AI Deadline | Thursday 21 May 2026
Things moving through AI regulatory pipelines that will matter in the next 3 to 6 months
🔴 Act now
The ICO's consultation on automated decision-making closes in eight days, at 23:59 on May 29.
Two editions ago, this was in "Heads up" with 22 days to go. It's here now because eight days go fast if you haven't started.
This is the first detailed interpretation of what the Data (Use and Access) Act actually requires from companies using AI to make or assist decisions about individuals. Whatever the ICO finalises becomes your compliance floor for UK data protection on automated decisions. Hiring tools, credit scoring, content moderation, benefits assessment, and customer pricing. If your product touches individual-level decisions for UK users, this guidance addresses you.
The ICO's own "Recruitment Rewired" research, published alongside the consultation, found that many employers using AI hiring tools are making "solely automated decisions" without realising it. The definition is broader than most people expect. A CV-scoring system that shortlists candidates without meaningful human involvement qualifies. That triggers rights to explanation and human review under the reformed UK GDPR. If you're building in hiring or similar contexts, you need to know which category your product falls into before final guidance lands.
The draft guidance covers three things in practice: what transparency notices you need to give users when AI is making or informing decisions, when you're required to offer human review and what documentation you're expected to keep. None of this is impossible to comply with. Most of the work is about being explicit in your product design and maintaining records of how decisions are made.
Responding to a consultation isn't a big lift. Reading the draft takes a few hours. Submitting a response through ico.org.uk takes a bit more. The window is eight days. If you use AI in decisions about individuals and you haven't engaged with this, that's the thing to do this week.
🟡 Heads up
🇪🇺 EU | Article 50 transparency guidelines consultation closes June 3
On May 8, the Commission published its draft guidelines on transparency obligations under Article 50 of the AI Act. Thirteen days until the consultation closes. The 40-page document from the AI Office is the first official interpretation of what Article 50 actually requires: disclosure when users interact with AI systems, machine-readable labelling for AI-generated content and what deployers must tell individuals exposed to deepfakes or emotion recognition systems. Non-binding, but it will guide enforcement from August 2 and set expectations for market surveillance authorities. If your product generates content, powers chatbots or interfaces with individuals, read it. Respond if you think the Commission has got something wrong. The targeted consultation form is on the Commission's digital strategy site.
🇪🇺 EU | The Omnibus delay still isn't law
The political agreement reached on May 7 has not been published in the Official Journal. Until it is, none of the amended dates is legally operative. Formal Parliament and Council endorsement, then publication, takes two to three months from a provisional agreement. A May 7 deal lands in the Official Journal in July or August at the earliest. For high-risk AI companies counting on the December 2027 extension to protect them from August 2, that extension needs to be in the Official Journal before August 2. Don't stand down your compliance work on the assumption that the delay is already in force. And GPAI obligations under Articles 51-55 weren't moved by the Omnibus at all. That August 2 date was always yours.
In focus
🇪🇺 | The EU's new high-risk classification guidelines: the 148-page answer to the question founders keep getting wrong
On May 19, two days ago, the Commission published its draft guidelines on classifying high-risk AI systems under Article 6 of the AI Act. The consultation runs until June 23. If you haven't determined whether your product is high-risk under EU law, this is the document that helps you do it. August 2 is 73 days out. The timing matters.
The classification shapes everything. High-risk AI systems face conformity assessments, human oversight requirements, registration in the EU database, and detailed record-keeping obligations. The December 2027 deadline from the Omnibus deal applies to these obligations, but only once the Omnibus is published in the Official Journal, which still hasn't happened. Until it does, August 2 is the live date.
There are two routes into high-risk status under Article 6. The first is if your AI is a safety component of a regulated product under Annex I (medical devices, machinery, aviation equipment). The second, and more relevant for most founders, is if your system falls into one of the eight Annex III use-case categories: biometric identification, critical infrastructure, education, employment, access to essential services, law enforcement, migration, or administration of justice.
Those categories sound clear until you try to apply them. An AI tool that filters job applications is high-risk. An AI writing assistant used in an HR department that doesn't inform hiring decisions probably isn't. A credit-scoring model that feeds into a lending decision is high-risk. A customer segmentation model used for marketing probably isn't, even if it processes financial data. The line runs through whether the AI influences a decision with significant effects on a specific individual.
The Commission's draft introduces a structured three-step approach: identify your system's intended purpose and outputs, assess whether that purpose falls within an Annex III category, then determine whether the system contributes to decisions with legal or similarly significant effects. If all three, you're high-risk.
That's the test. Most of the grey area lives in step three.
What the guidelines also address is the "solely a narrow procedural tool" carve-out. Data extraction layers, notification systems, and narrow infrastructure tools that don't themselves contribute to a consequential decision may sit outside high-risk classification even when used within a high-risk workflow. The guidelines give examples, but they're carefully hedged, and the examples tend to be industry-specific rather than universally applicable.
Getting classification wrong in either direction creates problems. Under-classify and you skip conformity assessments that the AI Office will check for when its supervisory mandate starts in August. Over-classify and you impose unnecessary compliance burden, potentially misrepresent your product's risk profile to customers and waste runway that could go elsewhere.
The June 23 consultation deadline is worth engaging with if your product sits in an ambiguous Annex III category. The Commission does use these responses and the guidelines that come out the other side are more useful when they address the edge cases that real products encounter. A brief submission on where the current drafting creates uncertainty for your specific use case costs relatively little and might produce clearer guidance that benefits your entire sector.
🟢 On the radar
🇺🇸 USA | Bartz v. Anthropic approaching final approval. Anthropic's supplemental brief on late opt-outs was due today. Judge Martínez-Olguín is expected to issue final approval shortly after reviewing it. The ~$3,000 per book benchmark becomes the operative reference point for training data copyright disputes once she does. Claims rate has reached 92.77%.
🇬🇧 UK | Children's online safety consultation closes May 26. Five days. AI chatbots and generative tools accessible to under-16s are in scope. Final obligations land in 2027, but if your product reaches minors, the window to respond is almost closed.
🇺🇸 USA | Connecticut SB5 awaiting governor signature. Lamont has confirmed he'll sign. Employment notification obligations kick in October 1, 2026. If you're selling hiring automation to US customers, this has been covered across the last three editions – it's effectively law now.
🇺🇸 USA | Colorado SB189 heading to Governor Polis. The legislature passed the replacement AI Act on May 12. Polis has said he'll sign. The original Colorado AI Act is dead. The new framework, requiring disclosure and human review rights when AI informs adverse decisions, takes effect January 1, 2027.
🇪🇺 EU | GPAI Code of Practice: sign it if you haven't. The AI Office has been clear that supervisory activity from August 2 will focus first on whether GPAI providers are adhering to the Code. Signatories get increased regulatory trust. If you're a GPAI provider who hasn't signed, fix that now.
The one thing to do this week
If your product makes or informs decisions about individuals for UK users, read the ICO's draft ADM guidance and respond by May 29. Eight days.
Deadline tracker
EU | GPAI model enforcement (Articles 51-55: documentation, copyright compliance, training data summaries) | 2 August 2026 | 73 days; confirmed unchanged by Omnibus deal
EU | Article 50 transparency guidelines consultation | 3 June 2026 | 13 days remaining; respond via EC digital strategy portal
EU | High-risk AI classification guidelines consultation | 23 June 2026 | Published May 19; 148-page draft under Article 6; respond via EC portal
EU | AI-generated content watermarking and labelling (Article 50) | 2 December 2026 | Moved by Omnibus from August 2; transitional period for systems already on market
EU | Nudification app ban | 2 December 2026 | New Omnibus prohibition; AI systems generating non-consensual intimate imagery must cease or comply
EU | Annex III high-risk AI systems (employment, credit, biometrics, education) | 2 December 2027 | Subject to Official Journal publication of Omnibus; August 2, 2026 remains legally binding until then
EU | High-risk AI embedded in regulated products (Annex I: medical devices, machinery) | 2 August 2028 | Moved by Omnibus; same publication caveat applies
EU | Digital Omnibus Official Journal publication | Estimated July/August 2026 | Political agreement reached May 7; formal endorsement and publication required before new dates take legal effect
USA | Bartz v. Anthropic copyright settlement | Final approval imminent | Supplemental brief due May 21; ~$3,000/book benchmark; 92.77% claims rate
USA | Connecticut AI Responsibility and Transparency Act: employment notification obligations | 1 October 2026 | Awaiting governor's signature; effectively law; hiring AI in scope
USA | Connecticut AI Responsibility and Transparency Act: companion chatbot and frontier model obligations | 1 January 2027 | Same bill; age verification, manipulative design prohibitions, minor access controls
USA | Colorado SB189 (replacement AI disclosure framework) | 1 January 2027 | Passed May 12; awaiting Polis signature; original Colorado AI Act repealed and replaced
USA | Texas TRAIGA high-risk AI obligations | 1 January 2026 | In force
USA | Oregon SB 1546 / Washington HB 2225 (AI companion chatbots) | 1 January 2027 | Advancing
UK | ICO automated decision-making consultation | 29 May 2026 | 8 days remaining; respond at ico.org.uk
UK | Children's online safety consultation | 26 May 2026 | 5 days remaining; AI tools accessible to under-16s in scope
UK | ICO Code of Practice on ADM | Late 2026 (estimated) | Draft expected after May 29 consultation closes; will interpret Data (Use and Access) Act obligations
UK | FCA Mills Review report | Summer 2026 | Incoming; AI in financial services
NOT ADVICE
