EDPB orders Belgian regulator to examine VRT cookie complaint

The European Data Protection Board (EDPB) has instructed the Belgian Data Protection Authority to examine a complaint about VRT cookie banners on its merits rather than dismissing it as an alleged abuse of rights under the GDPR.

The EDPB published its binding decision of 28 May 2026 following a dispute between the Belgian and Austrian data protection authorities. The case concerns cookie banners used by Belgium’s public broadcaster, Vlaamse Radio-en-Televisieomroeporganisatie (VRT).

Austrian privacy organisation Noyb lodged the complaint with the Austrian Data Protection Authority on behalf of an individual. Because VRT is based in Belgium, the Belgian authority acted as the lead supervisory authority under the GDPR’s one-stop-shop mechanism.

The Belgian regulator proposed dismissing the VRT cookie banner complaint, arguing that the complainant had abused the rights provided under Articles 77 and 80(1) of the GDPR.

The Austrian DPA objected, arguing that the complaint should not be rejected on procedural grounds. Instead, it said the Belgian authority should assess the substance of the allegations and determine whether VRT’s cookie banners complied with the GDPR.

After the Belgian DPA declined to follow the objection, it referred the dispute to the EDPB under Article 65(1)(a) of the GDPR.

The EDPB concluded that the Austrian authority’s objection was both relevant and reasoned. Applying the Court of Justice of the European Union’s test for abuse of rights, the Board found that neither the objective nor the subjective element required to establish abuse had been demonstrated.

The decision does not determine whether VRT’s cookie banners violate the GDPR. Instead, it requires the Belgian DPA to assess the complaint on its merits and submit a new draft decision to the other supervisory authorities involved under Article 60(3) of the GDPR.

Why does it matter?

The decision reinforces the principle that GDPR complaints should generally receive a substantive assessment rather than being dismissed on procedural grounds without clear evidence of abuse. It also clarifies the high threshold regulators must meet before concluding that individuals have misused their rights under the GDPR.

The ruling further strengthens the GDPR’s cross-border enforcement system by confirming the role of the EDPB in resolving disputes between national data protection authorities and promoting consistent application of EU data protection law.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

European Commission prepares new EU child safety online legislation

The European Commission has received the report of its Special Panel on Child Safety Online, with President Ursula von der Leyen confirming that legislative proposals to strengthen children’s online protection will be presented after the summer.

Von der Leyen described the report as an important evidence base for future policymaking and said its recommendations would inform the Commission’s forthcoming legislative proposals.

The Commission highlighted growing concerns about the impact of social media on children’s mental health and wellbeing, pointing to excessive screen time, addictive platform design, cyberbullying and exposure to harmful content as key risks facing young users.

According to the Commission, online platforms should be responsible for ensuring their services are safe by design, just as manufacturers are responsible for the safety of physical products.

The Commission also stressed the need for stronger age-appropriate protections, highlighting the forthcoming EU age verification application as a privacy-preserving tool that could give parents greater control over children’s access to online services.

Von der Leyen also said Europe should consider introducing a minimum age for access to social media and other digital services with addictive or age-inappropriate features, describing any future approach as gradual and guided by scientific evidence.

The Commission will now examine the panel’s recommendations alongside input from parents, educators, researchers, young people, member states and international partners before preparing legislative proposals aimed at strengthening children’s rights and safety online.

Why does it matter?

The Commission’s announcement signals that child online safety is moving higher up the EU’s digital policy agenda. Beyond enforcing existing rules under the Digital Services Act and AI Act, Brussels is now considering additional legislation that could introduce stronger platform obligations, age verification measures and possible minimum-age requirements for certain online services.

If adopted, these proposals could significantly reshape how platforms design and deliver services for younger users, reinforcing a broader regulatory shift towards safety by design and greater platform accountability across the European Union.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

UK brings major cloud providers under financial oversight

The UK government has designated Microsoft, Google Cloud, Amazon Web Services (AWS) and Oracle as Critical Third Parties (CTPs), bringing the major cloud providers under direct financial regulatory oversight for the first time.

From 13 July 2026, the four companies will come under direct oversight by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), with the aim of strengthening the operational resilience of the UK financial system.

The new regime reflects the financial sector’s growing dependence on cloud infrastructure. Regulators will be able to assess the resilience of critical services, gather operational information and require providers to address risks that could disrupt banking, insurance or financial market infrastructure.

The oversight applies only to services considered systemically important to the financial sector, rather than to the companies’ wider commercial operations.

The UK government described the framework as a proportionate, risk-based approach designed to reduce the likelihood of widespread service disruptions affecting millions of consumers and businesses. It also said additional technology providers could be designated in the future if they meet the statutory threshold for systemic importance.

Microsoft, Google Cloud, AWS and Oracle all welcomed the framework, saying they would comply with the new requirements and continue supporting the resilience of the UK’s financial sector.

Why does it matter?

The designation marks a significant shift in financial regulation by extending direct oversight beyond banks and financial institutions to the technology providers that underpin critical financial services. As cloud infrastructure becomes increasingly central to banking, payments and financial markets, regulators are treating operational resilience as a systemic issue rather than solely a commercial responsibility.

The UK’s approach could also influence regulators in other jurisdictions. As financial institutions become more dependent on a small number of hyperscale cloud providers, governments may increasingly seek direct oversight of technology companies whose services have become essential to the stability of critical sectors.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

European Commission preliminarily finds Meta’s addictive platform design breaches the DSA

The European Commission has issued preliminary findings that Meta’s design of Instagram and Facebook breaches the Digital Services Act (DSA), arguing that features designed to maximise engagement may encourage compulsive use and fail to adequately protect children and other vulnerable users.

The investigation focuses on platform features including infinite scroll, autoplay, push notifications and highly personalised recommender systems.

According to the Commission’s preliminary assessment, Meta failed to properly evaluate the risks these features pose to users’ physical and mental well-being. Investigators found that personalised recommendations, continuous content feeds and engagement-driven formats such as Reels and Stories can encourage excessive use, particularly among younger users.

The Commission also said Meta failed to adequately consider evidence showing that children spend significant time on Instagram and Facebook during nighttime hours.

The Commission also concluded that Meta’s existing mitigation measures are insufficient. Screen time tools, including those enabled by default for teenagers, can easily be dismissed and do not meaningfully reduce usage.

Parental controls were also found to require considerable technical knowledge and active supervision, while educational resources available through Meta’s Safety Centre were considered inadequate to mitigate the risks associated with addictive platform design.

According to the Commission, Meta should redesign several core platform features, including disabling autoplay and infinite scroll by default, introducing more effective screen-time reminders and reducing the engagement-driven nature of its recommender systems.

The findings are preliminary, and Meta now has the opportunity to examine the Commission’s evidence and submit a formal response before a final decision is adopted. If the infringement is ultimately confirmed, the company could face fines of up to 6% of its global annual turnover under the Digital Services Act.

Why does it matter?

The case represents one of the EU’s most significant attempts to regulate platform design rather than online content. If confirmed, it would establish an important precedent for how very large online platforms design recommender systems, engagement mechanisms and user interfaces under the Digital Services Act, particularly where children and vulnerable users are concerned.

More broadly, the case signals that European regulators are increasingly willing to scrutinise the business models underpinning social media platforms, not just the content they host. That could influence how digital platforms design engagement features well beyond the EU.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

UNESCO supports Tanzania judicial curriculum on AI and rule of law

UNESCO has supported the development of Tanzania’s first judicial curriculum on AI, helping judges and justice sector professionals address the technology’s growing impact on courts, human rights and the rule of law.

Developed with the Institute of Judicial Administration (IJA) in Lushoto, the competency-based programme is designed for judges, magistrates, judicial trainers, court administrators and other justice sector professionals. It aims to strengthen their ability to understand, assess and make informed decisions about AI while safeguarding judicial independence, due process and fundamental rights.

The initiative supports Tanzania’s broader digital transformation of the justice sector. As courts adopt more digital technologies, judicial officers are expected to face new questions surrounding AI-generated evidence, algorithmic bias, transparency, accountability and the protection of human rights.

The curriculum is designed for long-term institutional use through induction courses, executive education, continuing judicial education and train-the-trainer programmes, allowing judicial expertise to evolve alongside advances in AI.

It draws on UNESCO’s global AI governance instruments, including the Recommendation on the Ethics of Artificial Intelligence, the Global Toolkit on AI and the Rule of Law for the Judiciary, the Guidelines for the Use of AI Systems in Courts and Tribunals, the Ethical Impact Assessment methodology, and guidance on generative AI in education and research.

Adapted to the legal and institutional context of Tanzania, the curriculum combines practical instruction with case studies, judicial simulations and hands-on exercises. Participants will examine AI-generated evidence, identify algorithmic bias, assess human rights risks and practise decision-making while preserving judicial independence.

UNESCO has also produced an instructor’s guide for IJA faculty, including lesson plans, practical exercises and assessment tools to support executive education, continuing judicial training and future train-the-trainer programmes.

The initiative reflects UNESCO’s broader effort to translate global AI governance principles into practical institutional capacity. By focusing on the judiciary, it aims to ensure that AI strengthens justice systems without undermining fairness, accountability or public trust.

Why does it matter?

The initiative treats AI and the rule of law as a practical judicial capacity challenge rather than simply a technology policy issue. As AI becomes more common in legal disputes, evidence and court administration, judges will increasingly need the knowledge to assess its use while protecting due process, judicial independence and fundamental rights.

The programme also illustrates a broader shift in AI governance from developing high-level principles to building institutional capacity. Equipping judges with practical AI knowledge could become an increasingly important part of maintaining public trust in justice systems as AI adoption expands.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Greece begins parliamentary debate on EU AI Act implementation

Greece has introduced a draft law to implement the EU AI Act, becoming one of the first EU member states to establish a comprehensive national governance framework for enforcing the regulation.

The legislation aims to promote the safe, trustworthy and human-centred use of AI while protecting fundamental rights and supporting innovation, entrepreneurship and economic competitiveness.

The draft law designates the Hellenic Data Protection Authority as the national market surveillance authority and national contact point under the AI Act, while assigning the Hellenic Telecommunications and Post Commission as the notifying authority.

It also establishes an Artificial Intelligence Coordination and Know-how Centre to provide technical expertise to regulators, alongside a unified complaints mechanism and an administrative sanctions framework to support enforcement.

To encourage responsible innovation, the proposal introduces an AI regulatory sandbox, allowing startups and small and medium-sized enterprises to test AI applications under regulatory supervision.

The legislation also creates a Unified Registry of Public Artificial Intelligence Systems to strengthen transparency and accountability, while expanding the role of Greece’s AI Observatory in monitoring implementation of the National AI Strategy.

According to the Ministry of Digital Governance, the framework follows the AI Act’s risk-based approach by applying oversight measures proportionate to the risks posed by different AI systems.

The proposal builds on Greece’s broader AI strategy, including the creation of the Special Secretariat for Artificial Intelligence and Data Governance, with the aim of balancing innovation, economic development and the protection of fundamental rights.

Why does it matter?

Greece is positioning itself among the first EU member states to translate the AI Act into operational national institutions and enforcement mechanisms. By establishing supervisory authorities, a regulatory sandbox and governance structures ahead of key implementation deadlines, the country aims to provide greater legal certainty for businesses while supporting responsible AI innovation.

The legislation also illustrates how the AI Act will increasingly be implemented through national institutions rather than EU bodies alone. As other member states develop their own enforcement frameworks, differences in implementation could shape how consistently the regulation is applied across the European Union.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

European Parliament advances child safety privacy balance

The European Parliament has adopted amendments to a temporary exemption from the EU’s ePrivacy rules, seeking to preserve voluntary detection of child sexual abuse material while strengthening protections for end-to-end encrypted communications.

MEPs voted to exclude communications protected by end-to-end encryption from the scope of the temporary derogation, reinforcing privacy protections while maintaining support for voluntary detection measures.

The amendments were adopted during Parliament’s second reading of the proposal. Although a simple majority initially voted to reject the Council’s position, the motion failed because it did not reach the required absolute majority of 360 votes. Parliament therefore proceeded to adopt amendments instead.

The amended text now returns to the Council, which has three months to approve or reject Parliament’s changes. If the Council does not accept all of the amendments, the proposal will move to conciliation negotiations.

The temporary derogation is intended to prevent a legal gap following the expiry of the previous exemption in April 2026. It allows electronic communications providers to continue voluntarily detecting, removing and reporting child sexual abuse material while EU institutions negotiate a permanent legal framework.

Earlier negotiations between the European Parliament and the Council failed to produce an agreement, allowing the previous temporary framework to expire before the proposal returned for a second reading.

At the same time, Parliament and the Council continue negotiations on a permanent legislative framework to combat child sexual abuse online. Most elements have already been agreed, with discussions continuing on issues such as the balance between child protection and fundamental rights, including privacy and secure communications.

Why does it matter?

The vote highlights the EU’s continuing effort to balance child protection with fundamental rights. By excluding end-to-end encrypted communications from the temporary derogation, Parliament is signalling that stronger safeguards against child sexual abuse should not come at the expense of weakening secure communications.

The decision also keeps voluntary detection measures in place while negotiations continue on a permanent framework. The outcome of those talks is likely to shape how the EU reconciles online safety, privacy and encryption in future digital regulation.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Ofcom fines adult platform over Online Safety Act age check failures

The UK communications regulator, Ofcom, has fined the operator of Fapello.com £630,000 for breaching the Online Safety Act, marking one of its most significant enforcement actions under the new regime.

The penalty includes £600,000 for failing to implement legally required age assurance measures to prevent children from accessing pornographic content, and a further £30,000 for failing to comply with a legally binding information request. Following Ofcom’s action, Fapello.com geoblocked users in the UK, although the regulator said it will continue monitoring compliance.

Ofcom also confirmed it has opened a new investigation into Bit Hive, operator of Eporner.com, to assess whether its age verification measures meet the Act’s requirement for ‘highly effective’ age assurance.

Separately, the regulator expanded its existing investigation into Kemono.cr to examine whether the platform failed to comply with statutory information requests.

Ofcom said robust age verification is a core requirement of the Online Safety Act and warned that providers failing to implement effective protections or cooperate with regulatory investigations should expect enforcement action, including substantial financial penalties.

The regulator added that it prioritises investigations according to user reach and will continue monitoring compliance across online pornography services.

Why does it matter?

The case demonstrates that the UK’s Online Safety Act has entered a new phase of active enforcement. Rather than focusing solely on guidance and compliance deadlines, Ofcom is now imposing financial penalties and investigating platforms that fail to implement effective child protection measures.

The decision also shows that enforcement extends beyond age verification itself. Companies that fail to cooperate with regulatory investigations or provide required information may face additional sanctions, reinforcing the regulator’s ability to oversee compliance across online platforms.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

European Commission takes four countries to EU court over NIS2 delays

The European Commission has referred Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union for failing to transpose the NIS2 Directive fully into national law.

The Directive strengthens the EU cybersecurity rules and sets common requirements for organisations operating in critical sectors.

Member states were required to transpose NIS2 by 17 October 2024, but the four countries have not notified the Commission of full implementation.

The referrals follow earlier infringement steps. The Commission sent letters of formal notice on 28 November 2024 and reasoned opinions on 7 May 2025.

The Commission is asking the Court to impose financial sanctions, including a lump sum and daily penalties until the countries notify complete transposition.

NIS2 applies to entities in 18 critical sectors, including health, energy, transport and public administration.

The Directive aims to improve national and EU-wide cyber resilience by strengthening risk management, incident response and security obligations for public and private entities.

The Commission said full implementation is essential for improving the EU’s overall resilience and the incident response capacity of organisations operating in critical sectors.

Why does it matter?

The referral shows that the Commission is prepared to enforce cybersecurity law against member states that fail to meet implementation deadlines. NIS2 is designed to create a more consistent baseline of cyber resilience across the EU, but delays in national transposition can leave organisations facing fragmented obligations and uneven enforcement. For critical sectors, consistent implementation is central to risk management, incident response and cross-border resilience.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

South Korea opens antitrust proceedings over Google app market practices

South Korea’s Fair Trade Commission has begun formal deliberation procedures over allegations that Google abused its dominant position in the Android app market.

The case follows an examiner’s report submitted to the Commission, which outlines suspected violations of the country’s Fair Trade Act.

According to the report, Google used its Games/Google Velocity Program, known internally as Project Hug, to provide financial support for services such as Google Cloud, Google Ads and YouTube.

In return, participating game developers were allegedly required to launch games on Google’s app marketplace on terms at least as favourable as those offered to rival platforms.

The examiner concluded that the programme reduced incentives for developers to distribute games through competing app marketplaces, including ONE store, while strengthening Google’s position in the Android app ecosystem.

The allegedly affected revenue was estimated at 14.16 trillion won, or about $9.1 billion. If violations are confirmed, potential penalties could reach up to 6% of that amount.

Google will have an opportunity to respond before the Commission reaches a final decision.

The case adds to wider global scrutiny of app-store competition and the ways dominant platforms use developer incentives, contracts and ecosystem services to shape market access.

Why does it matter?

The case shows how antitrust scrutiny of app stores is expanding beyond commission fees and payment systems into developer incentive programmes and platform-service bundles. If KFTC confirms the allegations, the decision could influence how dominant platforms structure support packages for developers and whether such programmes are treated as loyalty-inducing conduct. It also reinforces South Korea’s role as an active jurisdiction in digital-platform competition enforcement.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!