Europol denies bypassing EU data protection rules

Europol has rejected allegations that it operated a ‘secret’ or ‘shadow’ database outside the EU data protection rules.

In a new fact-check, the agency said recent reports misrepresented two long-established operational environments used to support digital investigations and online information analysis.

Europol said its Computer Forensic Network is used to analyse complex digital evidence securely in support of criminal investigations.

It also said the Internet-Facing Operational Environment is used to collect and triage publicly available online information before relevant material is transferred to Europol’s operational systems in accordance with applicable legal requirements.

The agency said neither environment was created to bypass oversight or data protection obligations.

Europol also published a timeline showing that both systems have existed for many years and have evolved alongside changes to its legal framework, governance and supervisory arrangements.

The agency said it has worked with the European Data Protection Supervisor on governance improvements, technical modernisation and safeguards, including after regulatory changes introduced in 2022.

Europol said public debate on law enforcement and privacy should be based on accurate descriptions of operational systems and their oversight.

Why does it matter?

The dispute highlights the tension between law enforcement’s need to process large volumes of digital evidence and the privacy safeguards required under the EU law. Europol’s response is important because operational data systems used in cybercrime, terrorism and serious organised crime investigations can affect fundamental rights if oversight, retention and access rules are unclear. The case also shows why transparency about investigative infrastructure matters for public trust, especially as law enforcement agencies modernise their data-processing capabilities.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Reddit expands AI moderation to combat spam and harmful content

Reddit has expanded its automated moderation systems to reduce spam, inauthentic activity and harmful content across the platform.

The company said it is using AI to detect manipulated and spam-like behaviour through new signals and faster enforcement.

Reddit said suspicious accounts can now be identified from the moment they are created, while large language models help detect coordinated fake behaviour and artificial hype that older systems may miss.

According to the company, updated automated systems are blocking 23 million spam views each day before they reach users.

They are also identifying around 25,000 new spam posts and comments daily and revoking nearly two million inauthentic votes per day.

Reddit said user exposure to spam fell by about 20% from January to March 2026 compared with the previous three months, followed by a further 10% to 15% decline in overall spam account exposure.

The company has also expanded automated enforcement against hate and violent content across all English-language text on Reddit.

The average enforcement time for such content has fallen to under 5 seconds, while enforcement actions have increased by more than 200%, according to Reddit.

The company said faster enforcement has reduced exposure to potentially harmful content by more than 40%, while false removals have also fallen by over 40%.

Reddit said AI-based tools remain part of a wider moderation model that includes site-wide safety teams, volunteer community moderators and user voting.

Why does it matter?

Reddit’s update shows how major platforms are using AI not only to generate or recommend content, but also to police authenticity, spam and harmful behaviour at scale. Faster automated enforcement can reduce user exposure before content spreads, but it also raises familiar governance questions around transparency, false positives, appeals and the balance between automation and human moderation. The company’s emphasis on layered moderation suggests that AI is becoming central to platform safety, while still depending on human teams, volunteer moderators and community signals.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

UK firms sign Cyber Resilience Pledge amid rising AI threats

The UK government has launched a voluntary Cyber Resilience Pledge, with more than 60 businesses and strategic government suppliers committing to strengthening their cyber defences.

Founding signatories include companies from retail, finance, media, technology and utilities, including M&S, Nationwide, ITV, Microsoft UK, Cloudflare, Deloitte, Accenture UK, Vodafone Group and VodafoneThree.

The pledge asks organisations to take three practical steps: make cybersecurity a board-level responsibility, register for the National Cyber Security Centre’s Early Warning service and take a risk-based approach to requiring Cyber Essentials certification across supply chains.

The government said the pledge is designed mainly for medium and large organisations, but is open to organisations of all sizes and sectors.

Signatories will be asked to publish a signed pledge letter and provide an annual update on progress.

The launch comes ahead of the government’s National Cyber Action Plan, which is expected to set out further cooperation with industry on cyber resilience in the AI era.

According to the government, cyberattacks cost UK organisations an estimated £14.7 billion a year, while the NCSC handled 204 nationally significant incidents in the year to September, up from 89 the previous year.

Officials also warned that AI is lowering barriers for attackers by helping them find software weaknesses, write exploit code and scale attacks more quickly.

Why does it matter?

The pledge elevates cyber resilience to board-level corporate governance, rather than treating it solely as an IT function. Its supply-chain focus is also important because major cyber incidents often spread through vendors, service providers and connected business partners. By linking the pledge to AI-enabled threats, the UK government is signalling that basic cyber hygiene, governance and supply-chain assurance remain essential even as attacks become faster and more automated.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Alberta uses Claude Code to review government systems

The Government of Alberta has used Anthropic’s Claude Code to review and secure provincial government systems, according to a case study published by the company. Anthropic said Alberta’s Ministry of Technology and Innovation used Claude Code with its Opus and Sonnet models to analyse code, identify vulnerabilities and support remediation.

According to Anthropic, the ministry scanned 466 million lines of code in about 20 hours, covering systems used across 27 provincial ministries. Around 50 AI agents worked in parallel to identify security vulnerabilities, infrastructure weaknesses and documentation gaps.

The ministry manages about 1,280 applications and 3,400 code repositories supporting services including social services, public safety and wildfire response. Anthropic said many had never undergone comprehensive security reviews, resulting in accumulated technical debt and incomplete documentation.

Alberta used a two-stage review process. A rules engine first identified known patterns, after which Claude Code analysed the results and cited the relevant files and lines for each finding. Anthropic said the approach uncovered issues that conventional automated scanning tools had missed.

Claude Code was also used to generate fixes, write tests where needed and assist with modernising legacy systems. Anthropic said ministry engineers reviewed and approved all proposed patches before deployment, maintaining human oversight throughout the remediation process.

Alberta also developed specialised Claude-based review agents for continuous security testing during software development. These include red-team agents that probe applications for vulnerabilities, blue-team agents that assess compliance with security standards, and additional agents that review code quality and public-facing content.

Why does it matter?

The case illustrates how governments are beginning to use AI coding agents to modernise and secure large portfolios of legacy software, an area that has traditionally required significant time and specialised expertise. If these tools prove reliable, they could help public administrations reduce technical debt, improve cybersecurity and accelerate software maintenance across critical public services.

At the same time, the deployment highlights the importance of governance in public-sector AI adoption. Alberta’s reported use of human review before implementing AI-generated changes reflects a growing emphasis on combining AI-assisted development with oversight, accountability and established security practices.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Australia records highest data breach notifications since 2018

Australia recorded its highest annual number of data breach notifications in 2025 since mandatory reporting began in 2018, according to the Office of the Australian Information Commissioner.

The regulator received 1,205 notifications under the Notifiable Data Breaches scheme in 2025, an 8% increase from 1,112 in 2024.

Organisations covered by the Privacy Act must notify the OAIC of data breaches that are likely to result in serious harm to affected individuals.

Malicious or criminal activity remained the leading cause of reported breaches, accounting for 716 notifications. Cyber hacking continued to be the main cause of reported incidents.

Health service providers were the most affected sector, reporting 225 breaches, or 19% of the annual total. Financial services, Australian government agencies, business and professional associations, education providers and legal, accounting and management services were also among the most affected sectors.

The OAIC has released a new quick reference guide to help organisations assess potential breaches, decide whether notification is required and understand how to report incidents.

Privacy Commissioner of Australia, Carly Kind, said the threat posed by data breaches to Australian businesses and organisations is substantial and rising year on year.

The regulator’s latest privacy attitudes survey also found that data breaches remain the top privacy concern for Australians, with 82% expressing concern, up from 74% in 2023.

Why does it matter?

Rising breach notifications show that data protection is becoming a persistent operational and regulatory challenge for Australian organisations. The dominance of malicious activity and cyber hacking links privacy compliance directly to cybersecurity preparedness, especially in sensitive sectors such as health. OAIC’s new guide also signals a push towards faster, clearer breach assessment and notification, which matters for affected individuals as well as regulated entities.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Sysdig reports first documented agentic ransomware case

Cloud security firm Sysdig says it has documented the first known case of agentic ransomware, after observing an AI-driven extortion operation it tracks as JADEPUFFER.

According to Sysdig, the operation began with exploiting CVE-2025-3248 on an internet-facing Langflow instance. Langflow is an open-source framework for building LLM-driven applications and agent workflows.

The attacker then pivoted towards a production database server running MySQL and Alibaba Nacos.

Sysdig said the operation was driven by a large language model rather than a traditional human-led toolkit. The agent carried out reconnaissance, credential harvesting, lateral discovery, persistence and destructive database activity.

The company said JADEPUFFER executed more than 600 distinct payloads and adapted to failures in real time. In one case, the agent moved from a failed login attempt to a corrected working approach in 31 seconds.

CyberScoop later reported Sysdig’s clarification that the attack was not fully human-free. A person still set up and directed the operation, provisioned command-and-control and staging infrastructure, chose the victim, and supplied credentials likely obtained through a prior compromise.

Sysdig also said API keys for OpenAI, Anthropic, DeepSeek and Gemini were among the material the agent collected from the compromised environment. That does not confirm which model powered the attack.

The case is notable less for novel techniques than for automation. Sysdig said the attack relied on known vulnerabilities and exposed infrastructure, but an AI agent chained the steps together quickly and carried out a ransomware-style database extortion workflow.

Why does it matter?

JADEPUFFER shows how agentic AI could change cybercrime by automating work that previously required skilled operators. Even if humans still choose targets and set up infrastructure, agents can speed up reconnaissance, credential theft, lateral movement and destructive activity once access is available. The defensive lesson is immediate: exposed AI tools, unpatched systems, leaked credentials, and internet-facing databases become more dangerous when attackers can automate exploitation and adaptation at machine speed.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

MEPs to debate EU AI cybersecurity strategy

Members of the European Parliament are set to question the European Commission on its latest AI and cybersecurity proposals, including a new AI cybersecurity strategy expected to be unveiled on 7 July.

According to the European Parliament’s plenary newsletter, the Commission’s action plan is expected to include measures to help EU member states and companies address AI-related cybersecurity risks.

The strategy is also expected to strengthen Europe’s AI cybersecurity capabilities as policymakers examine how AI is reshaping both cyber threats and cyber defence.

The debate follows the European Commission’s welcome of the G7 cybersecurity declaration on strengthening global cyber resilience. Parliament is also considering two legislative proposals collectively referred to as the ‘Cybersecurity Act 2‘.

The proposals are expected to address issues including the NIS2 framework, the role of the EU Agency for Cybersecurity (ENISA), the EU cybersecurity certification framework and ICT supply chain security.

The debate is scheduled for 7 July, as part of a European Commission statement followed by parliamentary scrutiny.

Why does it matter?

The debate shows that AI-related cybersecurity risks are becoming part of the EU’s broader cyber resilience agenda. By linking AI policy with NIS2, ENISA, certification and supply chain security, the EU is preparing to treat AI not only as an innovation priority but also as a cybersecurity concern.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Hong Kong launches AI privacy sandbox for schools

Hong Kong’s Office of the Privacy Commissioner for Personal Data and the Digital Policy Office have launched an AI privacy sandbox to support responsible AI adoption in schools.

The Safeguarding Personal Data AI Sandbox will provide a collaborative platform for schools exploring AI solutions while managing the risks to personal data protection.

The first phase will run for six months and select 15 school applicants. It is open to publicly funded primary and secondary schools, with applications accepted until 30 October 2026.

Selected schools will receive guidance from the Privacy Commissioner’s office on compliance with the Personal Data (Privacy) Ordinance.

They will also receive support from the Digital Policy Office on Hong Kong’s Generative Artificial Intelligence Technical and Application Guideline.

Cyberport, Hong Kong, and the Hong Kong Productivity Council will provide technical advice.

A briefing session for interested schools is scheduled for 28 August 2026.

Why does it matter?

Schools are increasingly exploring AI tools, but their use of student data creates specific privacy, safety and governance risks. Hong Kong’s sandbox offers a practical way to test AI adoption in education while giving schools regulatory and technical support. The initiative also shows how governments can move beyond broad AI principles by creating sector-specific support mechanisms for institutions that may lack in-house expertise.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

SDAIA, DCO and ICAIRE to discuss responsible AI implementation in Geneva

A side event at the first session of the Global Dialogue on AI Governance will focus on responsible AI implementation, exploring how ethical AI commitments can be translated into practical governance and delivery models.

The session, titled Responsible, Trusted, and Safe AI for Prosperity: From Principles to Practice will take place on 7 July at Palexpo in Geneva. It is being organised by the Saudi Data and Artificial Intelligence Authority (SDAIA), the Digital Cooperation Organization (DCO), and the International Center for Artificial Intelligence Research and Ethics (ICAIRE).

According to the concept note, the discussion will explore how governments and their partners can move from shared AI principles to institutional models that support the safe, trusted, and inclusive deployment of AI. Topics will include national AI readiness, public-sector adoption, governance frameworks, capacity-building and cross-border cooperation.

The organisers frame responsible AI implementation as a public value issue, linking it to stronger public services, national development priorities and sustainable digital prosperity. The session will also highlight SDAIA’s role in building national AI capabilities, ICAIRE’s work connecting AI ethics with research, and the DCO’s efforts to strengthen international digital cooperation.

The agenda includes keynote remarks from DCO Secretary-General Deemah AlYahya and a senior representative of SDAIA. A high-level panel featuring representatives from the DCO, ICAIRE and participating governments will be followed by a question-and-answer session with the audience.

Why does it matter?

The discussion reflects a broader shift in international AI governance from developing high-level principles to building the institutions, skills and regulatory frameworks needed to implement them effectively. As more countries publish AI strategies and governance commitments, the challenge is increasingly how to translate those ambitions into practical public-sector capabilities.

The session also highlights the growing importance of international cooperation in AI governance. By bringing together governments and international organisations to exchange implementation experiences, the event aims to support more consistent, trusted and inclusive approaches to AI adoption across different countries.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

IWF and NCA urge parents to protect children’s photos from AI misuse

The Internet Watch Foundation (IWF) and the UK’s National Crime Agency (NCA) have launched new guidance urging parents and carers to better protect images of their children online, warning that criminals are increasingly using AI to turn publicly available photographs into child sexual abuse material.

The campaign responds to a sharp rise in AI-generated child sexual abuse material and aims to help families make more informed decisions about sharing children’s image online and obtaining their consent.

The guidance accompanies a public awareness campaign across Facebook, Instagram and YouTube, encouraging families to review privacy settings, reconsider who can access children’s photographs and discuss image consent with young people.

Parents are encouraged to regularly review whether they are comfortable sharing images online, limit access through private groups where appropriate, and talk openly with their children about AI-generated imagery, deepfake nudes and online safety.

The campaign follows growing evidence that offenders are exploiting publicly accessible family and school photographs.

The IWF recently helped prevent the circulation of more than 100 AI-generated sexual images created from photographs taken from a UK school’s website after criminals attempted to blackmail the school. According to the organisations, even ordinary family photographs can now be manipulated into realistic abuse material without the knowledge of children or their parents.

The scale of the threat has grown significantly. The IWF identified 8,029 AI-generated child sexual abuse images and videos in 2025, a 14% increase on the previous year.

AI-generated videos increased from just 13 identified in 2024 to 3,443 in 2025, with nearly two-thirds classified as the UK’s most severe Category A abuse material.

The IWF argues that technology companies must strengthen safeguards around AI image generation tools before release, while continuing to support law enforcement efforts to combat online child exploitation.

Why does it matter?

Generative AI has made it significantly easier to create realistic child sexual abuse material from ordinary photographs, fundamentally changing the online child protection landscape. Images shared on social media, school websites or other public platforms can now be manipulated without a child’s knowledge, creating new risks for families and increasing the burden on law enforcement and child protection organisations.

The campaign also highlights that preventing AI-enabled abuse requires more than criminal enforcement. Stronger safeguards in AI image-generation tools, improved privacy practices, greater parental awareness and better digital literacy around image sharing and consent are all becoming essential components of online child safety.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!