Privacy and data protection

Australian privacy concerns rise as trust in AI companies falls

The Office of the Australian Information Commissioner has released a major survey showing that privacy concerns are rising across Australia, while public trust in AI companies and social media remains extremely low.

The Australian Community Attitudes to Privacy Survey, conducted every three years, found that 87% of respondents are more concerned about privacy than they were five years ago. The survey examines Australians’ privacy attitudes and experiences, including how recent events have shaped public expectations.

Trust was especially low for emerging and data-intensive sectors. Only 4% of respondents said they trusted AI companies, while 3% said the same for social media. Trust also declined across the insurance, telecommunications, technology, retail, and real estate sectors, while remaining highest for health service providers and Australian Government agencies.

Launching the report at the Data Privacy & Consumer Protection Summit 2026, Australian Privacy Commissioner Carly Kind said Australians’ expectations about privacy continue to sharpen as the information ecosystem becomes more complex, data-intensive, and difficult to navigate.

The OAIC said privacy complaints have increased by 73% year to date. Kind said trust is uneven across sectors and that wariness of emerging technologies is increasing, particularly around fairness, accountability, and the practical ability to exercise rights.

The survey also found that 68% of Australians would be more likely to use digital services requiring personal information if they knew their data was handled fairly and responsibly. Another 92% said data collection could be acceptable under certain conditions, including a clear purpose, consent or opt-in, limited collection, and the ability to opt out of non-essential data collection.

Kind said Australians want greater transparency in understanding their privacy rights and how their information is used, adding that improving transparency would help safeguard a healthy, informed, and vibrant democracy.

Why does it matter?

The survey shows that trust is becoming a central barrier to digital adoption, especially for AI and social media services. While Australians are willing to share data under fair and transparent conditions, the very low levels of trust in AI companies suggest that privacy, accountability, and explainability will be critical for public acceptance of emerging technologies.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Papua New Guinea advances digital ID law

Papua New Guinea’s Ministry of Information and Communications Technology has begun drafting instructions and a proposed bill for digital identity and verifiable credentials legislation following the endorsement of the National Digital ID Policy.

ICT Minister Peter Tsiamalili Jr said the process marks a step towards a legal framework that will allow citizens to identify themselves securely and access trusted digital services.

The proposed legislation will support the national rollout of SevisPass, SevisWallet, SevisDEx, and other approved verifiable credentials. SevisWallet will allow citizens to register, hold, and present trusted digital credentials, while SevisDEx will enable secure, consent-based data exchange.

Tsiamalili said the government is moving from policy to implementation. He said SevisPass will verify identity, SevisWallet will hold and present trusted credentials, and SevisDEx will support secure data exchange based on user consent.

The minister urged banks, financial institutions, mobile network operators, telecommunications providers, government agencies, education institutions, and professional bodies to work with NICTA and the Department of ICT to complete technical, regulatory, and operational readiness by the end of July 2026.

The readiness process is intended to support electronic know-your-customer checks, SIM registration, secure onboarding, financial inclusion, and digital verification of credentials such as driver’s licences, police clearances, student and teacher IDs, education certificates, tax identification numbers, and superannuation records.

The ministry said relevant agencies, issuers, verifiers, and relying partners should align their systems and compliance pathways to support the rollout by July 2026.

Why does it matter?

Papua New Guinea’s move shows how digital identity systems are becoming foundational infrastructure for public services, financial inclusion, telecoms compliance, education records, and private-sector verification. By linking SevisPass, SevisWallet, and SevisDEx to verifiable credentials and consent-based data exchange, the planned law could shape how identity, trust, and interoperability are built into the country’s digital economy.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EuroDIG 2026 debate strengthens Council of Europe digital governance push

The Council of Europe participated in EuroDIG 2026 in Brussels, contributing to discussions on digital governance, democracy, trustworthy AI, platform accountability, and the digital public sphere.

The European Dialogue on Internet Governance took place on 26 and 27 May, bringing together governments, businesses, civil society, academia, the technical community, and other stakeholders to exchange views on internet governance.

The Council of Europe participated under its New Democratic Pact for Europe, a year-long consultation focused on democratic backsliding and digital governance. The consultation covers issues including AI, data protection, media and information society, cybercrime, online discrimination and gender-based violence, digitalisation of justice, legal education, internet governance, and youth participation.

At the opening session, Claudia Luciani, Director of the Congress of Local and Regional Authorities, said democratic safeguards are critical for the integrity and functioning of Europe’s digital public sphere. She highlighted risks linked to disinformation, information bubbles, and foreign interference and manipulation campaigns.

The Council of Europe also co-organised a debate on trustworthy AI in public services, focusing on transparency, accountability, explainability, and crisis-resilient communication when automated decision-making and AI systems are used in public administration.

Another Council of Europe co-organised session addressed platform accountability and the need to strengthen the digital public sphere. Participants discussed how engagement-driven platform design, generative AI, and synthetic media can contribute to disinformation, hate speech, and other harms, and how governance frameworks could empower users as active citizens.

The Council of Europe’s European Commission for the Efficiency of Justice and its HELP programme also organised a session on how the use of AI in justice systems is changing legal professionals’ training needs.

EuroDIG 2026 was hosted by EURid, the .eu domain name registry, and supported by the European Commission.

The event was held under the theme ‘European voices for the future of the internet – celebrating 20 years of .eu and the beginning of a new internet governance era’.

Why does it matter?

The Council of Europe’s participation in EuroDIG shows how digital governance is being folded into broader debates on democratic resilience. Its focus on trustworthy AI in public services, platform accountability, synthetic media, online discrimination, and AI in justice systems reflects a broader policy shift: digital governance is increasingly treated as part of Europe’s democracy, human rights, and rule-of-law agenda, rather than solely as a technology issue.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Child safety online debate at EuroDIG 2026 shifts focus from bans to platform design

Participants at EuroDIG 2026 debated whether social media age bans are an effective way to protect minors online, with speakers warning that blanket restrictions may oversimplify a far more complex issue involving platform design, digital literacy, privacy, and children’s rights.

The session, titled ‘Youth Online Safety – Are Social Media Age Bans a Solution?’, focused on age verification, platform accountability, recommendation systems, and the broader European regulatory response to online harms affecting children and young people.

Speakers broadly agreed on the objective of improving child safety online, but many questioned whether blanket bans or rigid age restrictions would, in practice, effectively reduce harm.

Diya Aravinthan argued that protecting children online requires approaches that are proportionate, effective, and aligned with how young people actually use digital platforms. She warned that broad social media bans risk pushing children towards workarounds such as VPNs, shared accounts, or alternative services, potentially making online risks harder to monitor rather than reducing them.

Aravinthan also stressed that social media platforms cannot be understood only as sources of harm. She said young people often rely on online spaces for communication, friendships, creativity, civic participation, learning, and access to information.

Referring to Australian research conducted after the country’s under-16 social media restrictions, she said many young people increasingly consume news and current affairs through social media rather than traditional media channels.

Several speakers, therefore, argued that policymakers should focus more on safer platform design and stronger platform accountability rather than treating online safety primarily as an access-control problem.

Aravinthan called for layered protections based on age-appropriate design rather than a binary ‘access or no access’ model. She highlighted stronger privacy defaults, limits on profiling and targeted advertising, and safer platform features for minors as examples of more proportionate safeguards.

She also argued that recommendation systems and algorithmic feeds represent a central challenge because they actively guide minors toward attention-maximising and potentially harmful content.

Lennart Wetzel of Snapchat similarly argued that platforms carry major responsibility for protecting younger users. He said services should invest continuously in safety-by-design features, moderation systems, parental tools, and age-appropriate safeguards. Wetzel also warned that restrictions targeting only selected platforms may simply push young people towards other, potentially less safe or less regulated services.

He cited Australia’s social media restrictions as an example, noting that Snapchat had disabled or locked more than 415,000 accounts in response to the law while also observing migration to alternative services.

The debate also focused heavily on age verification and age assurance technologies.

Several speakers warned that current age-verification systems remain technically imperfect and raise significant privacy, proportionality, and inclusion concerns.

Aravinthan said platforms should not need to know users’ exact identities or precise ages to provide stronger protections for minors. She supported approaches based on data minimisation and privacy-preserving verification.

Wetzel added that even small error rates in age-assurance systems can produce large-scale consequences when applied across millions of users, potentially excluding legitimate users while failing to prevent circumvention.

Carmela Troncoso provided the strongest technical critique of age-verification systems. She argued that making age restrictions difficult to bypass often requires more intrusive forms of surveillance and data collection.

Troncoso warned that some systems rely on biometrics or behavioural analysis, creating additional privacy risks for children and young people. She also said stronger anti-circumvention measures may push minors towards unsafe tools or services that themselves collect and monetise user data.

According to Troncoso, current technologies risk creating substantial privacy and exclusion harms while offering only limited practical effectiveness.

The discussion also explored the wider European regulatory context.

Andrea Tognoni of the European Commission argued that debates about social media bans should not be separated from existing EU frameworks, including the Digital Services Act (DSA), the AI Act, the Audiovisual Media Services Directive, and the Better Internet for Kids strategy.

Tognoni said several member states are already advancing national measures on child protection and age restrictions, creating growing pressure for greater European harmonisation.

Speakers repeatedly warned that fragmented national rules could create inconsistent standards across Europe and undermine the coherence of the digital single market.

Wetzel argued that a risk-based European approach under frameworks such as the DSA offers a more sustainable path than isolated national bans.

The session also highlighted concerns that youth voices remain underrepresented in debates surrounding online safety regulation.

Stefanie Quintao of TikTok said many youth-led and child-rights organisations oppose blanket bans and believe they may unintentionally push children into less protected online spaces.

Both Quintao and Aravinthan stressed that young people use digital platforms for far more than entertainment, and that policy discussions often fail to reflect the lived realities of younger users.

Several audience interventions pushed the discussion further towards the broader political economy of social media platforms.

Some participants argued that the core issue lies not primarily in children accessing technology, but in platform business models built around surveillance, engagement maximisation, and algorithmic amplification.

Others stressed that digital literacy, parental support, and education remain essential complements to regulation.

One participant compared online safety to teaching children how to cross a road: legal rules and infrastructure matter, but children also require guidance, gradual learning, and the development of judgement.

The session concluded with broad agreement that protecting minors online requires a multi-layered and rights-based approach rather than a single regulatory instrument.

Participants broadly agreed that age bans alone are unlikely to solve underlying problems linked to harmful platform design, recommendation systems, and digital business models.

The closing synthesis stressed that effective child protection requires balancing privacy, proportionality, platform accountability, harmonised regulation, digital literacy, and meaningful youth participation.

EuroDIG 2026 took place on 26 and 27 May at the Charlemagne Building of the European Commission in Brussels under the theme ‘European Voices for the Future of the Internet – Celebrating 20 Years of .eu and the Beginning of a New Internet Governance Era’.

Digital Watch Observatory followed EuroDIG 2026 through a dedicated event page, featuring session information and reporting from Brussels.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

UK cyber guidance targets legacy trust in network access

The UK’s National Cyber Security Centre has issued new guidance on Zero Trust Network Access, warning that many deployments still rely on outdated assumptions about trust.

ZTNA is often introduced to modernise access to applications. However, the NCSC said many implementations still treat network location as a primary indicator of trust, meaning new tools can continue to rely on broad, network-based access rather than more granular and context-driven decisions.

The guidance explains how organisations can design and implement ZTNA to better align with zero-trust principles and modern network environments. It sets out the organisational and technical foundations required before deployment, describes key design requirements, and provides a reference architecture for accessing private applications and Software-as-a-Service.

A key focus is identifying common anti-patterns that undermine ZTNA security outcomes. The NCSC said many deployments fail not because of missing technology features, but because legacy trust assumptions are carried forward into new designs.

The guidance is aimed primarily at architects, security practitioners, and technical decision-makers responsible for designing or evolving access architectures. It is intended to support organisations exploring ZTNA as part of a broader zero trust strategy, replacing or reducing reliance on legacy ‘walled garden’ architectures, or reviewing existing deployments.

The NCSC said the guidance does not redefine zero trust, prescribe a single technical solution, or serve as a compliance checklist. Instead, ZTNA should be treated as part of a wider zero trust architecture shaped by an organisation’s users, systems, threats, and operational constraints.

Why does it matter?

The guidance highlights a common problem in cybersecurity modernisation: organisations can adopt new access technologies while still preserving older trust models. Poorly designed ZTNA deployments may leave broad access paths in place, weakening zero-trust goals and limiting resilience. NCSC’s message is that effective access control depends not only on deploying new tools, but on redesigning trust decisions around context, users, systems, risks, and operational needs.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Australia warns of serious frontier AI cyber risks

The Australian Government has issued a policy advisory urging Commonwealth entities to strengthen cybersecurity readiness for the frontier AI era.

Issued under the Protective Security Policy Framework, the advisory warns that frontier AI creates a dual-use challenge because advanced AI models can strengthen cyber defence while also being used by malicious actors to conduct cyber activities faster, cheaper, and at greater scale.

The Department of Home Affairs said frontier AI increases the risks posed by known vulnerabilities, legacy systems, and weak cyber hygiene, creating what it calls a ‘vulnerability storm’ for government entities.

The document says Australian Government entities do not need access to the most advanced frontier AI models to stay protected. Instead, effective readiness depends on applying existing cybersecurity mitigations and practices, including guidance from the Australian Signals Directorate and requirements under the Protective Security Policy Framework.

Commonwealth entities are told to prioritise compliance with the PSPF, Information Security Manual, and Essential Eight, confirm executive accountability for cybersecurity risk management, engage with ASD and Home Affairs guidance, and identify and remediate material gaps that AI-enabled threat actors could exploit.

The advisory also highlights requirements covering internet-facing systems, secure procurement and supply chains, attack surface reduction, patching, legacy technologies, zero-trust principles, gateway security, ASD’s Cyber Security Partnership Program, and the application of the Information Security Manual.

An annex from ASD says frontier AI is collapsing exploit timelines from days to hours and urges organisations to ‘lock down the fundamentals now’. It outlines actions to secure systems, reduce vulnerabilities, replace or isolate legacy IT, prepare for incidents, adopt AI for cyber defence, and modernise systems using secure-by-design and secure-by-default principles.

The advisory is aimed at accountable authorities, chief security officers, chief information security officers, procurement officers, and entity personnel.

Why does it matter?

The advisory frames frontier AI as an accelerant for existing cybersecurity weaknesses rather than a wholly new category of risk. Australia’s message to government entities is that AI-enabled threats make basic cyber hygiene more urgent: patching, reducing attack surfaces, managing legacy systems, securing supply chains, and preparing incident response plans. It also shows how governments are beginning to translate frontier AI risk into operational security requirements for public-sector organisations.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Spain approves draft law adapting the EU AI Act into national legislation

Spain’s Council of Ministers has approved a draft Organic Law aimed at adapting the EU AI Act into the country’s national legal framework.

Digital Transformation and Public Service Minister Óscar López said the draft law will now be sent to the Cortes for parliamentary consideration. The proposal establishes obligations for AI providers and introduces requirements for human oversight of AI systems.

The draft law incorporates the EU AI Act’s risk-based classification framework into Spanish legislation while establishing sanctions, governance structures, and supervisory authorities.

López said the law follows Spain’s approach to AI regulation, including human oversight, algorithmic transparency, protection of minors, and data privacy. López rejected the idea that regulation undermines competitiveness, pointing to Spain’s broader AI strategy and investment initiatives.

The minister said the EU AI Act includes prohibitions covering subliminal techniques, exploitation of vulnerabilities, biometric classification, social scoring, predictive surveillance, emotion recognition, facial scraping, and real-time identification. He added that, following a request from Spain, the EU agreed on 7 May to add prohibitions on AI-generated sexual deepfakes and AI-generated child sexual abuse material.

The draft law designates Spain’s Artificial Intelligence Supervisory Agency, based in A Coruña, as the central authority. Other market surveillance authorities will also have roles, including the Bank of Spain for financial systems, the Spanish Data Protection Agency for data-related matters, and the General Council of the Judiciary for justice-related issues.

The proposal promotes responsible AI use in the state public sector, including stronger requirements for AI models and transparency in public administration, as well as the creation of an AI officer role. The law also sets rules for AI regulatory sandboxes and measures intended to help AI providers comply with the legislation.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

France and South Korea team up on AI data protection

The French data protection authority CNIL and South Korea’s Personal Information Protection Commission have jointly developed a poster to raise awareness of privacy risks linked to generative AI.

The initiative builds on their ongoing cooperation under a memorandum of understanding signed in October 2022 and follows a previous joint poster on children’s and adolescents’ right to self-determination over personal data.

The new poster, titled ‘Generative AI and Privacy’, provides practical guidance on how users can protect their personal data before, during, and after using generative AI services. CNIL said the material is designed to be easy to understand as generative AI becomes more widely used across age groups.

Both authorities said that generative AI offers new opportunities but also poses challenges for personal data protection, particularly for teenagers and young users. The poster is available in Korean, French, and English, and may be translated into other languages upon request from interested data protection authorities.

CNIL and PIPC said they will promote and use the poster through various initiatives, including online and offline distribution to middle and high schools, social networking service posts, and events.

The two authorities also agreed to continue strengthening international cooperation and policy collaboration, especially to protect children’s and adolescents’ personal data as generative AI expands.

Why does it matter?

The initiative shows how data protection authorities are using public-awareness tools to respond to everyday privacy risks created by generative AI. While it is not a regulatory measure, the cooperation between CNIL and PIPC highlights growing attention to youth data protection, AI literacy, and cross-border coordination between privacy regulators.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

New Zealand Privacy Commissioner finds Manage My Health and Health NZ breached Privacy Act

New Zealand Privacy Commissioner Michael Webster has released the findings of Phase 1 of his inquiry into the December 2025 Manage My Health cyber incident, in which sensitive patient information was accessed, stolen, and offered for sale.

The first phase of the inquiry focused on the causes of the breach and accountability. The Commissioner found that both Manage My Health and Health NZ breached Rule 5 of the Health Information Privacy Code by failing to ensure reasonable security safeguards for patient information.

The breach affected nearly 100,000 people and caused serious anxiety and distress for many of those impacted. Around 91% of affected patients were based in Northland, with the Commissioner noting that many were likely to be Māori.

The investigation found that a single failure did not cause the breach, but it was a combination of security weaknesses. Manage My Health had gaps in technical safeguards, lacked systems to detect large-scale access to information, and raised concerns about the quality of its security design and risk management practices.

Health NZ was criticised for not doing enough to ensure that Northland hospital patients’ information would be kept safe before arranging to share it through the Manage My Health portal. The inquiry found that the project team lacked specialist privacy and security expertise, relied too heavily on information from Manage My Health, used poor-quality internal privacy risk assessments, and operated under a contract that was not fit for purpose.

The Commissioner said he intends to issue compliance notices requiring both organisations to complete the remaining necessary work and to demonstrate that their security controls are effective in preventing similar incidents. He also recommended that the Ministry of Health establish a process for verifying and ensuring that patient portals meet health-sector security standards.

A second phase of the inquiry will examine the broader impacts of the breach, including patient authorisation, information provided to patients, retention and deletion practices, breach communications, notification compliance, and whether the incident had a disproportionate impact on any group, particularly Northland Māori.

Why does it matter?

The findings show how privacy and cybersecurity failures in health portals can create large-scale risks when sensitive patient data is shared through third-party systems. The case also raises a wider governance issue for digital health: agencies cannot rely only on vendor assurances when transferring large volumes of health information. Independent security assessment, privacy-by-design, effective contracts, and ongoing monitoring are becoming essential safeguards for digital health infrastructure.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

UK expert panel to shape online safety policy

The UK Department for Science, Innovation and Technology has published the terms of reference for the Growing Up in the Online World expert panel, an independent group that will advise the government on children’s digital experiences.

The panel will provide impartial, evidence-based advice to support government policy development on children’s online well-being. Its remit includes digital technology, social media, gaming, AI chatbots, and proposals under the Growing up in the online world consultation.

DSIT said the panel will help identify evidence gaps and priority research needs for 2026 to 2027 and beyond. It is also intended to provide independent assurance that policy options are considered in the context of the evolving evidence base.

The panel’s responsibilities include reviewing emerging data on children’s online experiences, online safety, and design interventions. It will also scrutinise DSIT’s presentation of consultation evidence, identify risks and dependencies, and provide recommendations to inform advice to ministers.

Members will serve in a personal capacity and must declare conflicts of interest. DSIT said it will publish the panel’s membership once it has been agreed, along with declarations of conflicts of interest.

The panel will bring together expertise in child development, psychology, education, digital harms, online safety, behavioural science, platform design, data infrastructure, algorithmic systems, ethics, safeguarding, equality, human rights, and lived experience.

DSIT expects the panel to meet monthly via Microsoft Teams for the initial 4-month period, with additional meetings around key milestones. The panel will not set government policy, publish independent reports, represent employers or sectors, or engage with media on behalf of DSIT.

Why does it matter?

The panel shows how the UK is trying to ground children’s online safety and well-being policy in a broader evidence base covering platform design, AI chatbots, gaming, behavioural science, safeguarding, and lived experience. Its creation also points to a more formal advisory process around future policy choices, even though the panel itself will not set policy.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.