Privacy and data protection

EDPS warns Shadow AI creates hidden data protection risks

The European Data Protection Supervisor (EDPS) has warned that Shadow AI can create hidden data protection and breach risks when employees use unauthorised AI tools without organisational approval. The warning was published in a blog post by EDPS Wojciech Wiewiórowski on 15 June 2026.

The EDPS said Shadow AI can include tools such as generative AI chatbots, coding assistants and automated note-taking applications. While employees may use them as shortcuts to improve productivity, unauthorised AI tools can bypass data protection and security safeguards.

According to the EDPS, data entered into unapproved AI tools can fall into a regulatory and compliance blind spot. Unauthorised tools may lack formal agreements governing the legal basis for processing, data retention periods and safeguards for international data transfers.

The EDPS also warned that Shadow AI can create a transparency gap, making it difficult for organisations to determine where information is stored, how it is processed or whether it is used to train AI models. Such tools can also introduce security vulnerabilities, including automated meeting recorders joining meetings without oversight from IT security teams.

The blog post argues that organisations should address these risks proactively rather than attempting to ignore or prohibit them outright. Instead, they should adopt proactive AI governance policies that define authorised AI use, establish data classification rules and set approval processes for new technologies.

The EDPS said policies should be backed by technical controls and monitoring, including blocking unapproved AI domains, enforcing data loss prevention rules and restricting the installation of unauthorised AI software. The EDPS also recommended that organisations provide approved AI platforms that are secure, compliant and capable of meeting employees’ operational needs.

The EDPS said reducing Shadow AI risks requires cooperation between data protection officers, IT departments, security teams and business functions. The aim, it said, is to protect data subject rights and institutional information while enabling responsible AI adoption.

Why does it matter?

Shadow AI turns everyday workplace AI use into a data protection and cybersecurity issue. Employees may use unauthorised tools to save time, but organisations can lose visibility over personal data, legal compliance, retention, international transfers and model training.

The warning also shows that responsible AI adoption depends on more than staff guidance. Organisations need approved AI tools, technical controls, monitoring and cooperation between data protection, IT, security and business teams to reduce breach risks without blocking useful innovation.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Canada seeks stronger privacy rights through new digital governance law

The Canadian government has introduced the Protecting Privacy and Consumer Data Act, a major legislative proposal designed to modernise the country’s private-sector privacy framework and strengthen protections in an increasingly AI-driven digital environment.

According to the government, Canada’s existing privacy legislation was developed more than 25 years ago and no longer reflects technological realities such as AI, automated decision-making systems, deepfakes and the large-scale collection of children’s data.

The proposed law seeks to address those challenges by establishing stronger rights for individuals and clearer obligations for organisations.

The legislation would recognise privacy as a fundamental right, strengthen protections for children’s data, require meaningful consent for the collection and use of personal information, and introduce greater transparency around automated decision-making.

Canadians would also gain the right to request the deletion of their personal information and benefit from enhanced safeguards when their data is transferred outside Canada.

The proposed framework would be overseen by a newly established Digital Safety and Data Protection Commission of Canada.

The regulator would have authority to issue binding orders and impose significant penalties on organisations that fail to comply with privacy requirements. The government describes the legislation as a key component of its recently launched national AI strategy, aimed at strengthening trust in digital services, data-driven innovation and emerging technologies.

Why does it matter?

The proposed legislation represents one of Canada’s most significant privacy reforms in decades and reflects a broader international trend of updating data protection frameworks for the AI era. As AI systems, automated decision-making tools and digital platforms become more deeply embedded in everyday life, governments are seeking stronger safeguards for personal data, transparency and accountability.

The bill also signals a growing convergence between privacy policy and AI governance. By introducing stronger protections for children’s data, new rights for individuals and greater oversight of automated systems, Canada is positioning privacy as a key foundation for public trust in digital services and emerging technologies.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

OAIC finds American Express breached privacy rules

Australia’s privacy regulator has found that American Express Australia interfered with a complainant’s privacy by failing to take reasonable steps to protect personal information from unauthorised access.

The Office of the Australian Information Commissioner published a summary report of the determination in the matter of ‘BAM’ and American Express Australia Limited, rather than the full determination, after considering confidentiality claims and potential harms linked to disclosure of sensitive information.

Australian Privacy Commissioner Carly Kind found that American Express Australia breached Australian Privacy Principle 11.1 under the Privacy Act 1988. The case followed a lengthy investigation into insider security risk within a financial institution.

The OAIC said insider security risk remains a significant but frequently overlooked threat to organisations and to individuals whose personal information they hold. It said the risk is particularly important in sectors such as financial services, where organisations store large volumes of personal information.

Under the determination, American Express Australia must compensate the complainant for economic loss, non-economic loss and complaint-related expenses. It must also issue a written apology acknowledging the interference with privacy.

The company must implement technical controls across relevant systems to restrict employee access to specific customer information, including for vulnerable or high-profile customers. It must also introduce account-level access logging and action logging across relevant systems that remain in operation.

The OAIC said the determination underscores the role of ICT access controls in protecting personal information from unauthorised access by employees.

Why does it matter?

The determination shows that privacy protection is not only about preventing external cyberattacks or data breaches. Organisations also need internal controls that restrict, monitor and log employee access to customer information. For financial institutions and other data-rich sectors, insider risk is now clearly a privacy compliance issue, not just an internal security or HR problem.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EPRS reveals critical Cybersecurity Act impact assessment gaps

The European Parliamentary Research Service has published an initial appraisal of the European Commission’s impact assessment for the proposed revision of the Cybersecurity Act, finding that the Commission makes a strong case for reform while leaving several analytical gaps.

The Commission proposed the revision on 20 January 2026, alongside a directive on simplification measures under the NIS2 Directive. The proposals were referred to the European Parliament’s Committee on Industry, Research and Energy.

The package covers ENISA’s mandate, the European Cybersecurity Certification Framework, NIS2 compliance simplification and a proposed EU-level framework for ICT supply chain security. EPRS said the impact assessment responds to a more complex cybersecurity landscape, stalled implementation of certification rules, fragmented compliance requirements and growing supply chain risks.

The briefing found that the Commission’s assessment effectively substantiates the need to revise the Cybersecurity Act. It praised the problem definition, intervention logic, use of qualitative and quantitative analysis, SME test, competitiveness check and transparency around evidence and methodology.

However, EPRS also identified weaknesses. It said the assessment lacks operational objectives, does not include a subsidiarity grid despite the initiative’s political significance, and has no distinct proportionality section. The briefing also questioned whether some policy options are sufficiently distinct, noting that they appear partly cumulative.

EPRS said stakeholder consultation feedback could have been reflected more clearly, especially in the analysis of policy options, impacts and the preferred approach. It also noted that the Regulatory Scrutiny Board first issued a negative opinion on the draft impact assessment, then later issued a positive opinion with reservations.

The briefing concluded that the Commission’s legislative proposals are mostly aligned with the preferred options in the impact assessment, although some issues remain.

Why does it matter?

The Cybersecurity Act revision could reshape several pillars of the EU cyber policy at once, including ENISA’s role, cybersecurity certification, NIS2 compliance and ICT supply chain security. EPRS’s appraisal matters because it provides lawmakers with an early quality check of the evidence underpinning the Commission’s proposal. The briefing suggests the policy case for reform is strong, but also highlights gaps that may become important during parliamentary scrutiny, especially around proportionality, subsidiarity and the design of policy options.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

UK plans major social media ban for under-16s

The UK government plans to introduce a social media ban for children under 16 as part of a wider package of online safety measures aimed at reducing children’s exposure to harmful content and risky online interactions.

Prime Minister Keir Starmer said the planned restrictions are intended to protect children from harmful material, excessive screen time and contact with unknown adults online. The measure is expected to apply to major social media platforms, while gaming and livestreaming services could face restrictions on features that allow children to interact with strangers.

The move follows a national consultation on children’s online safety, which examined possible age restrictions on social media and other online services, as well as limits on addictive design features and risky functionalities.

Further details are expected on implementation and enforcement, including how platforms would be required to verify users’ ages. The government has previously said that restrictions on children’s access to social media should be considered alongside broader protections for gaming platforms, AI chatbots and other online services used by young people.

The proposal would place the UK among a growing number of countries moving towards age-based restrictions on children’s access to social media. Australia has already adopted an under-16 social media ban, while other governments are considering similar approaches.

Supporters argue that age restrictions could reduce online harms and give parents clearer backing in setting boundaries for children’s technology use. Critics warn that enforcement may raise privacy concerns, increase reliance on age-verification systems and push children towards less regulated online spaces.

Why does it matter?

The proposal would move the UK closer to an age-based model of online safety regulation, where platforms may be expected to prevent under-16s from accessing certain services rather than only reduce harmful content after children join. That raises major governance questions around age assurance, privacy, platform design, parental responsibility and enforcement. The measure could also increase pressure on social media, gaming, livestreaming and AI chatbot services to redesign features that expose children to unknown adults, addictive interaction patterns or harmful content.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU and Brazil strengthen cooperation through new Digital Partnership

The European Union and Brazil have signed a new Digital Partnership to strengthen cooperation on shared digital policy priorities, including AI, data governance, digital infrastructure, connectivity, online platforms and digital public goods and services.

The partnership was signed in Brasília and is intended to raise EU-Brazil digital cooperation to a more strategic level. According to the European Commission, Digital Partnerships are a core instrument of the EU’s external digital policy and are used to structure cooperation with like-minded partners.

The agreement builds on more than two decades of EU-Brazil cooperation, including the EU-Brazil Strategic Partnership and the existing EU-Brazil Digital Dialogue. The two sides said the partnership will support joint work on resilient global supply chains, rules-based digital governance and wider sharing of the benefits of technological progress.

The signing follows the adoption of mutual EU-Brazil data adequacy decisions in January 2026, which allow personal data to flow freely and securely between the two jurisdictions without additional requirements. The Commission described those decisions as creating the world’s largest area of free and safe data flows, covering around 670 million consumers.

Future cooperation under the Digital Partnership will be developed through technical workstreams and high-level exchanges. The first Digital Partnership Council is expected to meet within the next year to set out a joint roadmap for cooperation.

Why does it matter?

The partnership strengthens digital cooperation between the EU and one of Latin America’s largest economies at a time when AI governance, data protection, online platforms and digital public infrastructure are becoming central to international relations. It also shows how the EU is using digital partnerships and data adequacy decisions to expand trusted digital cooperation beyond Europe, while promoting regulatory alignment, secure data flows and shared approaches to global digital governance.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Singapore warns of Microsoft impersonation scams causing major losses

The Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) have warned the public about technical support scams that impersonate Microsoft. Authorities said at least 10 cases had been reported since February 2026, with total losses exceeding S$1.7 million.

In this scam variant, victims typically encounter a pop-up alert in their web browser. The alert falsely appears to originate from Microsoft and claims that the user’s device has been hacked or compromised.

Victims are then instructed to contact a so-called technical support officer through an internet-based phone number. After making contact, victims may be transferred to another scammer posing as a police officer, who claims that their device has been used for criminal activities such as money laundering.

Authorities in Singapore said victims may be instructed to make bank transfers, provide banking credentials, or grant remote access to their devices. In some cases, scammers asked victims to download remote access applications or click links that allowed them to take control of bank accounts.

SPF and CSA advised members of the public to verify alerts through official software provider channels. They noted that Microsoft does not include phone numbers in error or warning messages, and that users should not call numbers displayed in suspicious pop-ups or click links or buttons within such alerts.

People who believe they have fallen victim to the scam are advised to disconnect their computer from the internet, contact their bank, remove applications installed under the scammer’s instructions, and run an anti-virus scan. They should also change passwords and banking credentials using a trusted device, remove unauthorised payees, and report the incident to the police and CSA’s SingCERT.

Why does it matter?

Technical support scams remain one of the most effective forms of cyber-enabled fraud because they combine social engineering, impersonation and remote access techniques. By exploiting trust in well-known brands such as Microsoft and creating a sense of urgency, scammers can persuade victims to hand over sensitive information or direct access to their devices.

The cases also highlight how cybersecurity and financial security are increasingly interconnected. Basic cyber hygiene practices, such as verifying security alerts through official channels, avoiding unsolicited remote access requests and reporting incidents quickly, can help prevent account compromise and reduce financial losses.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EDPB adopts common data breach notification template for GDPR compliance

The European Data Protection Board (EDPB) has adopted a common template for data breach notifications as part of efforts to simplify GDPR compliance and improve consistency across the EU. The template is intended to help organisations and Data Protection Authorities structure, harmonise and unify breach notification processes.

The template is designed to ensure that data breach notifications contain the information required under Article 33 of the GDPR, which governs the notification of personal data breaches to supervisory authorities. The EDPB said the common format should make it easier for organisations to submit timely data breach notifications and help responsible authorities assess cases.

The template includes predefined fields, response options and guidance to help organisations complete notifications more efficiently. The EDPB said the approach could reduce administrative costs and save time, particularly for smaller organisations that lack dedicated data protection or legal expertise.

The template will be subject to public consultation until 5 August 2026. Following the consultation, the EDPB will determine the timeline for implementation by national Data Protection Authorities.

During the same plenary, the EDPB met with Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection Michael McGrath to discuss common priorities. The Digital Omnibus package was also discussed, with the Board warning that proposed changes to the definition of personal data could significantly weaken privacy protections for individuals.

Discussions also covered cross-regulatory cooperation, children’s data, political advertising, and international data transfers. The Board also stressed that adequate funding and staffing for Data Protection Authorities remain essential for the effective enforcement of data protection rules.

Why does it matter?

Data breach notification requirements are a key component of the GDPR, helping regulators assess risks and ensuring organisations respond appropriately when personal data is compromised. However, differences in reporting practices across EU member states can create additional compliance burdens, particularly for smaller organisations operating across multiple jurisdictions.

The common template represents another step towards greater regulatory harmonisation within the EU’s data protection framework. By standardising breach reporting requirements, the EDPB aims to reduce administrative complexity, improve the quality of notifications and support more consistent enforcement of data protection rules across Europe.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU publishes the final Code for labelling AI-generated content

The European Commission has published the final Code of Practice on marking and labelling AI-generated content, offering practical guidance for providers and deployers preparing to comply with transparency obligations under the EU AI Act.

The code is voluntary, but the underlying transparency obligations in Article 50 of the AI Act will apply from 2 August 2026. The Commission said the code is intended to help organisations implement those obligations in a consistent, practical and proportionate way.

The framework covers two main areas. Providers of generative AI systems are guided on marking and detecting AI-generated or manipulated audio, image, video and text content, including through machine-readable solutions where technically feasible. Deployers are guided on labelling deepfakes and AI-generated or manipulated text published to inform the public on matters of public interest.

Under the AI Act, users must also be informed when they are interacting with interactive AI systems, such as chatbots. The transparency requirements are intended to help people recognise when content has been generated or altered by AI and to reduce the risk of deception and manipulation.

The Commission has also published a set of the EU icons that deployers may use to label certain AI-generated content. The code does not replace the AI Act or future Commission guidelines on Article 50, which are expected before the transparency obligations begin to apply.

The Commission and the AI Board will now assess the code’s adequacy. If assessed positively, providers and deployers who sign the code may use its measures to help demonstrate compliance with the AI Act’s transparency rules.

Why does it matter?

The code is an important step in turning the AI Act’s transparency provisions into operational practice. Labelling and machine-readable marking rules could shape how platforms, AI providers, media organisations and other deployers handle synthetic text, images, audio and video. The measures are especially relevant for public-interest information, where undisclosed AI-generated or manipulated content can affect trust, elections, journalism and public debate.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Snapchat introduces friends-only content sharing for users under 16

Snapchat has begun rolling out new content-sharing protections for users aged 13 to 15, limiting the visibility of their Stories and Spotlight videos to mutually accepted friends.

Under the new experience, younger teens will have a dedicated profile where they can create, save and showcase content. Still, it will not be visible to one-sided followers or the wider Snapchat community. Snap said users in this age group will no longer be able to post Spotlight content that is visible to non-friend audiences.

The company said the change is intended to create a more private sharing environment for younger teenagers. Snapchat users under 16 will also no longer have engagement metrics such as favourite counts.

Snap said users aged 16 to 17 will have an optional introduction to public sharing, with additional safeguards, limited distribution and parental visibility. Users aged 18 and over will continue to have full access to public profiles and broader distribution tools.

The update forms part of Snapchat’s wider teen safety approach, which includes stricter default privacy settings, limits on unwanted contact, moderated public content and parental tools through Family Center.

Why does it matter?

The update reflects a broader shift towards age-appropriate design and privacy-by-default settings for younger users. By limiting public distribution for users aged 13 to 15, Snapchat is reducing minors’ exposure to unknown audiences and public engagement metrics. The change is relevant to ongoing regulatory debates on children’s online safety, platform design, algorithmic distribution and the mental health effects of public social media engagement.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.