Welcome to April's Algorithm Governance Roundup. In this month's Community Spotlight, AWO's Laureline Lemoine discusses the European Commission’s first non-compliance decision under the Digital Services Act (DSA), which imposed a €120 million fine on X. Laureline explains the Commission’s infringement findings, its evidentiary approach, and what it means for civil society organisations. This follows Laureline’s webinar on the topic with EU DisinfoLab.

As a reminder, we take submissions: we are a small team who select content from public sources. If you would like to share content please reply or send a new email to algorithm.newsletter@awo.agency. Our only criterion for submission is that the update relates to algorithm governance, with emphasis on the second word: governance.

We would love to hear from you!

Many thanks and happy reading!

Esme Harrington and Laureline Lemoine

In the EU, the European Parliament and the Council failed to reach an agreement on the Digital Omnibus on AI. A key point of disagreement is the proposal to remove industrial AI already subject to machinery regulations from the scope of the AI Act.

The European Commission (EC) has announced that its age verification app is ready for deployment. However, security researchers reportedly identified vulnerabilities in the software within hours of the announcement. While the EC will recommend that Member States adopt the app, several have indicated a preference to use their own existing applications.

Google has filed a legal challenge against the EC over the methodology used to count users of its Google Shopping service under the DSA. The case centres on the EC’s refusal to revise the service’s status despite Google’s arguments regarding the user-count methodology.

The EC has sent Google preliminary findings setting out proposed measures to comply with the Digital Markets Act (DMA). Under the measures, Google should allow third party search engines to access search data – such as ranking, query, click and view data – on fair, reasonable and non-discriminatory terms.

The EC has issued Meta a further charge sheet on interim measures to reverse exclusion of third-party AI assistants from WhatsApp. Previously, the EC sent a Statement of Objections setting out its preliminary view that Meta breached EU competition rules by excluding third-party assistants from accessing and interacting with users on WhatsApp.

The EC has published a draft Delegated Act on data centres under the Energy Efficiency Directive. This establishes a framework for rating data centres across Europe. From August 2027, every data center will be required to carry a label rating both its power and water use from A to G.

In France, the government has notified the EC of its law restricting children’s access to social media. The notified law prohibits under-15s from accessing social media platforms identified as harmful to children’s development. The blacklist of platforms will be issued by the Minister for Digital Affairs in consultation with ARCEP, the telecoms regulator. The EC has until 10 July to examine the law and determine whether it is compatible with EU law.

In Denmark, advocacy group SOMI has filed a class action lawsuit against Meta on behalf of minors, alleging that Facebook and Instagram are designed to be addictive and expose children to harm. The claim cites breaches of EU and national law, including the GDPR and DSA, and seeks platform design changes, stricter age verification and compensation for affected users.

In the UK, Ofcom has launched a formal investigation into Telegram under the Online Safety Act (OSA), following evidence that child sexual abuse material (CSAM) is being shared on the app. Ofcom has also opened investigations into Teen Chat and Chat Avenue in relation to the risk of those sites being used to groom children.

Ofcom has issued formal information requests to 30 providers, covering 43 online services, for their year-two illegal content and children’s risk assessments under the OSA. Providers must assess and mitigate the risk of users encountering illegal content and of under-18s being exposed to harmful material. Responses are due by 31 July and failure to provide a sufficient response may result in enforcement action.

The Information Commissioner’s Office (ICO) has opened a consultation on draft guidance about automated decision-making including profiling. The updates follow the introduction of the Data (Use and Access) Act 2025. The consultation deadline is 29 May.

The UK AI Security Institute (AISI) has published a technical analysis of Anthropic's Mythos model. AISI received early access to the model and found it is capable of autonomously attacking small, weakly defended enterprise systems where network access has already been obtained, but was unable to assess its effectiveness against well-defended systems. Anthropic has only made Mythos available  to a limited number of technology partners, citing its advanced capability to identify and exploit cybersecurity vulnerabilities.

In the US, the Attorney General of Florida has launched a criminal investigation into OpenAI. This follows prosecutors’ initial review of the chat logs between ChatGPT and the individual who was responsible for a shooting at Florida State University in 2025.

Seven families have also filed lawsuits against OpenAI in California court. The lawsuits, brought by the families of victims killed or injured in the Canadian Tumbler Ridge mass shooting, allege that the company and executives were negligent and aided and abetted the attack. The lawsuits allege that the shooter had discussed gun violence scenarios with ChatGPT, that these were flagged to OpenAI's safety team, and that the safety team sought to report the individual to local police but was overruled by senior leadership.

The Governor of California has issued an executive order establishing AI standards for state procurement. Companies must demonstrate they have responsible use policies covering exploitation or distribution of illegal content, bias, and violations of civil rights and free speech, and must also comply with privacy and security standards. The order also directs the California Department of Technology to develop recommendations for watermarking AI-generated content.

2026 AI Index Report, Stanford Institute for Human-Centered Artificial Intelligence

AI Agents Under EU Law, Luca Nannini, Adam Leon Smith, Michele Joshua Maggini, Enrico Panai, Sandra Feliciano, Aleksandr Tiulkanov, Elena Maran, James Gealy and Piercosma Bisconti

Alignment Whack-a-Mole: Finetuning Activates Verbatim Recall of Copyrighted Books in Large Language Models, Xinyue Liu, Niloofar Mireshghallah, Jane C. Ginsburg, Tuhin Chakrabarty

Ask Don't Tell: Reducing Sycophancy in Large Language Models, Magda Dubois, Cozmin Ududec, Christopher Summerfield, Lennart Luettgau, UK AI Security Institute

Beware of Geeks Bearing Gifts: Building True EU Frontier AI Sovereignty, Nick Moës, Toni Lorente, Amin Oueslati, Jonathan Schmidt, Robin Staes-Polet and Radina Kraeva, The Future Society

Bystanders and Reporters: Who Acts Against Illegal Online Content? Friederike Quint, Yannis Theocharis, Spyros Kosmidis and Margaret E. Roberts

Cambridge Commentary on EU General-Purpose AI Law, Leverhulme Centre for the Future of Intelligence at the University of Cambridge and the Institute for Law & Al

Civil Disobedience in Digitally Networked Spaces: Migrant Protest, Criminalisation and International Human Rights Standards, Lila Schwab and Francesca Fanucci, European Center for Not-for-Profit Law

Data Not Found: Social Media Data Transparency for Information Integrity, R. Marie Santini, Hugo Leal, Débora Salles, Adriano Belisário, Bruno Mattos, Danielle Pinho, Anita Cuteanu, Raphael Hernandes, Fernando Ferreira, Felipe Grael, João Gabriel Haddad, Lucas Murakami, Rafael Cardoso, Vinicius Branco, Minderoo Centre for Technology and Democracy and NetLab UFRJ

Harassment as Infrastructure: How Telegram’s Design Enables TFGBV, Dr. Silvia Semenzin, Natalie Kerby, Miazia Schüler, Salvatore Romano, Mario Baldi and Katya Viadziorchyk, AI Forensics

Human Rights and Artificial Intelligence: Handbook of the Steering Committee for Human Rights, Council of Europe

Indonesia and the Politics of Platform Governance, Irma Garnesia, Global Voices

Observations on the General Scheme of the Regulation of Artificial Intelligence Bill 2026, Coimisiún na hÉireann um Chearta an Duine agus Comhionannas

Open-World Evaluations for Measuring Frontier AI Capabilities, Sayash Kapoor and Arvind Narayanan

Momentum for Age-Appropriate Design Grows Across Latin America, 5Rights Foundation

Navigating the Future: A Landscape Review of AI in Career Guidance for Young People, Emily Tanner and Renate Samson, Ada Lovelace Institute and Nuffield Foundation

Recent Methodologies on AI and Labour: A Desk Review, Dr Eleni Papagiannaki and Joana Geisler, Institute for the Future of Work

Why Bans Fail: Tipping Points and Australia’s Social Media Ban, Leonardo Bursztyn, Angela Duckworth, Rafael Jiménez-Durán, Aaron Leonard, Filip Milojević, Christopher Roth, and Cass R. Sunstein, University of Chicago Becker Friedman Institute for Economics

The UK Information Commissioner’s Office is hiring a Director of Technology Regulation to provide strategic, visible and authoritative leadership across the ICO’s Technology directorate. The role is hybrid and based out of the Manchester office.

CurrentAI is hiring an Interim Chief of Staff to focus on strategic alignment, leadership team effectiveness and CEO leverage. The role operates at the intersection of strategy, communication, design, and relationship management.

Laureline Lemoine is a Senior Associate at AWO. We discussed the European Commission’s first non-compliance decision under the Digital Services Act (DSA) against X. This follows Laureline’s webinar on the topic with EU DisinfoLab.

Laureline: In December 2025, the European Commission imposed a €120 million fine on X for breaching several of the Digital Services Act’s (DSA) core obligations. This was the EC’s first formal non-compliance decision under the DSA.

The decision is significant for two main reasons. First, it marks a turning point in the enforcement of the DSA. Until now, the Commission had primarily operated in a supervisory capacity, focusing on monitoring compliance and engaging with platforms. This case signals a clear shift toward formal findings of non-compliance and the imposition of financial penalties. It is both the first non-compliance decision and the first fine issued under the DSA.

Second, it provides one of the earliest and most detailed indications of how the Commission will interpret and apply the DSA in practice. The decision therefore provides guidance not only to platforms, but also to regulators, researchers and civil society actors about what kinds of conduct will be considered non-compliant and how evidence will be assessed.

The case focuses on three specific areas: the misappropriation of X’s blue checkmark and account verification system, the functionality of its advertising repository, and its approach to providing data access to researchers. These are all central elements of the DSA’s broader framework for transparency, accountability and user protection.

At the same time, the decision has unfolded in a highly politicised transatlantic context. The DSA has become a focal point for criticism from some U.S. policymakers, who frame it as a form of censorship. European institutions have consistently rejected that characterisation, but the broader political environment is clearly influencing how these enforcement actions are perceived.

This political backdrop has shaped how the decision has been received and even how it became public. Notably, the full decision has not yet been officially published by the Commission and only became accessible after being subpoenaed and released by the U.S. House Judiciary Committee.

Laureline: The Commission identified three main infringements, all of which relate to provisions that it considers “self-executing”: Article 25(1) on interface design, Article 39 on ad repositories and Article 40(12) on researcher access to data.

The first infringement concerns Article 25(1) and X’s blue checkmark and verification system. Historically, the blue checkmark signified that an account had been verified as authentic and notable such as public figures, journalists and organisations. Under X’s new model, the checkmark is tied to a paid subscription. The Commission found that this redesign misappropriates the historical meaning of the verification badge and departs from cross-industry standards, thereby misleading users about the authenticity and reliability of accounts.

The Commission’s reasoning is particularly detailed here. It points to the persistence of legacy visual cues, the lack of clear information about the meaning of the badge, and the role of algorithmic amplification in promoting paid accounts. It also highlights evidence that malicious actors were able to exploit the system, including in areas such as financial fraud.

The second infringement concerns Article 39, which requires very large online platforms to provide a functional and accessible ad repository. The Commission found that X’s repository was effectively unusable: it lacked meaningful search functionality, did not allow multi-criteria queries, omitted required information, and suffered from reliability issues. These shortcomings undermined the very purpose of the provision, which is to ensure transparency around online advertising.

The third infringement relates to Article 40(12), which governs access to platform data for researchers. The Commission found that X dismantled its previous academic access programme and replaced it with a restrictive and largely ineffective system. It imposed fees, applied overly narrow eligibility criteria, rejected the vast majority of applications, and failed to provide meaningful communication or justification for those rejections.

Laureline: This case focuses on relatively “easy” and straightforward infringements as these provisions are self-executing. This means infringements are clear, can be factually well-documented, and legally unambiguous, which is not the case for all DSA provisions. For example, the risk assessment obligation under Article 34 presents greater complexity.

On this basis, the Commission explicitly rejected X’s argument that the absence of detailed guidance created legal uncertainty. The Commission emphasised that its power to issue guidance is discretionary, and that these ‘self-executing’ provisions are binding as written and do not depend on further clarification.

The Commission adopted a proportional approach to the evidence, arguing that this category of obligation should not require an excessive burden of proof, drawing on analogies with consumer protection law, where misleading practices can be assessed based on the perspective of the average user, without requiring exhaustive technical evidence. At the same time, the Commission stressed that evidence must be methodologically sound and factually relevant. It relied on a combination of its own observations, expert input, platform documents and third-party research. Notably, civil society reports, complaints and interviews played a significant role in supporting its findings.

The Commission used this framing to justify a relatively assertive enforcement posture. It found that X acted intentionally or, at a minimum, negligently, stressing that a platform of its size and experience cannot claim ignorance of clear legal obligations. This finding was central to the imposition of a financial penalty.

In calculating the €120 million fine, the Commission drew on established principles from EU competition law, including the concept of a “single economic unit.” This allowed it to take into account the broader corporate structure surrounding X, rather than limiting the assessment to a single legal entity. It also assessed the seriousness of the infringements by reference to their nature, scope, and impact. It found that the interface design infringement was particularly serious because it directly deceives users, while the other infringements undermined the effectiveness of the DSA as a whole. It also considered the widespread use of X in the EU and the need for deterrence.

This approach has important implications. It suggests that, at least for certain types of infringements, the Commission is willing to act decisively on the basis of publicly observable evidence. It also confirms that external actors, such as researchers and civil society organisations, can meaningfully contribute to enforcement.

Procedurally, the case now moves to the EU courts, as X has appealed the decision. This process is likely to take significant time. In the meantime, X is required to comply with the decision, and already paid the fine or provided a financial guarantee. The Commission also retains the power to impose periodic penalty payments if X fails to comply, and in extreme cases, to pursue further enforcement measures. However, some of these more drastic tools, such as access restrictions, are subject to very high thresholds and are unlikely to be used in this context. A last-resort enforcement measure such as a ban can only be deployed for criminal offences posing a threat to life or safety of persons, which is not the case for the infringements in this case.

Laureline: This decision demonstrates that the Commission can identify and sanction clear violations using relatively accessible forms of evidence.

It also highlights the importance of selecting cases strategically. By focusing on provisions that are self-executing and factually straightforward, the Commission was able to establish an early precedent without becoming entangled in more complex or contested areas of the law.

Another important implication concerns the role of third parties. The decision shows that civil society organisations and researchers can play a meaningful role in enforcement by documenting non-compliance and providing methodologically sound evidence. Because these types of infringements are observable without access to confidential data, external actors can help bridge the information gap between platforms and regulators.

At the same time, the case raises open questions about the future of DSA enforcement. It remains to be seen how the courts will respond to the Commission’s reasoning, how the Commission will approach more complex obligations, and whether enforcement will remain consistent in a politically charged environment.