Writing
Everything Michael K. Onyekwere, CIPP/E has published on CompanyScope — vendor compliance profiles, cross-vendor topic guides, and head-to-head comparisons. Each artifact is dated and refreshed on a quarterly cadence.
Register entry
AIR-2026-006: Garante v Luka: Italy's €5M fine on the Replika chatbot for processing without a legal basis
Italy's data protection authority fined Luka Inc., the US maker of the Replika 'AI companion' chatbot, €5 million for running the service without a valid legal basis, with an inadequate privacy notice, and with no age verification despite barring minors. It is the clearest crystallised-liability entry in the register so far: a regulator naming the duty, the breach, and the penalty, and reserving the harder question of how the model was trained for a separate case.
Last reviewed 2026-07-11
Register entry
AIR-2026-005: Ayinde v Haringey: the UK High Court on lawyers who filed AI-fabricated case law
A Divisional Court of the King's Bench heard two cases together in which lawyers put fabricated, AI-generated case authorities before the court. The ruling sets the UK position plainly: a lawyer is responsible for the accuracy of everything they file, whatever tool produced it, and AI output must be checked against primary sources before it is relied on. It is the professional-accountability counterpart to Moffatt (the agent's output is the principal's responsibility), applied to the people who answer to a regulator.
Last reviewed 2026-07-09
Register entry
AIR-2026-004: EchoLeak: a zero-click exfiltration path demonstrated through Microsoft 365 Copilot
Security researchers showed that a single crafted email could make Microsoft 365 Copilot exfiltrate data from a user's context with no click, the first zero-click attack demonstrated in a widely used generative-AI product. Microsoft fixed it server-side before any real-world exploitation. This entry analyses the liability the technique would have created had it been used against personal data, and why a stack of guardrails that are each individually bypassable does not add up to a defence.
Last reviewed 2026-07-09
Register entry
AIR-2026-003: Moffatt v Air Canada: the airline bound by its chatbot's invented policy
A tribunal held Air Canada liable for negligent misrepresentation after its website chatbot invented a bereavement-fare policy that contradicted the airline's own policy page. The decision rejected what the tribunal characterised as the suggestion that the chatbot was 'a separate legal entity responsible for its own actions': the foundational allocation ruling every agent deployment now has to reckon with.
Last reviewed 2026-07-09
Register entry
AIR-2026-002: Salesloft Drift: stolen agent credentials open more than 700 Salesforce estates
An attacker compromised the vendor behind the Drift AI chat agent and stole the OAuth tokens the agent held for customer integrations, then used those tokens to pull support-case data out of Salesforce instances at more than 700 organizations. No Salesforce vulnerability was involved. The breach is the defining demonstration that an agent's standing credentials are a liability surface the deploying organization owns, wherever the vendor stores them.
Last reviewed 2026-07-09
Register entry
AIR-2026-001: Replit's coding agent deletes a production database during a code freeze
During an explicit code-and-action freeze, Replit's autonomous coding agent ran destructive commands against a live production database, wiping records on 1,206 executives and 1,196+ companies, then told the user rollback was impossible. The data was recovered the next day. The incident is the cleanest public illustration yet of who carries the risk when a natural-language instruction is the only control standing between an agent and production data.
Last reviewed 2026-07-09
Vendor profile
Microsoft 365 Copilot compliance: GDPR, AI Act, DPA, training, transfers
Embedded productivity AI — CIPP/E-reviewed compliance profile.
Last reviewed 2026-06-30
Vendor profile
Google Gemini compliance: GDPR, AI Act, DPA, training, transfers
General-purpose AI / LLM API — CIPP/E-reviewed compliance profile.
Last reviewed 2026-06-29
Vendor profile
Perplexity compliance: GDPR, AI Act, DPA, training, transfers
AI search / RAG-first answer engine — CIPP/E-reviewed compliance profile.
Last reviewed 2026-06-28
Vendor profile
Anthropic compliance: GDPR, AI Act, DPA, training, transfers
General-purpose AI / LLM API — CIPP/E-reviewed compliance profile.
Last reviewed 2026-06-26
Vendor profile
OpenAI compliance: GDPR, AI Act, DPA, training, transfers
General-purpose AI / LLM API — CIPP/E-reviewed compliance profile.
Last reviewed 2026-06-25
Topic guide
HIPAA for AI tools: what a Business Associate Agreement actually covers
Healthcare buyers reading the HIPAA position on AI vendors. Which vendors sign BAAs, on which tiers, and what the BAA does and does not cover for AI deployments. CIPP/E-reviewed.
Last reviewed 2026-06-23
Topic guide
EU AI Act for AI buyers: what you actually have to do
Deployer-side guide to the EU AI Act for buyers procuring AI tools. Role classification, risk tier, the 2027-12-02 high-risk postponement, and where each major vendor sits. CIPP/E-reviewed.
Last reviewed 2026-06-16
Topic guide
DPA for AI vendors: what to actually check before you sign
Buyer-side reference for the AI vendor DPA. What clauses matter, what defaults bite, and where the six biggest vendors land on each. CIPP/E-reviewed.
Last reviewed 2026-05-30
Vendor comparison
Copilot 365 vs Google Workspace AI: compliance comparison for enterprise buyers
Side-by-side compliance read on Microsoft 365 Copilot and Google Workspace Gemini for enterprise procurement. Tenant model, training defaults, EU Data Boundary, BAA, AI Act deployer obligations. CIPP/E-reviewed.
Last reviewed 2026-05-30
Vendor comparison
ElevenLabs vs other voice AI vendors: DPA comparison for compliance buyers
Buyer-side compliance comparison of ElevenLabs against the broader voice AI category. DPA, voice-clone consent regime, deepfake labelling under the EU AI Act, training defaults, BAA position. CIPP/E-reviewed.
Last reviewed 2026-05-30
Vendor comparison
Gemini vs Vertex AI: compliance comparison for Google buyers
Two Google AI surfaces with materially different compliance pictures. Workspace Gemini for office productivity, Vertex AI for developers and integrations. Tenant model, region commitments, BAA, model-garden subprocessor exposure. CIPP/E-reviewed.
Last reviewed 2026-05-30
Vendor comparison
OpenAI vs Anthropic DPA: side-by-side compliance read for buyers
Head-to-head DPA comparison between OpenAI and Anthropic for commercial API and enterprise buyers. Training defaults, retention, ZDR, subprocessors, EU transfers, consumer-tier exposure. CIPP/E-reviewed.
Last reviewed 2026-05-30
Vendor comparison
OpenAI vs Copilot enterprise compliance: which one for procurement
Buyer-side compliance comparison of ChatGPT Enterprise and Microsoft 365 Copilot for enterprise procurement. Tenant model, training defaults, EU Data Boundary, BAA, AI Act deployer obligations, subprocessor exposure. CIPP/E-reviewed.
Last reviewed 2026-05-30
Vendor comparison
Perplexity vs ChatGPT for regulated industries: compliance comparison
Comparison of Perplexity and ChatGPT for buyers in financial services, healthcare, legal, and other regulated industries. Tier eligibility, source-citation evidence trail, training defaults, BAA position. CIPP/E-reviewed.
Last reviewed 2026-05-30
Vendor profile
ElevenLabs compliance: GDPR, AI Act, DPA, training, transfers
AI voice synthesis / voice cloning — CIPP/E-reviewed compliance profile.
Last reviewed 2026-05-02
Looking for ongoing AI compliance support behind the published research? Janus DPO-as-a-Service is the practice. About Michael covers the credentials.