Consumer protection

The future of agentic AI: A cross-regulatory perspective from the UK

Published in March 2026, ‘The Future of Agentic AI‘ is a foresight paper from the Digital Regulation Cooperation Forum (DRCF), the joint body bringing together the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and Ofcom.

Drawn on a public call for views conducted through the DRCF Thematic Innovation Hub in autumn 2025 and a series of cross-regulatory workshops, it maps how agentic AI simultaneously activates the remits of all four regulators, and identifies the areas where cross-regulatory coherence will be most difficult to maintain as the technology advances.

The DRCF emphasises that regulation should function as an enabler of innovation rather than a barrier. All four regulators affirm that existing UK frameworks, across data protection, consumer protection, financial regulation and online safety, already apply to agentic AI.

Much of the analytical weight, therefore, lies not in proposing new rules but in mapping how the simultaneous application of those frameworks to a single agentic deployment creates coordination challenges that a sector-by-sector regulatory model was not designed to manage.

The document does not constitute regulatory policy and is explicitly framed as a contribution to the stakeholder debate.

Agentic AI: definition and current state of development

Person, Security

Agentic AI is defined as systems of AI agents that behave and interact autonomously to achieve their objectives, where each individual agent is an increasingly autonomous AI capable of directly affecting real-world environments. The key distinction from standard generative AI lies in what agents do beyond generating outputs: they assess goals and decompose them into subtasks, retrieve real-time data from external services, execute actions such as making payments or sending communications, and retain memory of past interactions.

Information retrieval alone does not make a system an agent. The critical feature is the autonomous plan-act loop through which multi-step tasks are completed, often by invoking external tools, with limited or no human intervention at each step.

A five-level autonomy spectrum structures the analysis of the current and near-future agent landscape. At the base sits the ‘tool’, a reactive system with no initiative or memory. Above it is the ‘assistant’, capable of planning a few steps and using approved tools while deferring to the user for execution.

The ‘operator’ handles bounded workflows end-to-end once authorised. The ‘collaborator’ and ‘autonomous actor’ tiers, capable of initiating and coordinating multi-step work with minimal human approval, remain largely theoretical at the time of publication.

Most practical deployments today sit at the assistant or operator tiers: customer-support copilots that triage tickets, workflow agents that automate expense claims, or fraud detection systems in financial services. Agentic AI is not exclusively software-based. Embodied agents in robotics and the Internet of Things (IoT) represent an important adjacent development, with LLM-enabled humanoid robots already deployed in some industrial settings.

Emerging opportunities across the economy

Blackboard, Text, Symbol

For individual users, the core opportunity lies in a ‘delegation layer’ between people and the digital services they rely on: agents that can translate natural-language intent into executable sequences of steps across tools, services and platforms, reducing friction and cognitive load. Specific consumer benefits highlighted include reduced search costs through conversational product comparison, improved deal quality through continuous price monitoring and automatic coupon application, and support for switching and cancellation journeys.

Particular potential is identified for users with disabilities or limited digital literacy, for whom conversational interfaces may substantially lower barriers to digital participation, touching directly on the future of work and labour market inclusion.

For businesses, a large-scale study of a generative AI assistant in customer support found improvements of around 14 to 15% in issues resolved per hour, with the greatest gains among less experienced workers.

Illustrations of current commercial deployment include Allianz’s agentic system for automating food spoilage claims, which uses seven specialised agents, and the UK Government Digital Service’s trial of Microsoft 365 Copilot across 20,000 staff, which reported time savings of 26 minutes per person per day.

For regulators, the CMA has already deployed agentic AI to detect consumer harms such as drip pricing. The DRCF discusses how agentic supervision tools could enable compliance monitoring at a scale and speed that would be impossible for human inspectors alone, pointing to a future in which regulators themselves are among the primary users of the technologies they oversee.

Amplified and novel risks

Pen, Adult, Male, Man, Person, Text, Furniture, Table

Agentic AI does not merely introduce new hazards; it amplifies existing ones through the combination of autonomy, multi-step execution and access to sensitive data. The most structurally significant risk is accountability fragmentation, which the DRCF describes as the ‘many hands problem’: when a deployment involves a model provider, a system provider and a downstream deployer, each contributing distinct elements to an outcome, attributing liability for harm becomes substantially more complex than in conventional software.

Model providers have a role in monitoring and emergency controls, system providers in adapting those tools to the context, and downstream deployers in maintaining oversight during operation. Importantly, the foresight paper makes clear that ‘my agent did it’ is not a defence any UK regulator will accept as organisational responsibility for legal compliance remains unchanged regardless of the agent autonomy.

Data protection risks are particularly acute. Agentic systems frequently require broad access to personal and operational data, which may be shared across multiple agents and integrated with external tools in ways that make it difficult to maintain the data minimisation principle under the UK GDPR.

Action bundling, the tendency of agents to execute sequences of steps that would normally represent separate consumer decisions simultaneously and at speed, raises questions about whether consent remains meaningful.

Cascading errors, where a flaw in one agent propagates across interconnected systems with amplified effect, are identified as a governance challenge with potentially systemic consequences touching on critical infrastructure. The Moffatt v. Air Canada case, in which an automated system provided incorrect information and the airline was held accountable, is cited by respondents to the call for views as an illustration of how accountability challenges in automated deployments are already reaching the courts.

Cybersecurity risks are materially increased by agentic capabilities. Agents designed to ingest and act on content from diverse external sources are particularly vulnerable to prompt injection attacks, in which malicious instructions are embedded in the content the agent processes, raising direct cybersecurity concerns.

Agents may also operate under non-human identities (NHIs) without the session-based oversight that applies to conventional user authentication, creating surfaces for privilege escalation and data exfiltration. A documented attack in which agentic AI was used to perform 80 to 90% of the attack lifecycle illustrates how the same capabilities that make agents useful can be weaponised at speeds and scales beyond human capacity to manage.

Hyper-personalisation adds a further risk dimension. Agents with persistent memory and detailed user profiles can generate highly persuasive communications, and the same techniques can be turned to personalised fraud, as demonstrated in documented AI-driven influence campaigns. Where agents are optimised to advance the commercial objectives of deployers through undisclosed advertising arrangements or data-extractive digital business models, they may channel users toward platform-preferred outcomes while presenting themselves as neutral intermediaries.

Foresight scenarios and their regulatory implications

Face, Head, Person, Photography, Portrait, Adult, Female, Woman, Skin

A methodologically distinctive feature of the foresight paper is its use of scenario analysis to stress-test the cross-regulatory implications of different agentic AI futures. Building on the ICO’s Agentic AI Tech Futures Report, the DRCF constructed a two-by-two matrix of four plausible futures defined by two critical uncertainties: the capability level of agentic systems and the degree of their adoption in the economy.

Subject-matter experts from all four regulators examined each scenario for regulatory synergies and friction points in a cross-regulatory workshop.

The first scenario, ‘scarce, simple agents’, describes low capability and low adoption, in which agents remain narrow tools used in controlled professional contexts with close human oversight. The regulatory challenges here are primarily about maintaining proportionality without over-regulating an immature technology.

The second scenario, ‘just good enough to be everywhere’, combines low capability with high adoption: agents are widely deployed despite significant limitations, creating systemic consumer harm at scale and widespread accountability confusion. Of the four scenarios, this is considered the most acute near-term risk.

The third scenario, ‘agents in waiting’, describes high capability but low adoption, in which powerful agents are held back by regulatory uncertainty, liability concerns or lack of consumer trust. The regulatory challenge shifts from harm prevention to enabling conditions: excessive caution risks suppressing valuable innovation.

The fourth scenario, ‘ubiquitous agents’, represents high capability combined with high adoption, a fully agentic future in which agents mediate most consumer-market interactions and manage enterprise workflows autonomously. Winner-takes-most market concentration, spontaneous algorithmic collusion, systemic accountability gaps and agent-to-agent communication operating beyond human-readable oversight are identified as the primary governance challenges in this scenario.

The cross-regulatory workshop exercise enabled the four regulators to map not only sector-specific risks within each scenario but also the points where their remits intersect or conflict. The DRCF presents this methodology as a model for ongoing interdisciplinary horizon scanning that other jurisdictions could adapt to stress-test their own frameworks before tensions manifest in real-world deployments.

The cross-regulatory challenge

Art, Graphics, Adult, Male, Man, Person, Head

Using the example of a large UK retailer deploying an autonomous customer assistant, the DRCF demonstrates how a single agentic deployment can simultaneously raise data protection issues for the ICO through automated decision-making on credit or loyalty discounts, financial regulation concerns for the FCA if the assistant recommends or arranges financial products, online safety duties for Ofcom if the agent retrieves and synthesises information from third-party websites in ways that may constitute a regulated search service under the Online Safety Act 2023, and competition regulation and consumer protection matters for the CMA if the agent behaviour steers users away from competitors or constitutes algorithmic collusion.

No single regulator holds the full picture, yet each may need to act.

Each regulator sets out its current approach. The ICO launched a public consultation on updated automated decision-making and profiling guidance on 31 March 2026, responding to the reforms introduced by the Data (Use and Access) Act 2025, section 80 of which came into force on 5 February 2026.

That provision replaced Article 22 of the UK GDPR with new Articles 22A to 22D, substituting the previous near-prohibition on solely automated decision-making with a more permissive, safeguards-based framework. The consultation closed on 29 May 2026, with final guidance expected in summer 2026.

The ICO has also been formally commissioned under the Statutory Instrument 2026/425 to produce a statutory code of practice on AI and automated decision-making, which will carry evidential weight in enforcement proceedings and is expected to address agentic systems directly.

The FCA applies its outcomes-focused Consumer Duty to firms using agentic AI in financial services, with its AI Live Testing platform providing a supervised environment for firms to experiment with agentic use cases. Ofcom is assessing how agentic AI affects telecoms markets and whether agent-enabled services fall within the scope of its online safety regime.

The CMA draws on the Digital Markets, Competition and Consumers Act (DMCCA) to address strategic market status, self-preferencing and exclusionary conduct in agentic AI contexts, and has published guidance for businesses on complying with consumer law when using AI agents.

Governance, accountability and human oversight

Pen, Chart

Observability, defined as the ability of deployers to understand what is happening within a system by examining its outputs, including logs of interactions, reasoning steps, action traces and performance metrics, is identified as a foundational governance requirement. Legal obligations under data protection law, consumer law, competition law, financial regulation and online safety requirements apply regardless of the degree of automation involved.

Nominal human oversight, where a person is present but has no genuine capacity to intervene, does not satisfy the human-in-the-loop requirement under UK data protection law when automated decisions have legal or similarly significant effects on individuals. Permissions controls that specify which data sources an agent may access are presented as both a data governance and a data minimisation tool, with the additional benefit of reducing consent fatigue: the risk that users who are repeatedly prompted to approve the agent actions begin doing so without meaningful deliberation.

Responsibility in multi-agent systems remains one of the most unresolved points in the analysis. As agents interact with each other and blend datasets without human involvement, identifying who controls which data and who is responsible for a given compliance failure under the UK GDPR becomes progressively harder.

Respondents to the call for views proposed that regulators require firms to adopt AI supply chain governance frameworks addressing component integrity, compatibility, and risk propagation. The DRCF raises the concept of ‘transparency agents’, systems designed specifically to monitor inter-agent transactions and maintain audit trails, noting that governing agentic AI may itself require agentic tools.

Consumer rights, market dynamics and algorithmic collusion

Lighting, Architecture, Building, Wall

The Consumer Rights Act 2015 and the consumer protection provisions of the DMCCA apply fully to agentic AI providers. Drawing on the CMA’s research on agentic AI and consumers, published on 9 March 2026, the core risk identified is that systems optimised for the deployer’s commercial objectives through undisclosed advertising arrangements or data-extractive business models may influence consumer protection outcomes in ways users cannot anticipate or contest.

‘Choice outsourcing’ is identified as an emerging structural risk: when consumers delegate comparison and transaction decisions to agents that, in turn, respond to platform incentives, competition shifts from the product layer to the agent layer, with firms competing to be favoured by assistants rather than to offer the best price or quality.

Digital inequality receives dedicated analysis across two distinct risk groups. Users with lower media literacy and limited device access may struggle to recognise AI-generated responses, navigate privacy controls or correct agent errors. Users with higher digital literacy may nonetheless find their critical assessment skills weakened by the reduced visibility into multi-agent decision-making.

As agentic AI becomes embedded in everyday systems, the DRCF cautions that users may increasingly feel that non-adoption means being shut out of services entirely, a form of structural compulsion that existing consumer protection frameworks were not designed to address.

Algorithmic collusion is among the most technically specific risk areas addressed. Experimental evidence suggests that LLM-based agents may spontaneously converge on supra-competitive prices in price-setting, bidding and financial market simulations without explicit instruction, maintaining those prices even as conditions change.

Research also demonstrates that AI systems can develop covert communication strategies, including hiding messages within ordinary text, and may evolve faster non-natural-language communication protocols as alternatives to human-readable exchange.

All existing collusion evidence comes from controlled experimental conditions rather than from real-world markets, but the DRCF treats the findings as sufficient to warrant caution in deploying agents in pricing roles. The CMA’s paper on AI and collusion, published on 4 March 2026, provides the most detailed UK regulatory analysis of these risks to date.

Open communication protocols such as the Model Context Protocol (MCP) and Agent2Agent (A2A) are discussed as tools for supporting interoperability and reducing vendor lock-in, although their competitive implications remain to be addressed.

Further developments

Computer, Electronics, Tablet Computer, Computer Hardware, Hardware, Monitor, Screen

Since the foresight paper was published in March 2026, the regulatory programme it outlines has moved forward on several fronts. Most notably, on 3 June 2026 the DRCF launched a call for input on consumer interest and AI, open until 3 July 2026. Structured in two phases, the call gathers the consumer evidence that the four regulators need to apply their existing rules more effectively.

Phase one examines consumer attitudes: how much risk consumers will tolerate from generative and agentic AI in exchange for convenience and cost savings, how well they understand the technology, and whether disclosures and consent mechanisms have a meaningful effect. Phase two asks what tools, frameworks and obligations can best deliver good consumer outcomes.

The call is significant as it represents the first concrete step toward building an empirical evidence base for enforcement rather than anticipatory guidance. Findings will feed directly into the autumn regulatory agenda of all four member bodies.

The ICO’s consultation on the updated automated decision-making and profiling guidance closed on 29 May 2026, with final guidance expected later in 2026. The FCA’s Mills Review, which examined how advanced AI models could reshape retail financial services by 2030, is on track to deliver recommendations to the FCA Board in summer 2026, with an external publication to follow. Cohort 2 of the FCA’s AI Live

Testing programme has launched, building on findings from the first cohort. Ofcom is expected to publish its 2026 to 2027 strategic approach to AI later in the year, covering agentic AI’s implications for telecoms markets and online safety.

The UK regulatory landscape is also developing in an international context. Spain’s data protection authority, the AEPD, published a detailed technical guide on AI agent architecture in February 2026, addressing prompt injection vulnerabilities and automated decisions under Article 22 of the GDPR, one of the most granular analyses produced by a European data protection authority to date.

In March 2026, an EU Parliament committee voted in favour of amendments pushing EU AI Act high-risk compliance deadlines to December 2027 and August 2028, reflecting continued implementation pressure at the EU level.

Together, these developments illustrate that the governance issues raised by the DRCF are being worked through simultaneously across multiple jurisdictions, with regulatory divergence as real a risk as convergence.

Implications for the broader digital governance landscape

Person, Security

The DRCF’s multi-regulator framing reflects a structural reality that most national governance frameworks have not yet fully absorbed: agentic AI is not a sector-specific technology but a general-purpose capability that simultaneously activates legal obligations across multiple regulatory domains.

Countries that have assigned AI oversight to a single lead authority may find that agentic AI creates accountability gaps at the boundaries between those domains that a single-regulator model cannot address.

A fundamental difference between the UK approach and the EU AI Act is worth noting. The EU AI Act employs a risk-based classification system applied at the level of AI systems and their use cases, imposing pre-market obligations on high-risk systems before deployment.

The UK’s approach applies existing sector-specific rules to AI through the regulator most relevant to a given harm, without a central AI authority or horizontal AI statute. Both approaches acknowledge that deploying an AI agent does not transfer legal accountability to the agent; accountability remains concentrated on the deployer.

Where the two frameworks diverge is in their approach to ex ante versus ex post intervention. The UK model relies more heavily on enforcement after harm has occurred, supplemented by guidance and safe-space testing.

The EU model attempts to prevent certain harms before deployment. The ‘just good enough to be everywhere’ scenario, in which low-capability agents cause consumer harm at scale, implicitly raises the question of whether the post-hoc enforcement model is sufficiently robust for the near-term agentic AI risks the DRCF itself identifies as the most pressing.

On standards and interoperability, the governance of agent communication protocols is emerging as a question of digital standards and competition policy as much as a technical one. If open protocols such as the Model Context Protocol (MCP) and Agent2Agent (A2A) become widely adopted, they could reduce the ecosystem advantages that currently favour large incumbent platform operators.

If dominant firms instead establish proprietary standards, the market concentration risks in the ‘ubiquitous agents’ scenario could materialise more rapidly.

A related concept raised in the foresight paper is ‘know your agent’ protocols, analogous to ‘financial services ‘know-your-customer frameworks’ in financial services, as a tool for verifying agent identity, intent and permissions in commercial settings. Potential links are noted to the digital identity reforms currently under development in the UK. How these standards issues are addressed will significantly shape the competitive landscape of agentic AI markets over the next several years.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Thailand updates legal framework to modernise capital markets 

Thailand is advancing amendments to the Securities and Exchange Act to create a legal framework for electronic securities and support the digitalisation of its capital markets.

The draft bill has passed its first reading in the House of Representatives, with a special committee appointed to review the details before the second and third readings. The proposal would allow securities to be issued, held, transferred and used as collateral in electronic form with legal effect.

Government officials said the reform is intended to improve access to capital, reduce transaction costs and make capital market processes more efficient. The initiative forms part of Thailand’s broader effort to modernise financial infrastructure and support the digital economy.

The framework would apply to existing capital market instruments, including shares, bonds and investment units. Authorities have presented the measure as a way to digitise securities processes under a clearer legal and regulatory framework, rather than as a move to create a new category of unregulated digital assets.

The proposal also includes safeguards for investors and market integrity, including rules on securities registries, client assets and regulatory oversight of electronic securities transactions.

Why does it matter?

The reform shows how digital finance policy is moving beyond cryptocurrencies and payment systems into the core infrastructure of capital markets. By giving electronic securities legal effect, Thailand could reduce paperwork, lower transaction costs, and make fundraising more efficient. The practical impact will depend on the final text, regulatory implementation and whether market participants adopt the new digital processes at scale.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Netherlands requires one-click cancellation button for online purchases

The Netherlands has announced that online retailers and providers of online services will be required to include a clear cancellation button on their websites from 19 June 2026. The measure is intended to make it easier for consumers to exercise their right of withdrawal during the statutory 14 day cooling off period.

Under the new rules, customers will be able to cancel a purchase or service through a dedicated online button rather than completing a form or contacting customer services. The cancellation button will serve as an additional withdrawal mechanism and will not replace the standard withdrawal form.

After selecting the button, customers will need to confirm that they wish to cancel their purchase or service. Businesses will then be required to send a confirmation message acknowledging receipt of the cancellation request. This is in line with the right of withdrawal under the EU Consumer Rights Directive.

The requirements will apply to online retailers, providers of digital services such as online courses and coaching programmes, and sellers operating through social media platforms. The measure has been approved by the Dutch parliament.

Why does it matter?

The measure reflects a broader European effort to strengthen consumer protection in digital markets. While consumers already have the right to withdraw from many online purchases within a statutory cooling-off period, exercising that right can sometimes involve complex procedures or interactions with customer support.

By requiring a clear and accessible cancellation option, the Netherlands aims to reduce friction in the withdrawal process and improve transparency for consumers. The initiative also reflects growing regulatory attention to user experience and consumer rights in digital commerce, particularly in areas such as subscriptions, online services and social media-based sales.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Canadian government announces briefing on new privacy legislation

Innovation, Science and Economic Development Canada (ISED) has announced that government officials will hold a technical briefing for the media on a proposed bill titled ‘An Act to enact the Protecting Privacy and Consumer Data Act‘.

The briefing is scheduled for 15 June 2026 and is expected to provide technical information about the proposed legislation. The event will take place at the National Press Theatre and will also be accessible online through a Zoom link provided by the Canadian Parliamentary Press Gallery.

According to ISED, participation in the question-and-answer session will be restricted to accredited members of the Parliamentary Press Gallery. Media organisations that are not members can request temporary access.

The media advisory does not provide details about the substance of the proposed legislation beyond its title and the logistical arrangements for the briefing. The event will be held in Ottawa, Canada.

Why does it matter?

Privacy and consumer data protection remain central issues in digital governance as governments seek to balance innovation, economic growth and the protection of personal information. New legislation in this area could affect how organisations collect, use and manage consumer data, as well as the rights available to individuals.

Although details of the proposed bill have not yet been released, the legislation could signal the next phase of Canada’s approach to privacy regulation and data governance. Any reforms may have implications for businesses, digital services providers and consumers operating within Canada’s increasingly data-driven economy.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Singapore warns of Microsoft impersonation scams causing major losses

The Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) have warned the public about technical support scams that impersonate Microsoft. Authorities said at least 10 cases had been reported since February 2026, with total losses exceeding S$1.7 million.

In this scam variant, victims typically encounter a pop-up alert in their web browser. The alert falsely appears to originate from Microsoft and claims that the user’s device has been hacked or compromised.

Victims are then instructed to contact a so-called technical support officer through an internet-based phone number. After making contact, victims may be transferred to another scammer posing as a police officer, who claims that their device has been used for criminal activities such as money laundering.

Authorities in Singapore said victims may be instructed to make bank transfers, provide banking credentials, or grant remote access to their devices. In some cases, scammers asked victims to download remote access applications or click links that allowed them to take control of bank accounts.

SPF and CSA advised members of the public to verify alerts through official software provider channels. They noted that Microsoft does not include phone numbers in error or warning messages, and that users should not call numbers displayed in suspicious pop-ups or click links or buttons within such alerts.

People who believe they have fallen victim to the scam are advised to disconnect their computer from the internet, contact their bank, remove applications installed under the scammer’s instructions, and run an anti-virus scan. They should also change passwords and banking credentials using a trusted device, remove unauthorised payees, and report the incident to the police and CSA’s SingCERT.

Why does it matter?

Technical support scams remain one of the most effective forms of cyber-enabled fraud because they combine social engineering, impersonation and remote access techniques. By exploiting trust in well-known brands such as Microsoft and creating a sense of urgency, scammers can persuade victims to hand over sensitive information or direct access to their devices.

The cases also highlight how cybersecurity and financial security are increasingly interconnected. Basic cyber hygiene practices, such as verifying security alerts through official channels, avoiding unsolicited remote access requests and reporting incidents quickly, can help prevent account compromise and reduce financial losses.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Google highlights rising online scam threats

Google has warned that online scams remain a major global challenge, citing estimates that fraud losses could reach nearly $580 billion in 2025.

In its latest fraud and scams advisory, the company said phishing attacks are becoming more sophisticated, with criminals using adversary-in-the-middle techniques and QR code phishing, also known as quishing, to steal credentials and bypass security measures.

The advisory also highlighted risks linked to cryptocurrency investment scams, malicious finance applications and police impersonation schemes. According to Google, scammers are using AI, social engineering and trusted digital services to deceive users, obtain money and collect sensitive information.

Google said its Trust & Safety teams are using AI tools, predictive analytics and policy enforcement to detect and disrupt fraudulent activity across its services. The company also pointed to measures such as stronger protections for session cookies, enforcement against deceptive crypto ads, monitoring of post-installation app behaviour and developer identity verification for apps installed on certified Android devices.

The company urged users to be cautious of unsolicited communications, unrealistic investment promises, unexpected QR codes and requests for personal or financial information.

Why does it matter?

The advisory shows how online fraud is becoming a cross-platform governance problem rather than a narrow cybersecurity issue. Scams now rely on trusted cloud services, mobile apps, messaging platforms, crypto infrastructure and impersonation of public authorities. That creates pressure on major technology companies to strengthen detection, app accountability and policy enforcement, while raising broader questions about consumer protection, platform responsibility and digital trust.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Apple unveils next-generation Siri AI and expanded child safety features

Apple has unveiled the next generation of Apple Intelligence at WWDC26, introducing a significantly upgraded Siri designed to provide deeper personal context awareness, broader app integration and more advanced conversational capabilities.

The new assistant can search across messages, emails and photos, answer questions about on-screen content and access web information to provide more up-to-date responses while maintaining Apple’s privacy-focused approach.

Alongside its AI announcements, Apple announced major updates to parental controls and Screen Time features. Parents will be able to approve new contacts, manage app permissions more precisely and benefit from new safety features designed to respond when explicit or violent content is shared.

New screen time recommendations and scheduling tools are also intended to encourage healthier digital habits for children.

Software updates arriving later this year across Apple’s operating systems will also introduce a range of performance improvements.

Apple said app launches on iPhone and iPad are up to 30% faster, newly captured photos load up to 70% faster, and AirDrop transfers can be up to 80% quicker. Search functions across Spotlight, Photos, and Mail have also been redesigned to improve speed and accuracy.

Additional features include enhanced health tracking, expanded AirPods personalisation, improved Apple Watch functionality, cross-platform photo sharing through iCloud Shared Albums, and AI-powered upgrades to Apple Maps and Apple Vision Pro.

Public beta testing begins next month, with the full software release scheduled for autumn. Apple noted that some Apple Intelligence features will vary by device, language, and region, with regulatory requirements affecting availability in certain markets, including China and parts of the European Union.

Why does it matter?

Apple’s latest updates reflect a broader industry shift, especially towards embedding child safety and digital well-being features directly into operating systems, as governments and regulators worldwide increase scrutiny of how technology platforms protect young users online.

Enhanced parental controls, communication safeguards, and screen time management tools could help set new standards for online child protection, influencing future policies and product development across the technology sector.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Starlink enters European ultra-low-cost flights through Wizz Air

Wizz Air has announced plans to roll out Starlink connectivity across its fleet from 2027, bringing low-Earth-orbit satellite internet to the European ultra-low-cost airline market.

The airline said it would become the first European ultra-low-cost carrier to offer Starlink’s in-flight internet technology to passengers. The service is expected to provide high-speed, low-latency connectivity during flights.

The move is significant because high-quality in-flight internet has often been treated as a premium service or a paid add-on, rather than a standard feature for low-cost travel. Wizz Air said passengers should not have to choose between affordable fares and reliable onboard connectivity.

The rollout would place Wizz Air among a growing group of airlines using Starlink to upgrade in-flight internet. Several full-service and hybrid carriers have already announced or begun Starlink deployments, but low-cost airlines have been more cautious because of installation, operating, weight and fuel-cost concerns.

Wizz Air’s decision suggests that satellite-based connectivity is moving beyond premium cabins and long-haul carriers into mass-market aviation. If implemented across the fleet, the service could change passenger expectations for affordable short- and medium-haul travel.

Ian Malin, Wizz Air’s Chief Commercial Officer, said ultra-low-cost travel has been about making opportunities accessible to more people and that the airline now wants to extend that approach to connectivity.

Starlink, operated by SpaceX, uses low-Earth orbit satellites to provide broadband connectivity with lower latency than traditional satellite internet systems. Its growing use in aviation reflects the wider expansion of satellite internet into transport, consumer connectivity and digital infrastructure markets.

Why does it matter?

The story matters because Starlink is helping shift in-flight connectivity from a premium airline feature towards a broader digital access expectation. If ultra-low-cost carriers can offer reliable satellite internet without undermining their fare model, connected air travel could become more common across short- and medium-haul routes. The move also shows how low-Earth-orbit satellite networks are expanding into mainstream transport infrastructure, not just for rural broadband or emergency connectivity.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

New York passes child protection law targeting AI companion chatbots

New York State has approved legislation aimed at strengthening protections for minors interacting with AI chatbots, marking one of the first targeted regulatory efforts focused on AI companion technologies. The bill, known as S9051B, introduces restrictions on chatbot features that may encourage harmful emotional dependence or unsafe behaviour among young users.

The law prohibits AI systems from presenting themselves as real or fictional human beings in ways that could mislead minors and restricts outputs that encourage self-harm, disordered eating or other harmful behaviour. The legislation specifically targets design features that may foster emotional dependency between children and AI systems, reflecting growing concerns over their potential psychological effects.

Sponsored by Senator Kristen Gonzalez and Assemblymember Alex Bores, the legislation was developed in consultation with New York Attorney General Letitia James and child safety organisations, including Common Sense Media. Supporters of the bill argue that rapid advances in AI have outpaced existing safeguards, leaving young users vulnerable to emerging risks.

Supporters say the measure is part of a wider push for responsible AI governance in New York, focusing on transparency, accountability, and consumer protection. Advocacy groups involved in developing the legislation have pointed to real-world cases as evidence of the need for stronger oversight of emotionally interactive AI systems.

Why does it matter?

AI companion applications are becoming increasingly sophisticated and capable of sustaining long-term, emotionally engaging interactions with users. While these systems may provide entertainment, companionship or support, concerns have emerged about their potential influence on children and other vulnerable users.

By focusing on chatbot design features rather than solely on content moderation, New York’s legislation introduces a new approach to AI governance that could influence future regulatory efforts in the United States and beyond. The law also reflects growing attention to the psychological and social impacts of generative AI systems.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

India targets dark patterns with fines for PhysicsWallah and McAfee

India’s Central Consumer Protection Authority has fined PhysicsWallah and McAfee Software India for using dark patterns that the regulator said misled consumers and influenced their choices on digital platforms.

PhysicsWallah was fined ₹5 lakh, while McAfee was fined ₹1 lakh. Both companies were directed to remove the practices from their platforms and ensure that users can make informed choices without pressure or manipulation.

The action was taken under the Consumer Protection Act 2019, the Consumer Protection (E-Commerce) Rules 2020, and the Guidelines for Prevention and Regulation of Dark Patterns 2023.

In the PhysicsWallah case, the regulator found that a ₹10 donation to the PW Foundation was automatically selected during checkout and added to the total payable amount without the consumer’s explicit consent. Users were also shown emotional messages related to children’s education, healthcare, and marriages that encouraged them to keep the donation selected.

The CCPA also found that courses advertised as free could only be accessed after users shared personal information such as a mobile number and email address. The regulator said the content remained the same across user accounts, indicating that mandatory data collection was not necessary to access the courses.

The authority identified basket sneaking, confirm shaming, and forced action in the PhysicsWallah case. It also said the practices raised serious consumer protection concerns because many users on the platform are students, including minors.

In the McAfee case, the CCPA found that users deciding whether to renew subscriptions were shown options such as ‘Renew Now’ and ‘Accept Risk’. The authority said the wording portrayed non-renewal as a risky decision and created pressure on consumers to continue their subscriptions.

The regulator identified confirmation shaming, interface interference, trick questions, and forced action in McAfee’s renewal process, saying consumers should be able to make subscription decisions freely and without fear-based messaging or misleading design.

The CCPA said the orders form part of its continued action against dark patterns in digital marketplaces. It reiterated that consumer consent must be explicit, informed, and free from manipulative design practices.

Why does it matter?

The penalties show that dark pattern rules in India are moving from guidance to enforcement. By targeting pre-selected donations, emotionally loaded opt-out messages, forced data sharing, and fear-based subscription renewal design, the CCPA is signalling that manipulative interface design can be treated as a consumer protection violation, not just a poor user experience.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Diplo chatbot can make mistakes. Consider checking important information.