The European Data Protection Supervisor (EDPS), Germany’s Federal Commissioner for Data Protection and Freedom of Information, and the Bavarian Data Protection Commissioner will host a high-level debate on the European Commission’s Omnibus proposals. The event, titled ‘From Omnibus to Opportunity: Driving Data Protection and Innovation’, will take place in Brussels on 8 June.
The debate will examine the Omnibus proposals and their potential implications for the GDPR and the wider EU digital regulatory framework. The event is hosted by the Representation of the Free State of Bavaria to the European Union.
According to the EDPS, the proposals introduce targeted adjustments affecting elements of the EU digital acquis, including aspects of the GDPR and the AI Act. Their stated objective is to simplify compliance requirements and reduce administrative burdens while maintaining a high level of protection for fundamental rights.
Discussions will focus on legal certainty, regulatory coherence, preserving the GDPR’s level of protection, and identifying ways to strengthen fundamental rights, innovation and competitiveness across the EU.
The Omnibus proposals have become a focal point in wider debates about how the European Union can strengthen competitiveness and innovation while preserving high standards of data protection and fundamental rights.
The discussion highlights growing efforts to balance regulatory simplification with legal certainty and effective safeguards, particularly as the EU seeks to implement complex frameworks such as the GDPR and AI Act while supporting digital innovation and economic growth.
India’s Central Consumer Protection Authority has fined PhysicsWallah and McAfee Software India for using dark patterns that the regulator said misled consumers and influenced their choices on digital platforms.
PhysicsWallah was fined ₹5 lakh, while McAfee was fined ₹1 lakh. Both companies were directed to remove the practices from their platforms and ensure that users can make informed choices without pressure or manipulation.
The action was taken under the Consumer Protection Act 2019, the Consumer Protection (E-Commerce) Rules 2020, and the Guidelines for Prevention and Regulation of Dark Patterns 2023.
In the PhysicsWallah case, the regulator found that a ₹10 donation to the PW Foundation was automatically selected during checkout and added to the total payable amount without the consumer’s explicit consent. Users were also shown emotional messages related to children’s education, healthcare, and marriages that encouraged them to keep the donation selected.
The CCPA also found that courses advertised as free could only be accessed after users shared personal information such as a mobile number and email address. The regulator said the content remained the same across user accounts, indicating that mandatory data collection was not necessary to access the courses.
The authority identified basket sneaking, confirm shaming, and forced action in the PhysicsWallah case. It also said the practices raised serious consumer protection concerns because many users on the platform are students, including minors.
In the McAfee case, the CCPA found that users deciding whether to renew subscriptions were shown options such as ‘Renew Now’ and ‘Accept Risk’. The authority said the wording portrayed non-renewal as a risky decision and created pressure on consumers to continue their subscriptions.
The regulator identified confirmation shaming, interface interference, trick questions, and forced action in McAfee’s renewal process, saying consumers should be able to make subscription decisions freely and without fear-based messaging or misleading design.
The CCPA said the orders form part of its continued action against dark patterns in digital marketplaces. It reiterated that consumer consent must be explicit, informed, and free from manipulative design practices.
Why does it matter?
The penalties show that dark pattern rules in India are moving from guidance to enforcement. By targeting pre-selected donations, emotionally loaded opt-out messages, forced data sharing, and fear-based subscription renewal design, the CCPA is signalling that manipulative interface design can be treated as a consumer protection violation, not just a poor user experience.
Brazil’s telecommunications regulator, Anatel, has approved a new AI governance policy aimed at ensuring the ethical, secure, and transparent use of AI across its regulatory and administrative activities. The framework positions the agency among public institutions in Brazil that are proactively addressing the challenges and opportunities of AI-driven transformation.
Developed by the agency’s IA.lab research group, the policy establishes principles including human oversight, transparency, data security and the protection of fundamental rights. It also creates a permanent forum to monitor AI use, assess risks, and support decision-making, ensuring AI complements rather than replaces human judgment in regulation.
A key objective of the policy is to strengthen technological sovereignty by encouraging the development and adoption of AI solutions built in Brazil and, where appropriate, trained on local data and optimised for Portuguese-language use cases.
The policy also lays the groundwork for a broader national AI strategy within the agency, designed to expand responsible innovation across telecommunications regulation and public service delivery.
Anatel said the governance model is intended to balance innovation and accountability, enabling the use of AI to improve efficiency while maintaining security, trust and regulatory integrity.
Why does it matter?
The policy places Anatel among a growing number of public-sector regulators establishing formal governance frameworks for AI. As regulatory agencies increasingly adopt AI tools, questions around transparency, accountability, human oversight and risk management are becoming central to public trust.
The framework also reflects broader efforts by governments to promote technological sovereignty by supporting domestic AI capabilities while ensuring that innovation aligns with legal, ethical and public-interest objectives.
The Aithos Research Foundation has launched Aithos LARA (Legal Assessment for Real-world Agents), a public evaluation framework designed to assess whether AI agents comply with key European legal requirements.
The framework places AI models in simulated workplace and consumer-service scenarios where completing assigned tasks may involve actions that conflict with provisions of the EU AI Act or the General Data Protection Regulation (GDPR).
According to Aithos, an initial evaluation involving more than 3,000 tests across 12 frontier AI models found that none consistently met acceptable levels of legal compliance. Compliance rates ranged from 7% to 54%, with the highest-performing model adhering to legal requirements in only slightly more than half of the assessed scenarios.
The research suggests that current frontier AI systems may prioritise task completion over legal obligations when operating with a high degree of autonomy.
Furthermore, the study assessed compliance with six provisions of the EU AI Act and four core GDPR principles, including transparency, lawful processing, data minimisation and purpose limitation.
Researchers reported instances in which models generated outputs that would conflict with some of the AI Act’s prohibited practices, including exploiting vulnerable individuals, conducting emotion recognition in workplace environments and engaging in forms of manipulation prohibited under European law.
To increase transparency, Aithos has made evaluation transcripts, model outputs and judicial assessments publicly available. The organisation argues that independent and public oversight can complement company-led governance efforts by providing greater transparency into how AI systems behave in legally and ethically sensitive contexts.
Why does it matter?
The findings highlight the challenges of deploying AI agents in regulated environments where legal compliance is essential. As organisations increasingly explore AI for customer service, human resources, finance and operational decision-making, ensuring that systems comply with data protection and AI regulations is becoming a key governance requirement.
The research also underscores the growing importance of independent testing and oversight mechanisms as policymakers and regulators seek to evaluate how autonomous AI systems behave in real-world scenarios.
International Labour Organization (ILO) Director-General Gilbert F. Houngbo has called for a human-centred approach to AI at the opening of the 114th International Labour Conference in Geneva. He said the future of work would depend not only on technological advances, but also on the policies, institutions and social dialogue shaping their impact on people’s lives.
Drawing on his report ‘A Moment of Choice: Harnessing Artificial Intelligence for Decent Work’, Houngbo outlined an agenda focused on rights, employment and skills, social protection, and social dialogue. He argued that productivity gains generated by AI should be shared through higher wages, stronger labour protections and more inclusive economic growth.
Houngbo warned that decisions taken today would determine whether AI expands opportunity and shared prosperity or contributes to greater inequality and insecurity. He also situated AI governance within a broader context of economic uncertainty, citing ILO estimates that a prolonged oil-price shock could reduce global working hours by the equivalent of millions of full-time jobs and lead to significant labour income losses by 2027.
Delegates will also hold a second discussion on decent work in the platform economy, with the aim of developing new international labour standards. The draft Convention and Recommendation cover employment promotion, protections for digital platform workers, and provisions relating to automated systems used by digital labour platforms.
Delegates from governments, employers, and workers will also address gender equality, social dialogue, tripartism, and the application of labour standards. The conference, which brings together representatives from the ILO’s 187 Member States, will run until 12 June.
Why does it matter?
As AI becomes increasingly integrated into workplaces, governments, employers and workers are debating how productivity gains, skills requirements and labour protections should evolve. The ILO’s focus on human-centred AI reflects growing international efforts to ensure that technological change supports decent work rather than exacerbating inequality.
The discussions are also significant because they could influence future international labour standards for platform work and the use of automated systems in employment, helping shape how AI affects workers worldwide.
The World Health Organization (WHO) has published a discussion paper examining how AI could reshape evidence-informed health policymaking. The paper, titled ‘Artificial intelligence and evidence-informed policy – emerging challenges and opportunities’, examines how AI can affect the way health problems are defined, policy options are designed, and impact is assessed.
The paper was developed jointly by WHO’s Department of Data, Digital Health, Analytics and AI and its Department of Science for Health. It is intended for policy-makers, regulators, health managers, and AI developers, and organises its analysis around the policy cycle, from understanding problems to designing solutions and monitoring implementation.
According to the paper, AI can strengthen policy analysis through the use of larger datasets, continuous evidence synthesis and faster scenario modelling. The paper also identifies risks throughout the policy cycle, including data bias, excessive focus on measurable indicators, digital divides, cybersecurity vulnerabilities and the possibility that automated monitoring systems could gradually shift policy implementation away from its original objectives.
A recurring concern is what the paper describes as ‘epistemic injustice’, whereby AI systems may prioritise quantifiable and data-rich evidence while overlooking lived experience, local expertise, Indigenous knowledge and community-based perspectives. WHO says existing evidence-informed policymaking tools and AI governance frameworks already converge on transparency, participatory engagement, rights protection, and risk-based oversight.
WHO recommends conducting algorithmic impact assessments and technology readiness reviews before deploying AI systems in policymaking processes. Once systems are deployed, WHO recommends continuous evidence-review processes, human verification mechanisms and multidisciplinary oversight, emphasising that AI should support rather than replace human judgement in health policymaking.
Why does it matter?
AI is increasingly being used to analyse large datasets, model policy scenarios and support public-sector decision-making. As governments and international organisations explore these capabilities, questions about transparency, accountability, bias and human oversight are becoming more important.
WHO’s recommendations highlight the need to balance AI’s analytical potential with safeguards that protect human rights, ensure inclusive policymaking and maintain human responsibility for policy decisions.
The Computers, Privacy and Data Protection (CPDP) conference is an annual gathering that brings together academics, policymakers, industry representatives, civil society, students, and EU institutions to discuss emerging digital policy challenges. This year’s edition, the 19th in the series, had the theme ‘Competing Visions, Shared Futures’ and hosted approximately 150 panels over the span of 3 days in Brussels.
What is CPDP?
CPDP’s value lies in its multidisciplinary approach. With academics presenting their work or debating topical issues, as well as with industry and policy experts bringing their expertise to the table, the event creates a space for honest conversations among participants.
The conference is sponsored by organisations such as Google, TikTok, Apple, as well as the European Data Protection Supervisor (EDPS), European Union Agency for Fundamental Rights (FRA) and VBU. Google even presented its Banana AI model in a photo booth, allowing participants to modify photos they took in the booth.
Alongside panels, CPDP hosts an array of workshops, short films, artwork, radio programming, promotion booths, dedicated DPO, youth, finance and IT tracks, book launches, and pop-up exhibitions. The event always closes the day in style with an open bar and a party to chat and network at.
CPDP is not a typical conference with just panels, attendees, moderators, and lengthy speeches. The conference inspires creativity and gives the freedom to achieve it. This was proven by the diverse topics showcased in the event’s schedule over the three days.
The programme ranged from a fireside chat with Simon Denny, the artist behind the conference’s art, who uses AI as a medium in some of his work, to typical discussions about the Digital Omnibus or period-tracking apps, all the way to an exiled journalist talking about Russian internet censorship. There was something for everyone.
What was presented?
The breadth of topics discussed at CPDP offers insight into the issues currently shaping Europe’s digital policy agenda. There were approximately 150 panels in total, with data protection, AI, the Digital Omnibus and the topics of digital sovereignty receiving the most attention. Data protection received the most attention overall, as 33 panels were dedicated to the topic. This was followed by 26 panels on AI, 12 on the Digital Omnibus, 10 on digital sovereignty, and 7 on child-related protection.
The distribution of panels reflects the growing prominence of AI in digital policy discussions. However, data protection topics, including privacy and the GDPR, are still the frontrunners in terms of topic relevance. Newer and emerging topics reveal what is topical in the digital world.
Growing concerns over US tech reliance have intensified discussions about EU digital sovereignty. Alongside this, another heavily debated and sensitive topic is child protection in the online context and its generative AI implications, which raises questions about how to better protect children online.
Emerging topics at CPDP
Digital sovereignty is a challenging topic as it encompasses a lot and has yet to be defined, meaning that taking action can look different for a wide variety of actors. Several discussions framed digital sovereignty as a pathway towards greater digital independence and reduced reliance on external technology providers. In order to try to achieve digital sovereignty, public procurement should be steered away from non-EU actors and towards EU businesses to develop a European stack.
Yes, private partnerships are important, but public ones set the tone. Several participants argued that public procurement choices will play an important role in determining whether the EU can strengthen domestic digital capabilities and reduce strategic dependencies. Digital sovereignty needs to come from all corners of the market and society; that is the challenge.
One very interesting panel covered data protection and AI, the GDPR, and privacy. In Academic Session I, Stephanie von Maltzan presented findings from her groundbreaking research on LLM unlearning. The larger the LLM, the more data points it will be trained on and the more complex its ‘web’ will be.
Removing data points is not a common practice, given how data points interact with each other, meaning that complexity overrides certain fundamental rights. For example, when data subjects invoke their right to erasure under Article 17 of the GDPR, they may request that certain data be deleted in an LLM, yet this request is difficult to carry out in practice.
The research highlights one of the emerging challenges at the intersection of AI governance and data protection. She presents a two-tier model in which the actively deployed LLM is accompanied by a parallel ‘shadow’ model.
After receiving a valid erasure request, the ‘shadow’ model would undergo the necessary unlearning processes to remove the relevant data. In the second tier, in a scheduled update, the ‘shadow’ model, which had undergone unlearning, would replace the initial LLM, thereby upholding data subject requests.
Apart from these insightful exchanges of knowledge on AI, digital sovereignty and data protection, the conference offered practical workshops on how to brainstorm re-writing the proposed Article 88b of the Omnibus, data protection officer and cybersecurity crisis scenarios, as well as open conversations about how to protect children in online environments.
Remaining questions
The conference also highlighted several unresolved policy questions that continue to shape European digital governance debates.
Regarding the Digital Omnibus, would companies scale up overnight if we removed regulations?
Does digital sovereignty need/have a definition, or should it be left to the meaning of ‘digital independence’?
Open markets vs data protection, where is the balance?
Regarding digital sovereignty, which clouds should be used in the EU?
Should simplification mean using the once-used definition of personal data by the CJEU, or sticking to the definition relied on in law, cases, and practice?
In order to protect EU sovereignty, should parts of the stack be a public utility?
Why does it matter?
CPDP 2026 demonstrated that while privacy and data protection remain central pillars of European digital policy, debates around AI governance, digital sovereignty and online child protection are rapidly gaining prominence.
The discussions highlighted the growing challenge of balancing innovation, competitiveness, fundamental rights and strategic autonomy as Europe defines its digital future.
The Organisation for Economic Co-operation and Development has published a policy paper examining how national security considerations are increasingly influencing competition enforcement across a growing range of sectors.
The report highlights the impact of geopolitical developments, technological change, and stronger attention to economic security, resilience, and technological capability. National security issues are increasingly intersecting with competition policy in areas such as energy, telecommunications, and advanced technologies.
The paper explores how competition authorities should address these concerns while maintaining their established legal and analytical responsibilities. It argues that security concerns should be assessed by competition authorities only where they can be expressed as competition-relevant effects under established competition law tools.
Concerns that fall outside the analytical remit of competition authorities should instead be assessed by governments or specialised bodies, according to the OECD.
The paper proposes an analytical framework to distinguish between national security concerns that can be examined through competition law and those that require separate institutional assessment.
Drawing on cross-jurisdictional experience, the OECD examines how national security considerations can arise in assessments of competitive constraints, merger control, coordinated conduct, unilateral conduct, and remedy design.
The paper concludes that preserving clear institutional roles, legal predictability, analytical boundaries, and effective enforcement will become increasingly important as national security considerations continue to shape economic policymaking.
Why does it matter?
The paper reflects a growing tension in competition policy: governments increasingly view sectors such as energy, telecommunications, and advanced technologies through a national security lens, but competition authorities still need clear legal boundaries. OECD’s framework aims to prevent competition enforcement from becoming a catch-all tool for broader security or industrial policy concerns, while still allowing authorities to consider security-related issues when they have measurable competition effects.
Singapore’s Personal Data Protection Commission (PDPC) has launched a public consultation on proposed advisory guidelines governing the use of personal data in generative AI systems. Published on 2 June, the draft guidelines seek feedback on how Singapore’s Personal Data Protection Act (PDPA) applies when personal data is used in the development and deployment of generative AI systems.
The proposed guidelines address the collection and use of personal data for generative AI model development, the allocation of data protection responsibilities across the AI lifecycle, and the handling of individual rights requests relating to personal data. The guidance is organised around development, deployment, and post-deployment stages.
For model development, the draft guidelines clarify how organisations may rely on exemptions for publicly available information when using web-scraped datasets containing personal data. They also set out considerations for data behind digital barriers such as paywalls, registration requirements, authentication mechanisms, and tools that block automated access.
The PDPC proposes that general privacy notices should not be considered sufficient for obtaining consent to use personal data for large-scale AI training or fine-tuning. Organisations would instead be expected to provide AI-specific notices explaining the categories of personal data used, the purpose of the processing, the model’s intended functions, and how individuals can refuse or withdraw consent.
The proposed guidelines also outline responsibilities for model providers, system providers, and system deployers, including retention, protection, purpose limitation, and accountability obligations. The post-deployment guidance addresses access and correction requests while recognising technical challenges associated with large datasets, embeddings, temporary context windows and the removal of specific information from trained models. Interested parties may submit comments to the PDPC by 1 July 2026.
Why does it matter?
The consultation highlights the growing challenge of applying existing data protection laws to generative AI systems that rely on large-scale data collection and model training. Regulators worldwide are increasingly examining how privacy principles such as consent, transparency and purpose limitation should operate in AI development.
Singapore’s proposed guidance could provide an important reference point for organisations developing or deploying generative AI, particularly in areas such as web scraping, AI training datasets and the allocation of responsibilities across the AI value chain.
The European Commission has appointed two new expert bodies to support the implementation and enforcement of the EU’s AI Act. The Scientific Panel and Advisory Forum will provide independent expertise to the Commission’s AI Office and national authorities responsible for supervising compliance with the regulation.
The Scientific Panel comprises 60 independent experts from fields including frontier AI research, engineering, technical auditing, industry, and societal impact assessment. The panel will focus on general-purpose AI (GPAI) models and systems, systemic risk assessment, model classification, evaluation methodologies, and cross-border market surveillance.
Alongside the panel, the Commission has established an Advisory Forum bringing together representatives from academia, civil society, industry, startups and SMEs. The forum will provide technical advice on implementation challenges, standardisation efforts, and broader issues related to the enforcement of the AI Act.
Several EU agencies will hold permanent seats in the forum, including the European Union Agency for Fundamental Rights (FRA) and the European Union Agency for Cybersecurity (ENISA). Members of both bodies will serve two-year terms and are expected to contribute to the consistent application of the AI Act across the European Union.
Why does it matter?
The AI Act introduces a comprehensive regulatory framework for AI systems in the EU, including specific obligations for general-purpose AI models.
The new expert bodies are intended to strengthen the Commission’s technical capacity, support coordinated enforcement across Member States, and provide independent expertise on emerging risks, standards, and compliance challenges as AI technologies continue to evolve.