Weekly AI Governance Brief: 15-21 June 2026
Bringing you the latest developments in the AI governance world.
AI Act Advisory Forum holds its inaugural session
On 19 June 2026, the European Commission recorded the inaugural session of the AI Act Advisory Forum. The Forum is the general advisory body to the Commission and the AI Board under Article 67 of the AI Act.
According to the Commission’s AI Act Advisory Forum page, the Forum has 174 members selected from more than 700 applications. Its membership spans civil society, academia and industry, including SMEs and start-ups. The Commission describes the Forum as a channel for technical expertise on implementation and standardisation issues under the AI Act.
This marks a formal governance step in the operationalisation of the AI Act. It does not itself create new obligations for providers or deployers, but it establishes one of the institutional mechanisms through which technical and implementation questions can be structured.
Why this matters
The Advisory Forum is relevant because it gives practical form to the AI Act’s implementation architecture. As implementation moves from legislative text to operational practice, questions around technical standards, interpretation and institutional coordination require formal channels.
For organisations, the Forum matters less as an immediate compliance trigger than as part of the process through which expectations may become more concrete. Its role may affect how implementation issues are surfaced to the Commission and the AI Board, especially where technical expertise is needed to clarify how AI Act requirements should work in practice.
For regulators and public institutions, the Forum provides a structured interface with external expertise. That is relevant for standardisation, guidance development and the broader coordination of AI Act implementation.
CJEU clarifies the meaning of “public undertaking” under the Open Data Directive
On 18 June 2026, the Court of Justice of the European Union issued its judgment in Case C-575/24, Vodovody a kanalizace Přerov, a.s. v Úřad pro ochranu osobních údajů. The case concerned the interpretation of “public undertaking” under Article 2(3) of Directive (EU) 2019/1024, the Open Data Directive.
The Court held that the concept of “public undertaking” covers an undertaking over which several public sector bodies may jointly exercise a dominant influence. It also held that, for the presumption of dominant influence to apply, it is not necessary to examine whether those public sector bodies act in concert or share common interests.
The judgment links this interpretation to the Directive’s objective of broadly exploiting public sector information, including in the context of advanced digital technologies such as AI.
Why this matters
This is a data-governance clarification with potential relevance for AI and data-driven services. The judgment may widen the range of mixed-ownership or jointly controlled entities that fall within the Open Data Directive’s perimeter.
That matters because the classification of an entity as a public undertaking can affect access, re-use and licensing conditions for certain datasets. Where public-interest information is used to support AI systems or data-driven services, the legal perimeter of the Open Data Directive can shape operational access to data.
The judgment is also institutionally relevant because it clarifies that joint public influence can be sufficient without a separate inquiry into shared intention among public bodies. This gives a broader reading to the Directive’s scope, consistent with the Court’s emphasis on the exploitation of public sector information.
UK brings remaining DUAA data-protection provisions into force and updates regulator guidance
On 19 June 2026, the United Kingdom completed the commencement of the remaining data-protection provisions in the Data (Use and Access) Act 2025. The relevant commencement regulations brought the remaining provisions into force on that date.
The Information Commissioner’s Office stated that, as of 19 June 2026, all data-protection provisions in the Act are in force. The ICO also updated its organisation-facing guidance on the Data Use and Access Act 2025. According to the ICO, the updates include material on ICO powers. The ICO’s guidance pages on AI and individual rights were also updated to reflect the post-DUAA framework, including pages dealing with automated decision-making.
This is both a statutory commencement step and a regulator guidance update. The primary legal change comes through the commencement regulations, while the ICO guidance explains how the regulator presents the updated framework to organisations.
Why this matters
For organisations deploying or procuring AI systems in the UK, this is a concrete compliance milestone. The relevant data-protection framework is no longer only a legislative change awaiting full commencement. It is now in force and reflected in ICO guidance.
The practical relevance is especially clear where AI systems interact with individual rights, automated decision-making or data-processing governance. Organisations operating in the UK now need to understand the post-DUAA framework as an active compliance environment.
The update also matters institutionally because the ICO has aligned its guidance with the live framework. Regulator-facing expectations are therefore being translated into materials that organisations are likely to use when assessing their own data-protection practices.
Canada enacts criminal-law reforms covering sexual deepfakes and platform reporting
On 18 June 2026, Canada’s Bill C-16 received Royal Assent. According to the Department of Justice Canada backgrounder on the Protecting Victims Act, the reforms expand the offence concerning non-consensual distribution of intimate images so that it explicitly applies to non-consensual sexual deepfakes.
The reforms also make it illegal to threaten to distribute intimate images, including sexual deepfakes. The maximum penalty on indictment is increased to 10 years.
The same legislative package amends the Mandatory Reporting Act. The Department of Justice states that the amendments clarify that the Act applies to online platforms and social media services with a connection to Canada. The reforms also increase the preservation period for relevant computer data from 21 days to 12 months and enable annual reporting by the designated law-enforcement body.
Why this matters
This is a material legal development for platforms, intermediaries and service providers handling synthetic intimate content. It brings sexual deepfakes explicitly within the criminal-law framework on non-consensual intimate images.
The operational relevance lies in abuse-response, reporting and preservation workflows. Platforms with a connection to Canada may need to account for longer preservation periods and clearer reporting expectations under the amended framework.
For AI governance, the development is significant because it treats certain synthetic content harms as a matter of criminal law and platform compliance, not only content moderation policy. It also shows how deepfake governance is being integrated into existing legal frameworks dealing with image-based abuse.
G7 leaders endorse child-safety measures addressing conversational AI and synthetic content
On 17 June 2026, G7 leaders released the Leaders’ Call on a Safer Digital Space for Minors through the Council of the EU summit documentation. The document is a joint political declaration rather than binding law.
The leaders called for digital services to embed risk management, assessment and mitigation. The text also supports effective age-assurance mechanisms and default safety settings for children and youth.
The declaration addresses conversational AI tools directly. It states that providers should make such tools safer for minors in a timely manner. It also supports stronger measures to help users distinguish authentic from synthetic content and understand provenance.
The leaders further state that the prohibition of child sexual abuse material and non-consensual intimate imagery, including deepfakes, is a non-negotiable principle in the development and deployment of AI systems and digital services. Ministers were asked to assess progress by the end of the year.
Why this matters
Although the Leaders’ Call is not legally binding, it is a relevant cross-jurisdictional governance signal. It identifies child safety, conversational AI and synthetic-content transparency as areas of shared concern among G7 leaders.
For organisations, the practical relevance is that AI safety for minors is being framed through service design, content provenance and abuse prevention. These are operational issues, not only policy commitments.
For regulators and policymakers, the text indicates a common vocabulary around age assurance, default safety settings and deepfake controls. It also places conversational AI tools within the scope of child-safety governance, rather than treating them as separate from wider digital-service regulation.
Rhode Island Supreme Court adopts interim generative-AI guidance for legal practice
On 17 June 2026, the Rhode Island Supreme Court issued an order titled “In re Amendments to Article V, Rule 1.1 of the Supreme Court Rules (Professional Conduct) and Adoption of Interim Generative AI Guidelines”. The order amends professional-conduct rules and adopts interim guidance on the use of generative AI.
The published order includes guidance for lawyers using generative AI tools. It also includes interim guidance for judicial officers. The text frames the guidance as direction for using generative AI consistently with professional responsibilities under the Rules of Professional Conduct and the Code of Judicial Conduct.
The order also notes that even a single incorrect citation may require reporting in appropriate circumstances.
Why this matters
This is a concrete example of courts moving from general warnings about generative AI toward formal professional-governance instruments. It is relevant for legal teams, outside counsel and litigation functions that use AI tools in legal work.
The practical compliance issue is verification. The order connects generative AI use to professional duties, including competence and candour. That makes AI use a matter of professional responsibility, not only internal technology policy.
For organisations, the development is relevant where legal work is supported by generative AI. It reinforces the need for review processes around AI-generated legal materials, especially where citations, filings or representations to courts are involved.
Looking ahead
The developments this week show AI governance continuing to move through formal institutions. In the EU, the AI Act Advisory Forum and the CJEU judgment both concern the structures that shape implementation and data access. Outside the EU, the UK commencement step shows a revised data-protection framework becoming operational, while Canada’s reforms and the G7 declaration focus on synthetic content harms and child safety. The Rhode Island order adds a professional-governance example from the legal sector.
Across the week, the common pattern is not a single regulatory model. It is the translation of AI-related concerns into existing institutional channels, including courts, regulators, professional bodies and international political processes.
Sources
European Commission — AI Act Advisory Forum
https://digital-strategy.ec.europa.eu/en/policies/ai-advisory-forum
European Commission — AI Act Advisory Forum kick-off meeting
https://digital-strategy.ec.europa.eu/en/news/ai-act-advisory-forum-convenes-its-kick-meeting
EUR-Lex — CJEU judgment, Case C-575/24, CELEX 62024CJ0575
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A62024CJ0575
UK ICO — Data Use and Access Act 2025: what it means for organisations
https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-what-does-it-mean-for-organisations/
UK legislation.gov.uk — Data Use and Access Act 2025 Commencement No. 6 Regulations 2026
https://www.legislation.gov.uk/id/uksi/2026/82
UK legislation.gov.uk — Regulation 3, provisions coming into force on 19 June 2026
https://www.legislation.gov.uk/uksi/2026/82/regulation/3/made
ICO — Rights related to automated decision-making including profiling
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/
ICO — Guidance on AI and data protection
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/
Department of Justice Canada — Protecting Victims Act / Bill C-16 backgrounder
https://www.justice.gc.ca/eng/csj-sjc/pl/c16/index.html
Council of the EU / G7 — Leaders’ Call on a Safer Digital Space for Minors, PDF
https://www.consilium.europa.eu/media/32fnosbz/leader-s-call-on-a-safer-digital-space-for-minors.pdf
Council of the EU — G7 Leaders’ Joint Statements, Evian, France, 16 to 17 June 2026
https://www.consilium.europa.eu/en/press/press-releases/2026/06/17/g7-leaders-joint-statements-evian-france-16-17-june-2026/
Rhode Island Judiciary — Supreme Court order on Rule 1.1 and Interim Generative AI Guidelines
https://www.courts.ri.gov/Miscellaneous%20Orders/Supreme-2026-06_In_reAmendments_Article_V_Rule_1_1_Professional_Conduct.pdf
Rhode Island Judiciary — Opinions, Decisions, and Orders page
https://www.courts.ri.gov/Pages/ood.aspx