on whether and how the timetable for EU legislation—especially the AI Act—would be adjusted amid delays in standardization and codes of practice (as well as geopolitical pressures). Last week, the Commission came out strongly, and perhaps a bit surprisingly, against the idea, sticking by the current timetable. While the official position is that simplification remains necessary, they argue that this should not lead to delays in implementation or to laws such as the AI Act or the DSA to become bargaining chips with the US.
The simplification effort can itself be rather questionable, depending on its intended execution, and I had the pleasure of adding my expert voice1 to an open letter urging the Commission not to turn simplification into fast-track de-regulation.2 But, if the law stays the same, it will be necessary to ramp up the Commission’s efforts to provide guidance on how to implement those acts. To some extent, they are already doing so: the Code of Practice for General-Purpose AI was released today, and the Commission keeps its not so subtle calls for CEN and CENELEC to speed up their harmonized technical standards for AI systems. Will that be enough to provide legal clarity any time soon? I am somewhat unconvinced. But at least my colleagues in legal practice will rake up quite a few billable hours on that.
…to the eternal recurrence
If the AI Act’s clock keeps moving forward, timekeeping in other parts of Berlaymont seems to be moving in the opposite direction. Early in June, the European Commission presented its “Roadmap for effective and lawful access to data for law enforcement”. Coming straight out of the 1990s, the roadmap proposes measures to extend data retention—as if the recent weakening of Digital Rights Europe in order to allow retention for non-serious crimes was not enough—and enable the decryption of communications, with a series of milestones to be achieved before 2030. To the extent that achieving those timelines is feasible, they are likely to empower massive erosion of fundamental rights, especially (but not just) as various EU Member States slide towards a greater degree of surveilling citizens and third-country nationais in its territory.
In particular, it will be curious to see how the Commission will square the circle with its recent embrace of quantum technologies as an area where the EU can secure a global competitive advantage. Having just proposed a roadmap for the transition towards post-quantum cryptography—that is, the use of cryptographic algorithms that are resistant to attacks powered by quantum tech—the Commission now seems to also pursue access goals that are undermined by the additional obstacles that a successful transition would create for decryption. Some degree of technical workarounds and legal gymnastics might render those goals formally reconcilable. But, at the end of the day, one thing or the other will likely have to give. As has been the case everytime somebody comes up with a clever solution to ensure the “good guys” can break cryptography at will.
Recommendations
Sacha Alanoca and others, ‘Comparing Apples to Oranges: A Taxonomy for Navigating the Global Landscape of AI Regulation’, Proceedings of the 2025 ACM Conference on Fairness, Accountability, and Transparency (Association for Computing Machinery 2025).
Martin B Carstensen and Vivien A Schmidt, ‘Power through, over and in Ideas: Conceptualizing Ideational Power in Discursive Institutionalism’ (2016) 23 Journal of European Public Policy 318.
Eduardo Dargent Bocanegra and Gabriela Spanghero Lotta, ‘Expert Knowledge in Democracies: Promises, Limits, and Conflict’ (2025) 28 Annual Review of Political Science 115.
ETSI, ‘Guide to Cyber Security for AI Models and Systems’ (European Telecommunications Standards Institute 2025) Technical Report TR 104 128.
Riccardo Fidato and Luigi Lonardo, ‘The Foreign Affairs Aspects of the Artificial Intelligence Policy of the European Union’ (2025) 30 European Foreign Affairs Review.
Arto Lanamäki and others, ‘What to Expect from the Upcoming EU AI Act Sandboxes: Panel Report’ (2025) 4 Digital Society 42.
Henrik Nolte, Miriam Rateike and Michèle Finck, ‘Robustness and Cybersecurity in the EU Artificial Intelligence Act’, Proceedings of the 2025 ACM Conference on Fairness, Accountability, and Transparency (Association for Computing Machinery 2025).
Dominic Paulger, ‘Understanding Japan’s AI Promotion Act: An “Innovation-First” Blueprint for AI Regulation’ (Future of Privacy Forum, 5 July 2025).
Alessandra Porcari, ‘Il “principio” di neutralità tecnologica nella Transizione Verde. L’Unione Europea e la regolazione della filiera dell’idrogeno’ (Dottorato di Ricerca in Studi Giuridici Comparati ed Europei, Università di Trento 2025).
Ludek Stavinoha, Apostolis Fotiadis and Lola Hierro, ‘Frontex Unlawfully Shared Thousands of People’s Personal Data with Europol’ (Solomon, 7 July 2025).
Alina Wernick and Kristof Meding, ‘Beware! The AI Act Can Also Apply to Your AI Research Practices’ (arXiv, 3 June 2025).
Opportunities
The OECD’s Directorate for Public Governance is looking for a Policy Analyst to work on matters of agile governance, better regulation in the digital age and the ilk. No deadline is specified, but the job description mentions written tests/video-recorded interviews are foreseen in August 2025.
For the German speakers out there, Sandra Wachter is hiring teaching assistants for her course on „Recht für Ingenieure" with a focus on EU digital law. Applications for this part-time job are due by 10 August 2025.
The UK Government AI Community will hold a conference on AI in Government and Academia. The event will take place on 11 September 2025, and papers are invited by 15 August 2025.
Tilburg University is looking for a Associate Professor in Cybersecurity Law and Governance. If that could be you, send them your application by 24 August 2025.
The GrUE - Groupe de recherche sur l'Union européenne at the University of Strasbourg will host a workshop on 2-3 December 2025 on ‘(De)regulation: an interdisciplinary look at changes in EU government’. Proposals for papers are due by 1 September.
Last but not least, an otter
Thanks for your attention! Hope you found something interesting above, and please consider subscribing if you haven’t done so already:
Do not hesitate to hit “reply” to this email or contact me elsewhere to discuss some topic I raise in the newsletter. Likewise, let me know if there is a job opening, event, or publication that might be of interest to me or to the readers of this newsletter. Hope to see you next time!
A bit like my usual one, but a bit less nasal.
As somebody who is usually more market-friendly than my peers, I am not unsympathetic to the idea of reducing the reach of regulation. And I certainly believe that some of those regulations, in particular the AI Act, are hot messes that could be made simpler to interpret and implement. Still, the early signs of what that de-regulation entail are not particularly encouraging, as they seem to be geared towards creating the impression of a leaner framework by removing the mandatory character of things that regulatees will need to do anyway in order to fully discharge their obligations (see, e.g., the discussion on eliminating certain GDPR reporting requirements).