Europe had a strange 48 hours. An Amsterdam court threatened xAI with 100,000 euros a day in fines. The EU Parliament voted to let CSAM scanning effectively go dark. The European Commission confirmed a breach of its AWS cloud environment. The Dutch police disclosed they got phished.
You can read that as chaos. It’s also just an honest snapshot of where things stand.
The Grok ruling is the cleanest story. A Dutch court issued a preliminary injunction: xAI can’t generate or distribute sexual images of people without their explicit consent, backed by daily fines up to 10 million euros total. xAI “categorically rejected” the claims, which is language companies use when they’re planning to fight something. The case continues. But a European court just told an AI company what its model can produce, with financial teeth attached.
The CSAM vote is harder to frame. Parliament voted 311 to 228 to not extend a temporary ePrivacy derogation that allowed voluntary CSAM scanning. That derogation expires April 3. After that, platforms may face legal exposure for detecting child sexual abuse material at all. Detection could go dark across the EU.
The coalitions were unusual. Privacy advocates and encryption proponents pushed to block extension. On the other side: German Chancellor Merz, law enforcement, Meta, and Google. The “extend” team included some of the most prominent surveillance advocates in tech. The “block” team was worried about encryption getting gutted as a side effect. Neither side is wrong about the specific thing they’re worried about. The vote didn’t resolve the underlying tension. It just moved the deadline.
Then the Commission disclosed it was breached through its Amazon cloud environment. The attacker claims 350 GB stolen. The Commission confirmed the attack, not that figure. The irony: the EU body that regulates American tech companies runs significant infrastructure on an American tech company’s cloud. That’s common across governments worldwide. It’s a particular kind of exposure when regulator and regulated share infrastructure and the regulator just got hit through it.
The Dutch police then disclosed a phishing-linked breach. “Limited” impact. Citizens’ data “not affected.” They have a dedicated cybersecurity training program. They still got phished.
Regulatory posture and organizational security are different things. Having one doesn’t confer the other. That’s not a contradiction. It’s just how large institutions work, and this week made it unusually visible.
The full picture: Grok fines, CSAM votes, a Commission breach, and what it all adds up to