Privacy and data protection

Singapore launches new AI, cybersecurity and quantum-readiness programmes

Singapore has announced new initiatives aimed at supporting enterprise AI adoption, strengthening cybersecurity, and preparing digital infrastructure for future quantum-related risks.

The measures were announced at ATxEnterprise 2026 by Senior Minister of State for Digital Development and Information Tan Kiat How. They include new partnerships under the Digital Enterprise Blueprint, an AI adoption playbook for enterprises, SME awards recognising AI impact, and a pilot on quantum-safe technologies.

According to IMDA’s Singapore Digital Economy Report 2025, AI adoption among SMEs increased significantly during 2024.

IMDA and the Singapore Business Federation will introduce SME AI Impact Awards recognising enterprises using AI technologies in business operations. Up to 30 winners will be recognised across categories for proprietary AI tools and adoption of ready-to-use AI solutions.

The Digital Enterprise Blueprint is being expanded through partnerships involving AI training, digital skills development, and cybersecurity support for SMEs. One programme led by Grab will provide AI-related training and courses for SMEs in sectors including retail, e-commerce, and food services.

RSM Stone Forest IT will also launch cybersecurity initiatives involving phishing simulations, awareness webinars, and tabletop exercises for SMEs. With the two partnerships, IMDA aims to reach 12,000 more SMEs, contributing to its target of supporting 50,000 SMEs by 2029.

IMDA, SkillsFuture Singapore, and Workforce Singapore have also developed an AI for Enterprise Impact Playbook to help digitally progressive enterprises assess readiness, identify support, and plan next steps for AI adoption.

Singapore additionally announced a pilot initiative focused on quantum-safe technologies for telecommunications infrastructure. IMDA signed a Memorandum of Intent with Singtel, Ericsson, and NCS Singapore to test and validate quantum-safe migration approaches.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Malaysia expands online safety rules for platforms and digital services

Malaysia’s Communications and Multimedia Commission (MCMC) has published the Child Protection Code and Risk Mitigation Code under the Online Safety Act 2025, following stakeholder engagement and a public consultation held from 12 February to 31 March 2026.

The codes form part of Malaysia’s broader online safety framework and outline expectations for service providers addressing online harms. According to MCMC, the framework follows an outcome-based approach that allows providers flexibility in implementing safety measures.

The Child Protection Code focuses on age-appropriate online experiences and child-safety-by-design principles for digital services in Malaysia. The code includes safeguards related to account registration, ownership restrictions for younger users, and protections involving higher-risk platform features.

It also introduces age-appropriate protections and restrictions on high-risk features, aiming to reduce children’s exposure to exploitative interactions and harmful content.

The Risk Mitigation Code outlines measures related to risk assessments, content governance, reporting systems, advertiser verification, and labelling of manipulated content. Measures include risk assessments, stronger content governance, effective reporting and response mechanisms, advertiser verification, and labelling manipulated content where appropriate.

Both codes are scheduled to take effect on 1 June 2026, with a transition period for implementation and verification processes. MCMC said a reasonable grace period will be provided for service providers to complete the verification process effectively.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

ICO warns major platforms over lack of privacy-friendly age assurance

The UK Information Commissioner’s Office has warned that major platforms have not yet introduced viable and privacy-friendly age assurance measures to stop underage children from accessing services with minimum age limits.

The statement follows letters sent by the ICO in March to TikTok, Snapchat, Facebook, Instagram, YouTube, and X, calling on them to urgently review and strengthen measures to prevent underage children from accessing their services.

Responses from the platforms show that some services are taking, or considering, additional steps to protect children. However, the regulator said none had yet introduced new age assurance solutions that it considers both viable and privacy-friendly.

The ICO said it does not yet have confidence that appropriate measures are being put in place and raised concerns that underage children’s data is still being processed on platforms they should not be able to access.

The regulator warned that more progress is needed and said it is considering next steps, including formal investigations and sanctions. Platforms that set minimum age limits must have effective age assurance measures in place, it added.

The ICO said it will continue working closely with Ofcom, which enforces the Online Safety Act, to ensure underage users cannot access services that were not designed for them. It also said its response to the government’s ongoing consultation sets out how the ICO can act under data protection law.

Why does it matter?

The ICO’s warning shows that age assurance is becoming both a child safety and data protection issue. Platforms that set minimum age limits may face pressure not only to keep younger users away from unsuitable services, but also to avoid unlawfully processing children’s personal data when those users should not have access in the first place.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Europol dismantles cybercriminal VPN linked to ransomware investigations

Europol has announced that international law enforcement agencies dismantled the cybercriminal VPN platform known as First VPN during a coordinated operation targeting ransomware infrastructure and wider cybercrime networks.

The operation, led by authorities in France and the Netherlands with support from Eurojust, targeted infrastructure allegedly used by cybercriminals to conceal ransomware attacks, fraud, data theft and other illegal online activities.

Europol described the service as deeply embedded in the cybercrime ecosystem and said it had featured in almost every major Europol-supported cybercrime investigation over the past few years. The platform was allegedly promoted as an anonymity service for criminal use, offering anonymous payments, concealed infrastructure and tools intended to help users evade law enforcement detection.

Coordinated action days took place on 19 and 20 May, during which authorities dismantled 33 servers connected to the service and shut down associated domain names. Investigators also interviewed the alleged administrator in Ukraine and carried out a residential search linked to the operation.

According to Europol, investigators gained access to the platform’s infrastructure and user database during the investigation, which began in December 2021. The agency said the data helped identify users allegedly connected to ransomware campaigns, fraud schemes and other cybercrime operations across several jurisdictions.

Intelligence generated through the operation led to 83 intelligence packages being distributed internationally, information linked to 506 users being shared with partner agencies, and 21 Europol-supported investigations advancing through newly obtained evidence.

The operation also received support from cybersecurity company Bitdefender, while a joint investigation team coordinated by Eurojust facilitated judicial cooperation and evidence sharing among participating countries.

Why does it matter?

The takedown shows how law enforcement is increasingly targeting the infrastructure that enables cybercrime, not only the attackers themselves. VPN services marketed for criminal use can help ransomware actors and fraud networks hide their identity, route attacks and evade detection. By dismantling First VPN and obtaining user data, investigators can disrupt multiple cybercrime operations at once and strengthen ongoing ransomware investigations.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

UK Pensions Regulator publishes AI governance plan for pension schemes

The UK Pensions Regulator (TPR) has published an AI plan outlining expectations for governance and oversight of AI use in pension schemes.

TPR said AI may support pension administration, decision-making, and member engagement, while also creating operational and cybersecurity risks. According to the regulator, accountability remains with trustees and scheme managers even when AI systems or third-party providers are involved.

TPR Chief Executive Nausicaa Delfas said:

‘AI has the potential to transform pensions for the better: improving how schemes are run, how members are supported, and how the system as a whole delivers value.’

She added: ‘But trust is the most valuable asset in our system, and that trust depends on the safe and responsible adoption of AI in members’ interests.’

The plan recommends governance measures, including system testing, risk monitoring, fraud prevention, data management, and compliance with data protection requirements.

TPR’s plan sets out four areas of focus:

  • Ensuring schemes are well run and governed
  • Strengthening data foundations
  • Supporting responsible innovation
  • Using AI to become a more effective regulator.

TPR said it will continue coordinating with the Financial Conduct Authority on regulatory alignment across the pensions sector.

The regulator also said it has used AI-supported processes to identify pension scam websites and support enforcement actions. Further guidance and industry engagement activities are planned later this year.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Australia’s regulator targets AI-nudify platform over child safety and deepfake risks

Australia’s eSafety Commissioner has begun enforcement action against another AI-powered ‘nudify’ service accused of failing to protect children from exposure to sexually explicit deepfake images.

The regulator issued a formal Direction to Comply to one of the most visited nudify services in Australia, giving the provider 14 days to implement stronger protections preventing children from accessing the platform. eSafety said the service allows users to upload images of real people and generate sexually explicit deepfake content on demand.

The regulator warned that such technologies can facilitate non-consensual exploitation, cyberbullying, sexual extortion, image-based sexual abuse, misogynistic harassment and exploitation of minors. The service had attracted nearly 40,000 Australian visits per month as of March 2026, following a sharp increase in traffic over the previous six months.

The enforcement action was taken under Australia’s Age-Restricted Material Codes, which came into force in March 2026. The codes are designed to prevent children from accessing or being exposed to age-restricted material, including pornography, high-impact violence, self-harm, suicide or disordered eating content.

eSafety said the Argentina-based provider failed to respond to earlier engagement after the codes took effect and had not committed to improving protections for children. The regulator chose not to name the service to avoid inadvertently promoting it.

If the service does not meet the requirements within the 14-day timeframe, eSafety may pursue further action, including civil penalties of up to AU$49.5 million and delisting notices to search engine providers that help facilitate access to the site.

The action follows earlier enforcement in late 2025 that led three widely used nudify services, which had reportedly been used to generate child sexual exploitation material in schools, to withdraw from Australia. Those services have since relaunched under new ownership with additional safety measures, including mandatory age assurance.

Why does it matter?

The case shows how online safety regulators are beginning to apply age-assurance and child protection rules directly to generative AI services. Nudify platforms are treated as high-risk because they can enable non-consensual sexualised deepfakes, image-based abuse and exploitation involving minors at scale. Australia’s enforcement approach also signals that regulators may target foreign-based AI services when they are accessible to local users and fail to implement safeguards.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

CNIL reports record complaints and data breaches

The French data protection authority CNIL reported a record year in 2025 for complaints, fines and data breach notifications, while preparing for new responsibilities under the EU AI Act.

CNIL received 20,150 complaints in 2025, up 10% from 2024. The complaints covered issues linked to work, commerce, real estate, social networks and data breaches, with around 1,900 complaints directly concerning breaches.

The authority also received 6,167 data breach notifications, an increase of 9.5% from 2024. Hacking accounted for one in two reported incidents, while cybersecurity failures represented one-third of investigations and nearly 30% of sanctions.

In total, CNIL carried out 323 investigations and issued 259 corrective measures, including 83 sanctions worth nearly €487 million. Two major sanctions accounted for a large share of the total, while the simplified procedure introduced in 2022 allowed faster action in less complex cases.

Cybersecurity will become an even bigger enforcement focus in 2026, with CNIL planning to devote 50% of its controls and enforcement actions to data security. Checks will focus on organisations affected by breaches, those subject to complaints and sectors processing large volumes of sensitive or highly personal data.

The report also highlights CNIL’s role in supporting professionals and public authorities. In 2025, it processed 539 health authorisation applications, handled 1,351 professional advice requests, delivered 90 opinions on draft laws or regulatory texts and launched seven public consultations.

On AI, CNIL is already designated to monitor prohibited uses under the EU AI Act and is expected to become the market surveillance authority for certain high-risk AI systems, including in biometrics, migration, law enforcement, employment and education.

The authority also published AI resources for designers and developers, developed a traceability tool for open-source AI models and joined the PANAME project with ANSSI, Inria and PEReN to test whether AI models process personal data.

Why does it matter?

CNIL’s annual report shows how data protection enforcement is increasingly shaped by cybersecurity and AI. Record breach notifications and complaints point to growing pressure on organisations to secure personal data, while CNIL’s future AI Act responsibilities place the authority at the centre of France’s oversight of prohibited and high-risk AI systems.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Hong Kong checks AI privacy compliance across sectors

Hong Kong’s Office of the Privacy Commissioner for Personal Data has completed compliance checks on 60 organisations to assess how AI use affects personal data privacy.

The checks, launched in January 2026, covered sectors including banking and finance, education, government departments, insurance, medical services, telecommunications, transport, accounting, food and beverage, logistics, property management, and innovation and technology. The PCPD found no contravention of the Personal Data (Privacy) Ordinance during the exercise.

Among the organisations reviewed, 57 (95%) used AI in day-to-day operations, an increase of 15 percentage points from the previous round of checks. Around 79% of those organisations had used AI for more than a year, while 51% used three or more AI systems.

AI systems were mainly used for administrative support, customer service, research and development, marketing, compliance and risk management, human resources, corporate communications, cybersecurity and data analysis.

Of the 57 organisations using AI, 24 collected or used personal data through AI systems. All provided Personal Information Collection Statements before or during data collection and implemented security measures such as access controls, encryption, penetration testing and anonymisation.

The PCPD found that 23 of those 24 organisations tested AI systems before implementation, while 19 conducted privacy impact assessments. Nineteen adopted a human-in-the-loop approach, and five used a human-in-command model for oversight.

The checks also found that 19 organisations had established AI governance structures, while 17 had internal policies or guidelines for employees’ use of generative AI at work. Twenty organisations provided AI-related training, with most including content on privacy risks.

Also, the PCPD recommended that organisations using AI comply with the Personal Data (Privacy) Ordinance, establish internal governance structures, provide staff training, adopt incident response plans, conduct risk and privacy impact assessments, and regularly audit AI systems. It also urged organisations to use agentic AI prudently by limiting access rights, assessing data sensitivity and maintaining system and data security.

Why does it matter?

The checks show that AI is becoming embedded in business and public-sector operations in Hong Kong, including in areas involving personal data. The PCPD’s findings suggest that many organisations are beginning to adopt safeguards such as impact assessments, human oversight and AI governance structures, while its warnings on agentic AI point to growing concern over systems that can act with greater autonomy and access sensitive data.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Global Network Initiative raises concerns over India’s proposed IT rules amendments

The Global Network Initiative has raised concerns over India’s Draft Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Second Amendment Rules, 2026, warning that the proposals could affect privacy, free expression, and access to information.

The draft amendments were published by India’s Ministry of Electronics and Information Technology on 30 March 2026. GNI said the proposals, although described as procedural and clarificatory, could introduce broader changes to intermediary liability and digital media regulation.

The organisation warns that amendments to Rules 3(1)(g) and 3(1)(h) would require intermediaries to retain user data for at least 180 days, regardless of whether the original purpose for collecting the data has been fulfilled. According to GNI, the proposed data retention requirements could conflict with principles contained in India’s Digital Personal Data Protection Act.

GNI also criticises the proposed insertion of Rule 3(4), which would require platforms to comply with a broad range of executive instruments as a condition for retaining safe harbour protections. GNI said the proposal could expand the practical effect of executive advisories and guidelines on platform moderation decisions.

The statement also raises concerns about proposed changes to Rules 8 and 14, which would extend the Code of Ethics and the authority of the Inter-Departmental Committee to intermediaries and users who share news and current affairs content, even when they are not recognised publishers. According to GNI, the proposed changes could extend aspects of content regulation to users sharing news and current affairs content online.

GNI said the draft amendments could increase regulatory oversight of digital platforms and online content. The organisation said the proposals could affect debates around intermediary liability, platform governance, and digital expression.

GNI called on the Government of India to revise the proposals and consult civil society, industry, and technical experts.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.