Global Digital Compact

UAE and China deepen ties with mBridge launch

Sheikh Mansour bin Zayed has overseen a digital currency payment between the UAE and China. The transfer used the ‘mBridge’ central bank digital currency platform to settle funds directly. Officials say the move marks the formal launch of ‘mBridge’ for cross-border payments.

Ceremonies in Abu Dhabi also launched the first ‘Jaywan-UnionPay’ multi-scheme prepaid card. The product links Jaywan’s domestic network with UnionPay’s global acceptance in more than 180 countries.

Transactions inside the UAE are processed locally, while overseas spending routes through UnionPay’s international infrastructure. Officials say the projects highlight partnerships between the UAE and China and strengthen the Emirates’ role in digital finance.

Sheikh Mansour and Pan Gongsheng also signed a memorandum on future cross-border payment cooperation. Further expansion of the ‘mBridge‘ network and domestic Digital Dirham pilots is planned from 2026.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

EU proposal sparks alarm over weakened privacy rules

The Digital Omnibus has been released by the European Commission, prompting strong criticism from privacy advocates. Campaigners argue the reforms would weaken long-standing data protection standards and introduce sweeping changes without proper consultation.

Noyb founder Max Schrems claims the plan favours large technology firms by creating loopholes around personal data and lowering user safeguards. Critics say the proposals emerge despite limited political support from EU governments, civil society groups and several parliamentary factions.

The Omnibus is welcomed by industry which have called for simplification and changes to be made for quite a number of years. These changes should make carrying out business activities simpler for entities which do process vast amounts of data.

The Commission is also accused of rushing (errors can be found in the draft, including references to the GDPR) the process under political pressure, abandoning impact assessments and shifting priorities away from widely supported protections. View our analysis on the matter for a deep dive on the matter.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

The future of EU data protection under the Omnibus Package

Introduction and background information

The Commission claims that the Omnibus Package aims to simplify certain European Union legislation to strengthen the Union’s long-term competitiveness. A total of six omnibus packages have been announced in total.

The latest (no. 4) targets small mid-caps and digitalisation. Package no. 4 covers data legislation, cookies and tracking technologies (i.e. the General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD)), as well as cybersecurity incident reporting and adjustments to the Artificial Intelligence Act (AIA).

That ‘simplification’ is part of a broader agenda to appease business, industry and governments who argue that the EU has too much red tape. In her September 2025 speech to German economic and business associations, Ursula von der Leyen sided with industry and stated that simplification is ‘the only way to remain competitive’.

As for why these particular laws were selected, the rationale is unclear. One stated motivation for including the GDPR is its mention in Mario Draghi’s 2024 report on ‘The Future of European Competitiveness’.

Draghi, the former President of the European Central Bank, focused on innovation in advanced technologies, decarbonisation and competitiveness, as well as security. Yet, the report does not outline any concrete way in which the GDPR allegedly reduces competitiveness or requires revision.

The GDPR appears only twice in the report. First, as a brief reference to regulatory fragmentation affecting the reuse of sensitive health data across Member States (MS).

Second, in the concluding remarks, it is claimed that ‘the GDPR in particular has been implemented with a large degree of fragmentation which undermines the EU’s digital goals’. There is, however, no explanation of this ‘large fragmentation’, no supporting evidence, and no dedicated section on the GDPR as its first mention being buried in the R&I (research and innovation) context.

It is therefore unclear what legal or analytical basis the Commission relies on to justify including the GDPR in this simplification exercise.

The current debate

There are two main sides to this Omnibus, which are the privacy forward and the competitive/SME side. The two need not be mutually exclusive, but civil society warns that ‘simplification’ risks eroding privacy protection. Privacy advocates across civil society expressed strong concern and opposition to simplification in their responses to the European Commission’s recent call for evidence.

Industry positions vary in tone and ambition. For example, CrowdStrike calls for greater legal certainty under the Cybersecurity Act, such as making recital 55 binding rather than merely guiding and introducing a one-stop-shop mechanism for incident reporting.

Meta, by contrast, urges the Commission to go beyond ‘easing administrative burdens’, calling for a pause in AI Act enforcement and a sweeping reform of the EU data protection law. On the civil society side, Access Now argues that fundamental rights protections are at stake.

It warns that any reduction in consent prompts could allow tracking technologies to operate without users ever being given a real opportunity to refuse. A more balanced, yet cautious line can be found in the EDPB and EDPS joint opinion regarding easing records of processing activities for SMEs.

Similar to the industry, they support reducing administrative burdens, but with the caveat that amendments should not compromise the protection of fundamental rights, echoing key concerns of civil society.

Regarding Member State support, Estonia, France, Austria and Slovenia are firmly against any reopening of the GDPR. By contrast, the Czech Republic, Finland and Poland propose targeted amendments while Germany proposes a more systematic reopening of the GDPR.

Individual Members of the European Parliament have also come out in favour of reopening, notably Aura Salla, a Finnish centre-right MEP who previously headed Meta’s Brussels lobbying office.

Therefore, given the varied opinions, it cannot be said what the final version of the Omnibus would look like. Yet, a leaked draft document of the GDPR’s potential modifications suggests otherwise. Upon examination, it cannot be disputed that the views from less privacy-friendly entities have served as a strong guiding path.

Leaked draft document main changes

The leaked draft introduces several core changes.

Those changes include a new definition of personal and sensitive data, the use of legitimate interest (LI) for AI processing, an intertwining of the ePrivacy Directive (ePD) and GDPR, data breach reforms, a centralised data protection impact assessment (DPIA) whitelist/blacklist, and access rights being conditional on motive for use.

A new definition of personal data

The draft redefines personal data so that ‘information is not personal data for everyone merely because another entity can identify that natural person’. That directly contradicts established EU case law, which holds that if an entity can, with reasonable means, identify a natural person, then the information is personal data, regardless of who else can identify that person.

A new definition of sensitive data

Under current rules, inferred information can be sensitive personal data. If a political opinion is inferred from browsing history, that inference is protected.

The draft would narrow this by limiting sensitive data to information that ‘directly reveals’ special categories (political views, health, religion, sexual orientation, race/ethnicity, trade union membership). That would remove protection from data derived through profiling and inference.

Detected patterns, such as visits to a health clinic or political website, would no longer be treated as sensitive, and only explicit statements similar to ‘I support the EPP’ or ‘I am Muslim’ would remain covered.

Intertwining article 5(3) ePD and the GDPR

Article 5(3) ePD is effectively copied into the GDPR as a new Article 88a. Article 88a would allow the processing of personal data ‘on or from’ terminal equipment where necessary for transmission, service provision, creating aggregated information (e.g. statistics), or for security purposes, alongside the existing legal bases in Articles 6(1) and 9(2) of the GDPR.

That generates confusion about how these legal bases interact, especially when combined with AI processing under LI. Would this mean that personal data ‘on or from’ a terminal equipment may be allowed if it is done by AI?

The scope is widened. The original ePD covered ‘storing of information, or gaining access to information already stored, in the terminal equipment’. The draft instead regulates any processing of personal data ‘on or from’ terminal equipment. That significantly expands the ePD’s reach and would force controllers to reassess and potentially adapt a broad range of existing operations.

LI for AI personal data processing

A new Article 88c GDPR, ‘Processing in the context of the development and operation of AI’, would allow controllers to rely on LI to process personal data for AI processing. That move would largely sideline data subject control. Businesses could train AI systems on individuals’ images, voices or creations without obtaining consent.

A centralised data breach portal, deadline extension and change in threshold reporting

The draft introduces three main changes to data breach reporting.

  • Extending the notification deadline from 72 to 96 hours, giving privacy teams more time to investigate and report.
  • A single EU-level reporting portal, simplifying reporting for organisations active in multiple MS.
  • Raising the notification threshold when the rights and freedoms of data subjects are at ‘risk’ to ‘high risk’.

The first two changes are industry-friendly measures designed to streamline operations. The third is more contentious. While industry welcomes fewer reporting obligations, civil society warns that a ‘high-risk’ threshold could leave many incidents unreported. Taken together, these reforms simplify obligations, albeit at the potential cost of reducing transparency.

Centralised processing activity (PA) list requiring a DPIA

This is another welcome change as it would clarify which PAs would automatically require a DPIA and which would not. The list would be updated every 3 years.

What should be noted here is that some controllers may not see their PA on this list and assume or argue that a DPIA is not required. Therefore, the language on this should make it clear that it is not a closed list.

Access requests denials

Currently, a data subject may request a copy of their data regardless of the motive. Under the draft, if a data subject exploits the right of access by using that material against the controller, the controller may charge or refuse the request.

That is problematic for the protection of rights as it impacts informational self-determination and weakens an important enforcement tool for individuals.

For more information, an in depth analysis by noyb has been carried out which can be accessed here.

The Commission’s updated version

As of the 19th of November, the Commission has published its digital omnibus proposal. Most of the amendments in the leaked draft have remained. One of the measures dropped is the definition of sensitive data. This means that inferences could amount to sensitive data.

However, the final document keeps three key changes that erode fundamental rights protections:

  • Changing the definition of personal data to be a subjective and narrow one;
  • An intertwining of the ePD and the GDPR which also allows for processing based on aggregated and security purposes;
  • LI being relied upon as a legal basis for AI processing of personal data.

Still, positive changes remain:

  • A single-entry point for EU data breaches. This is a welcomed measure which streamlines reporting and appease some compliance obligations for EU businesses.
  • Another welcomed measure is the white/black-list of processing activities which would or would not require a DPIA. The same note remains with what the language of this text will look like.

Overall, these two measures are examples of simplification measures with concrete benefits.

Now, the European Parliament has the task to dissect this proposal and debate on what to keep and what to reject. Some experts have suggested that this may take minimum 1 year to accomplish given how many changes there are, but this is not certain.

We can also expect a revised version of the Commission’s proposal to be published due to the errors in language, numbering and article referencing that have been observed. This does not mean any content changes.

Final remarks

Simplification in itself is a good idea, and businesses need to have enough freedom to operate without being suffocated with red tape. However, changing a cornerstone of data protection law to such an extent that it threatens fundamental rights protections is just cause for concern.

Alarms have already been raised after the previous Omnibus package on green due diligence obligations was scrapped. We may now be witnessing a similar rollback, this time targeting digital rights.

As a result, all eyes are on 19 November, a date that could reshape not only the EU privacy standards but also global data protection norms.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

AI energy demand strains electrical grids

Microsoft CEO Satya Nadella recently delivered a key insight, stating that the biggest hurdle to deploying new AI solutions is now electrical power, not chip supply. The massive energy requirements for running large language models (LLMs) have created a critical bottleneck for major cloud providers.

Nadella specified that Microsoft currently has a ‘bunch of chips sitting in inventory’ that cannot be plugged in and utilised. The problem is a lack of ‘warm shells’, meaning data centre buildings that are fully equipped with the necessary power and cooling capacity.

The escalating power requirements of AI infrastructure are placing extreme pressure on utility grids and capacity. Projections from the Lawrence Berkeley National Laboratory indicate that US data centres could consume up to 12 percent of the nation’s total electricity by 2028.

The disclosure should serve as a warning to investors, urging them to evaluate the infrastructure challenges alongside AI’s technological promise. This energy limitation could create a temporary drag on the sector, potentially slowing the massive projected returns on the $5 trillion investment.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

CERN unveils AI strategy to advance research and operations

CERN has approved a comprehensive AI strategy to guide its use across research, operations, and administration. The strategy unites initiatives under a coherent framework to promote responsible and impactful AI for science and operational excellence.

It focuses on four main goals: accelerating scientific discovery, improving productivity and reliability, attracting and developing talent, and enabling AI at scale through strategic partnerships with industry and member states.

Common tools and shared experiences across sectors will strengthen CERN’s community and ensure effective deployment.

Implementation will involve prioritised plans and collaboration with EU programmes, industry, and member states to build capacity, secure funding, and expand infrastructure. Applications of AI will support high-energy physics experiments, future accelerators, detectors, and data-driven decision-making.

AI is now central to CERN’s mission, transforming research methodologies and operations. From intelligent automation to scalable computational insight, the technology is no longer optional but a strategic imperative for the organisation.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Global AI adoption rises quickly but benefits remain unequal

Microsoft’s AI Economy Institute has released its 2025 AI Diffusion Report, detailing global AI adoption, innovation hubs, and the impact of digital infrastructure. AI has reached over 1.2 billion users in under three years, yet its benefits remain unevenly distributed.

Adoption rates in the Global North are roughly double those in the Global South, highlighting the risk of long-term inequalities.

AI adoption depends on strong foundational infrastructure, including electricity, data centres, internet connectivity, digital and AI skills, and language accessibility.

Countries with robust foundations- such as the UAE, Singapore, Norway, and Ireland- have seen rapid adoption, even without frontier-level model development. In contrast, regions with limited infrastructure and low-resource languages lag significantly, with adoption in some areas below 10%.

Ukraine exemplifies the potential for rapid AI growth, despite current disruptions from the war, with an adoption rate of 9.1%. Strategic investments in connectivity, AI skills, and language-inclusive solutions could accelerate recovery, strengthen resilience, and drive innovation.

AI is already supporting cybersecurity and helping businesses and organisations maintain operations amid ongoing challenges.

The concentration of AI infrastructure remains high, with the US and China hosting 86% of the global data centre capacity. A few countries dominate frontier AI development, yet the performance gap between leading models is narrowing.

Coordinated efforts across infrastructure, skills, and policy are crucial to ensure equitable access and maximise AI’s potential worldwide.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

TikTok nears US takeover deal as Washington secures control

The White House has revealed that US companies will take control of TikTok’s algorithm, with Americans occupying six of seven board seats overseeing the platform’s operations in the country. A final deal, which would reshape the app’s US presence, is expected soon, though Beijing has yet to respond publicly.

Washington has long pushed to separate TikTok’s American operations from its Chinese parent company, ByteDance, citing national security risks. The app faced repeated threats of a ban unless sold to US investors, with deadlines extended several times under President Donald Trump. The Supreme Court also upheld legislation requiring ByteDance to divest, though enforcement was delayed earlier this year.

According to the White House, data protection and privacy for American users will be managed by Oracle, chaired by Larry Ellison, a close Trump ally. Oracle will also oversee control of TikTok’s algorithm, the key technology that drives what users see on the app. Ellison’s influence in tech and media has grown, especially after his son acquired Paramount, which owns CBS News.

Trump claimed he had secured an understanding on the deal in a recent call with Chinese President Xi Jinping, describing the exchange as ‘productive.’ However, Beijing’s official response has been less explicit. The Commerce Ministry said discussions should proceed according to market rules and Chinese law, while state media suggested China welcomed continued negotiations.

Trump has avoided clarifying whether US investors need to develop a new system or continue using the existing one. His stance on TikTok has shifted since his first term, when he pushed for a ban, to now embracing the platform as a political tool to engage younger voters during his 2024 campaign.

Concerns over TikTok’s handling of user data remain at the heart of US objections. Officials at the Justice Department have warned that the app’s access to US data posed a security threat of ‘immense depth and scale,’ underscoring why Washington is pressing to lock down control of its operations.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Blue Origin begins accepting cryptocurrency for space travel

Blue Origin has opened its doors to cryptocurrency enthusiasts, allowing passengers to pay for suborbital spaceflights in Bitcoin, Ether, Solana, USDt and USDC. Partnering with Shift4 Payments, Blue Origin will take direct wallet transfers from MetaMask and Coinbase for New Shepard flights.

The move adds to a growing trend of blockchain ventures in aerospace. Past projects have ranged from NFTs sent to space to the launch of satellites hosting decentralised networks.

Spacecoin XYZ recently began building an orbital blockchain network. World Mobile is also rolling out a decentralised 5G system using hydrogen-powered drones to deliver affordable, high-speed internet to underserved regions.

Blue Origin’s ties to crypto go back years. In 2021, Tron founder Justin Sun purchased a $28 million ticket for a Blue Origin flight, with the funds benefiting 19 space-related charities.

Following the journey, Sun called for global action to protect Earth, a message that resonates as technology and space exploration continue to intersect.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

ECOSOC adopts CSTD draft resolution on WSIS outcomes implementation

On 29 July 2025, the UN Economic and Social Council (ECOSOC) adopted a resolution titled ‘Assessment of the progress made in the implementation of and follow-up to the outcomes of the World Summit on the Information Society‘.

Prepared by the Commission on Science and Technology for Development (CSTD) and adopted as a draft at the Commission’s 28th meeting in April 2025, the resolution outlines several vital recommendations for possible outcomes of the ongoing process dedicated to the review of 20 years of implementation of outcomes of the World Summit on the Information Society (the so-called WSIS+20 review process):

  • A recommendation is that, as an outcome of the WSIS+20 process, commitments outlined in the Global Digital Compact (GDC) are integrated into the work of WSIS action lines by the action lines facilitators (para 131).
  • A recommendation regarding strengthening the UN Group on the Information Society (UNGIS), by including further UN offices with responsibilities in matters of digital cooperation, as well as multistakeholder advice on its work, as appropriate (para 132).
  • A recommendation that UNGIS is tasked with developing a joint implementation roadmap, to be presented to CSTD’s 29th session, to integrate GDC commitments into the WSIS architecture, ensuring a unified approach to digital cooperation that avoids duplication and maximises resource efficiency (para 133).
  • A call for strengthening the CSTD in its role as an intergovernmental platform for discussions on the impact and opportunities of technologies to achieve sustainable development goals (para 134).

The resolution also emphasises the role of CSTD in the GDC’s follow-up and review process and the need to ensure the strongest possible convergences between the implementation of WSIS outcomes and the Compact to avoid duplication and enhance synergies, efficiencies, and impact (para 135).

ECOSOC adopted the resolution without discussion and by consensus. When discussed at CSTD in April, the draft resolution was adopted by a vote of 33 in favour and one against; the USA, which voted against, explained its vote.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Towards a unified digital future: WSIS+20 and GDC seek synergy, not redundancy

At the WSIS+20 High-Level Event in Geneva, global digital leaders gathered to align two major initiatives shaping the future of digital governance: the WSIS+20 Review and the Global Digital Compact (GDC). With resource efficiency and institutional coherence high on the UN’s agenda, the session emphasised avoiding duplication and building on two decades of WSIS infrastructure, rather than creating new frameworks.

Discussions pointed to a shared vision: a streamlined and inclusive approach to digital governance rooted in collaboration and practical results. Co-facilitators from Kenya and Albania, UN agency leaders, and the EU representatives voiced strong consensus that the WSIS legacy—built on multistakeholder participation—should remain central to the digital governance agenda.

Amandeep Singh Gill, the UN’s tech envoy, noted that the GDC already incorporates WSIS principles and advocates reliance on existing mechanisms like the WSIS Forum and the Internet Governance Forum. Proposals such as the EU’s idea of developing action line ‘roadmaps’ were well received as practical tools to embed GDC principles within the WSIS ecosystem.

UNESCO’s Assistant Director-General for Communication and Information Tawfik Jelassi and ITU’s Deputy Secretary-General Tomas Lamanauskas stressed that digital governance isn’t just about structure but outcomes that directly impact communities, from remote healthcare access to digital ID solutions. Calls to uphold the ‘progressive language’ of the GDC highlighted concern over backsliding amid geopolitical tensions, while the need for hybrid governance—blending state authority with stakeholder inclusivity—was cited as a promising way forward.

Ultimately, the session closed on a constructive note: WSIS+20 and the GDC must not compete but complement each other, delivering real-world digital transformation without adding bureaucratic layers. The challenge now lies in operationalising this consensus—coordinating reporting mechanisms, leveraging forums, and ensuring that every digital policy yields tangible benefits for people worldwide.

Track all key events from the WSIS+20 High-Level Event 2025 on our dedicated page.