Privacy and data protection

UNESCO assessment supports ethical AI roadmap in El Salvador

El Salvador has advanced its national AI agenda following the presentation of a Readiness Assessment Methodology (RAM) report developed by UNESCO in cooperation with the National Artificial Intelligence Agency (ANIA). The initiative brings together government institutions, international organisations, academia and the private sector to assess the country’s preparedness for ethical, inclusive and sustainable AI development.

The assessment is grounded in the UNESCO Recommendation on the Ethics of Artificial Intelligence, which establishes principles for safe and responsible AI deployment. According to the assessment, El Salvador’s legal and institutional framework, including measures related to data protection, cybersecurity and AI governance, has strengthened its position in regional AI readiness indicators.

The report highlights AI deployments already being used in public services, including digital health diagnostics, automated legal processes and large-scale digitisation of government records. Education systems are also integrating AI tools to expand access to learning, while projected economic gains suggest significant growth potential if ethical adoption continues to scale.

Alongside the findings, authorities outlined priorities aimed at reducing inequalities in access to technology, expanding participation in STEM education and ensuring that AI-related benefits reach both urban and rural communities.

The new National Artificial Intelligence Strategy 2026 sets out these priorities as part of a broader human-centred development model.

Why does it matter?

The initiative positions El Salvador as a test case for how emerging economies can align rapid AI adoption with structured governance and ethical safeguards. By embedding human-centred principles into national strategy and law, the country aims to prevent AI-driven gains from widening social or geographic inequalities while strengthening long-term digital readiness.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

EDPS and EU data protection officers focus on AI, cybersecurity and compliance

The European Data Protection Supervisor (EDPS) and data protection officers (DPOs) from EU institutions, bodies, offices and agencies met in Brussels on 18 June to discuss emerging data protection priorities and compliance challenges.

The 58th meeting of the EDPS-DPO network was hosted by the Executive Agencies of the European Commission. The meeting brought together DPOs from across the EU administration at a time of significant regulatory and technological change.

European Data Protection Supervisor Wojciech Wiewiórowski opened the meeting by emphasising the importance of safeguarding DPO independence in practice. He pointed to recent EDPS action, guidance, and procedures intended to safeguard the role of DPOs across EU institutions.

Wiewiórowski also reviewed key developments from 2025, including the closure of the EDPS investigation into the European Commission’s use of Microsoft 365, a rise in complaints, and the growing impact of AI-generated submissions. He noted that regulatory simplification should reduce unnecessary administrative burdens without undermining fundamental rights protections.

Thomas Zerdick, Head of the EDPS Supervision and Enforcement Unit, introduced a follow-up tracker designed to maintain continuity between EDPS-DPO meetings. The first tracker focused on EDPS supervisory guidance on the role of DPOs in EU institutions and the EDPS decision on prior consent to DPO dismissal.

Zerdick also presented recent developments in supervision and enforcement, including complaint handling, compliance issues affecting several EU institutions, and practical guidance on international transfers and data protection impact assessments. The update also covered work linked to the Area of Freedom, Security and Justice, including audits, opinions, and preparations for upcoming systems.

Luis Velasco, Head of the EDPS Technology and Privacy Unit, outlined initiatives to help EU institutions meet compliance requirements for automated systems and AI. He announced that an updated version of the EDPS guidance on risk management for AI systems is expected to be published later this summer.

Velasco also referred to a practical checklist on human intervention, intended to help organisations establish effective safeguards for automated systems. He warned that cyberattacks targeting EU institutions pose a growing threat and pose serious risks to individuals’ personal data.

The discussion also addressed the response to a personal data breach. Velasco stressed that individuals affected by a personal data breach should be informed without undue delay when a breach is likely to pose a high risk to their rights and freedoms.

A practical workshop focused on developing a common data protection impact assessment template under the EU Data Protection Regulation. Participants tested a draft template through a case study and discussed issues, including necessity, proportionality, and risk assessment.

The afternoon sessions included a discussion of the 2024 data breach at the European Agency for Law Enforcement Training. The CEPOL DPO and the EDPS Data Breach Notification Team shared lessons with the wider DPO community, highlighting that major data breaches create organisational and human challenges as well as compliance obligations.

The meeting also included a session on privacy and data protection case law, presented by Zerdick. The session focused on the EDPS’s interpretation of recent judgments and their practical implications for supervisory work and controllers.

Participants also received an update on the EDPS Website Compliance Awareness Campaign. Following pilot phases in 2024 and 2025, the Technology and Privacy Unit presented preliminary findings from the first wave of the campaign’s second phase, which involved automated scans of public-facing websites of EU institutions.

The EDPS said the meeting demonstrated the value of bringing together the EU’s DPO community to address shared challenges, exchange practical experience and strengthen compliance across institutions. The discussions focused on practical cooperation, support for compliance, and stronger data protection safeguards across the EU administration.

Why does it matter?

The meeting highlights how data protection within EU institutions is evolving beyond traditional compliance issues toward broader challenges involving AI governance, cybersecurity, automated decision-making and digital service oversight. As public administrations increasingly adopt AI-enabled systems and process larger volumes of personal data, data protection officers are playing a more strategic role in managing operational and regulatory risks.

The discussions also illustrate a growing emphasis on practical implementation. Common templates, coordinated guidance and shared lessons from data breaches can help institutions apply data protection rules more consistently across the EU administration. This is particularly important as regulators seek to align privacy requirements with emerging frameworks governing AI, cybersecurity and digital public services.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Eurostat report highlights online hate speech exposure in the EU

More than half of young internet users in the EU encountered hostile or degrading online content in 2025, according to Eurostat data published to mark the International Day for Countering Hate Speech.

Eurostat said 54.0% of internet users aged 25 to 34 and 53.7% of those aged 16 to 24 had encountered hostile or degrading messages during the previous three months. Exposure declined with age, falling to 46.4% among people aged 35 to 44, 38.9% among those aged 45 to 54, 32.8% among those aged 55 to 64, and 28.1% among people aged 65 to 74.

Among internet users aged 16 to 24, young women reported higher exposure than young men, at 57.2% compared with 50.4%. Eurostat said the pattern was observed across all types of hostile or degrading messages.

For both young women and young men, the most commonly reported hostile messages related to political or social views and racial or ethnic origin. The largest gender gaps were recorded for messages concerning sexual orientation, sex and disability.

Eurostat said hostile or degrading content may be directed at respondents or at other people, and can include messages, comments, photos, memes, videos and other online material.

The findings underline the scale of online hostility facing younger internet users in the EU and the continuing challenge for policymakers, platforms and civil society organisations working on digital safety and content governance.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

EU court weighs GDPR and digital evidence in employment dispute

The Court of Justice of the European Union has clarified that the GDPR does not require national courts to automatically exclude evidence containing personal data solely because it was previously obtained unlawfully by one of the parties.

The case, C-484/24 NTH Haustechnik v EM, concerns a dispute between a German employer and a former employee. The employer sought damages over the alleged unauthorised sale of company property and relied on information obtained through access to the former employee’s private eBay account.

The referring German court asked whether judicial use of such evidence would itself amount to personal data processing under the GDPR and whether the EU data protection law required the evidence to be excluded.

The CJEU found that a court’s handling of evidence containing personal data can constitute data processing. However, such processing may be lawful where the court must perform its judicial duties and decide the dispute before it.

The Court also clarified that the GDPR does not create an automatic exclusionary rule for evidence obtained in breach of privacy or data protection rules. National courts must instead assess whether the processing is necessary and proportionate, while respecting GDPR principles and the rights protected by the EU Charter.

The ruling is relevant to civil and employment proceedings because it clarifies the relationship among data protection law, the right to evidence, and the right to effective judicial protection.

Why does it matter?

The case clarifies an important boundary in GDPR litigation: unlawful collection of personal data does not automatically make evidence unusable in court, but it also does not give parties a free pass to gather evidence unlawfully. Courts must balance privacy and data protection rights with the right to effective judicial protection. The ruling could affect employment disputes, civil claims and digital evidence cases where emails, platform accounts, logs or other personal data are submitted as proof.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Spain’s data protection authority issues privacy guidance for video game industry

The Spanish Data Protection Agency (AEPD) has published a new guide outlining data protection recommendations for the video game industry, urging companies to embed privacy safeguards throughout the entire game lifecycle.

According to the AEPD, modern video games have evolved into complex digital ecosystems that collect, analyse and process significant volumes of personal data. This may include account information, gameplay activity, behavioural data and other user-generated information, creating potential privacy and security risks.

The guide notes that AI-enabled and online gaming services increasingly rely on data-driven business models, making compliance with the General Data Protection Regulation (GDPR) particularly important. The agency emphasised that privacy protections are especially important for children and other vulnerable groups, given their significant participation in online gaming environments.

The recommendations span the entire development process, from pre-production and design to post-launch operations, covering transparency obligations, data minimisation, profiling controls and cybersecurity measures. Privacy and responsible data practices should be integrated into games from design through to end-of-life in Spain.

Why does it matter?

The guidance reflects the growing importance of data protection in the gaming industry as video games increasingly function as connected digital platforms rather than standalone entertainment products. Online services, in-game economies, AI-powered features and behavioural analytics have expanded the volume and sensitivity of personal data processed by game developers and publishers.

The recommendations also highlight broader regulatory concerns around children’s privacy and responsible data use. As gaming platforms become more immersive and data-driven, regulators are placing greater emphasis on privacy-by-design principles, transparency and user control. The AEPD’s guidance signals that compliance with data protection rules is becoming an integral part of game development, not simply a legal requirement applied after products are launched.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Anthropic and South Korea partner on AI safety and cybersecurity

Anthropic has opened an office in Seoul and announced a series of partnerships across South Korea’s AI ecosystem, alongside a memorandum of understanding (MoU) with the Ministry of Science and ICT on AI safety.

The company said the Seoul office will serve as a long-term hub for collaboration with South Korean enterprises, startups, researchers and developers using Claude. Senior Anthropic leaders travelled to Seoul this week to open the office and meet partners, customers, and developers.

Anthropic said the MOU with South Korea’s Ministry of Science and ICT will support the safe and responsible adoption of AI across the public sector. The cooperation will focus on AI safety and cybersecurity, including Korean-language model safety evaluations with the Korea AI Safety Institute and information sharing on AI-enabled cyber threats.

KiYoung Choi, Representative Director of South Korea at Anthropic, said South Korean organisations understand that innovation and safety are linked. He said the Seoul office provides a long-term base for collaboration with organisations helping shape South Korea’s AI leadership.

Anthropic also highlighted broader adoption of Claude among South Korean companies. NAVER has deployed Claude Code across its engineering organisation, while Nexon engineering teams are using Claude Code to write, review, and ship code for live-service games.

Large South Korean business groups are also using Claude. LG CNS plans to deploy it across LG Group, Hanwha Solutions is using Claude through AWS Bedrock to meet in-region data residency and security requirements, and Samsung SDS is deploying Claude across Samsung Electronics for knowledge work, agentic workflows, and software development.

South Korean startups are also integrating Claude into products. Channel Corp uses Claude to power Channel Talk, a customer AI platform used by more than 230,000 companies across South Korea, Japan, and the United States.

Anthropic said it will also work with the National AI Research Lab, a consortium spanning KAIST, South Korea University, Yonsei University, and POSTECH. Anthropic will provide Claude access to up to 60 affiliated researchers to support work on AI safety, model evaluation, alignment, robustness and frontier AI research.

In the nonprofit sector, Good Neighbors Korea is deploying Claude to help staff analyse programme outcomes, navigate social welfare law and internal guidelines, and reduce administrative work for frontline social workers.

Anthropic said South Korea ranks among the top dozen countries globally for Claude.ai usage, with activity concentrated in technical and creative work. The company has launched Claude for Startups in South Korea and has held Claude Meetups for South Korean developers since September 2025.

The company also co-hosted Claude Build Day with BASS Ventures, bringing together more than 100 South Korean founders and developers. Anthropic will also co-host a Push to Prod hackathon with Replit, Korea Investment Partners, and Korea Investment Accelerator.

Why does it matter?

The announcement highlights South Korea’s growing importance in the global AI landscape. Beyond being a major market for AI products, the country is increasingly positioning itself as a centre for AI research, safety evaluation, enterprise adoption and public-sector deployment.

The expansion also illustrates how frontier AI companies are combining commercial growth with governance initiatives. Anthropic’s cooperation with the Ministry of Science and ICT and the Korea AI Safety Institute suggests that AI safety, cybersecurity and model evaluation are becoming integrated into broader ecosystem-building efforts. As competition among leading AI companies intensifies, partnerships that combine research, regulation, enterprise adoption and developer engagement are likely to play an increasingly important role in shaping national AI ecosystems.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

UK cyber agency warns of growing vulnerability risks from Frontier AI

The UK’s National Cyber Security Centre (NCSC) has issued guidance for network defenders on managing the growing risk associated with software vulnerabilities discovered using Frontier AI.

The guidance states that Frontier AI models represent the most advanced AI systems and have already demonstrated the ability to identify vulnerabilities in software products. According to the NCSC, this has significant implications for the threat landscape because Frontier AI can help both defenders and threat actors identify weaknesses at greater speed and scale. The UK’s National Cyber Security Centre has issued guidance for network defenders on managing the growing risk from software vulnerabilities discovered with Frontier AI.

The guidance states that Frontier AI models represent the most advanced AI systems and have demonstrated the ability to discover vulnerabilities in software products. The NCSC says this has implications for the threat landscape because Frontier AI can help both defenders and threat actors identify weaknesses more quickly.

The NCSC emphasises that organisations using AI for vulnerability discovery should do so within secure and controlled environments. It recommends limiting what the AI system can access, ideally using it only in testing or development environments, running it through a service account with only necessary permissions, and placing it in a sandboxed environment.

Organisations should also consider legal, contractual, and security obligations before using AI-as-a-service tools for vulnerability discovery. Sending source code, intellectual property or other sensitive information to external AI providers could introduce additional security, confidentiality and compliance risks.

The NCSC notes that AI-assisted vulnerability discovery is only effective if organisations have the processes and resources needed to manage the findings. That means having processes for patch management, vulnerability identification, prioritisation, validation, remediation, and reporting, as well as the ability to filter false positives and address root causes rather than only individual flaws.

The NCSC stresses that Frontier AI should complement, rather than replace, human cybersecurity expertise. Staff with experience in cybersecurity or the relevant IT systems should guide and validate AI-based vulnerability discovery to improve speed and accuracy.

The NCSC also warns that threat actors are increasingly using Frontier AI to identify and exploit vulnerabilities, potentially accelerating cyberattack timelines. Frontier AI may reduce the time between discovery and exploitation of newly published vulnerabilities, leaving organisations with less time to patch. The guidance says organisations should therefore adopt an assume-compromised mindset.

The NCSC recommends that organisations meet minimum cybersecurity standards, apply defence-in-depth principles, monitor networks and endpoints for suspicious behaviour and maintain a strong incident response plan.

The guidance also urges organisations to reduce the number of systems exposed to the internet, especially high-risk systems such as admin login panels, legacy systems, and operational technology. Organisations should identify internet-accessible systems and assess whether they need to remain exposed.

The guidance also highlights the growing importance of software supply chain security. Organisations should understand the commercial software, cloud services, open-source software, and dependencies they use, review supplier security and AI assurance policies, apply updates quickly, and use software bills of materials or similar tools to identify vulnerable dependencies.

The NCSC says Frontier AI is likely to be used extensively to discover vulnerabilities in open-source software because source code is accessible. It also notes that open-source supply chains have already been targeted through malware campaigns affecting major packages.

Why does it matter?

The guidance reflects a growing shift in cybersecurity as advanced AI systems become capable of identifying software vulnerabilities at unprecedented speed. While these capabilities can help defenders improve security testing and vulnerability management, they can also enable attackers to discover and exploit weaknesses more quickly, potentially reducing the time organisations have to respond.

The NCSC’s recommendations also point to a broader governance challenge surrounding AI adoption in cybersecurity. Organisations must not only defend against AI-enabled threats but also ensure that their own use of AI tools does not introduce new risks related to sensitive data, software supply chains or overreliance on automated systems. As Frontier AI capabilities continue to improve, cyber resilience will increasingly depend on combining AI-driven analysis with strong human oversight, secure development practices and effective incident response.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

IWF backs Pope Leo XIV call for responsible AI development

The Internet Watch Foundation has welcomed Pope Leo XIV’s reflections on AI, arguing that AI systems must be developed with stronger safeguards to protect children from abuse.

In a blog post, the IWF said the Pope’s message that technology should serve the common good and remain subject to human judgement and accountability reflects the risks its analysts are already seeing online.

The organisation warned that AI is being used to generate highly realistic child sexual abuse images and videos at scale. It said the number of AI-generated child sexual abuse videos identified by the IWF in 2025 increased by more than 260%, with nearly two-thirds falling into the most severe category of abuse.

The IWF also raised concerns about AI-nudification tools, which can generate realistic sexualised images of children and other individuals. Following the Child Dignity in the Artificial Intelligence Era conference in Rome, the organisation joined more than 100 organisations and individuals in supporting calls for a global ban on such tools.

The IWF said AI safety should be built into products from the earliest stages of development. Through its Safety by Design work, the organisation is calling for companies to assess, test and mitigate risks before AI systems reach the public.

It also called for stronger regulation, global alignment and enforceable safety-by-design standards to prevent the creation and spread of AI-generated child sexual abuse material.

Why does it matter?

The IWF’s warning shows how generative AI is creating urgent child protection risks, especially through realistic synthetic abuse material and nudification tools. The issue is no longer only content moderation after harm occurs; it increasingly concerns model design, testing, deployment and accountability before AI systems reach users. That makes safety by design, developer responsibility and international coordination central to AI governance.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

University of Nottingham data breach exposes student and alumni records

The University of Nottingham has confirmed that an external third party accessed a significant amount of data in its student record system during a cyber incident.

The university said the incident affected current students and alums and that it is working with the third-party provider that maintains the affected platform to support a forensic investigation. It has reported the incident to Action Fraud and the Information Commissioner’s Office.

The university has not publicly attributed the attack, but the ShinyHunters extortion group has claimed responsibility. Have I Been Pwned said the breach affected 454,600 accounts and involved tens of gigabytes of data, which was later published online.

According to Have I Been Pwned, the exposed data included names, email addresses, phone numbers, physical addresses, passport numbers, citizenship statuses, dates of birth, academic records, ethnicity, disability information, IP addresses and information relating to enrolments and fee payments.

The university told affected individuals that it was operating on the precautionary assumption that contact information, university-related details, financial information and personal information may have been accessed.

The breach creates risks of identity theft, fraud and follow-up phishing attacks, particularly where exposed records include identity documents, financial data and sensitive personal characteristics.

The University of Nottingham Students’ Union advised students to monitor university communications, use the dedicated support line and remain cautious about unexpected emails, messages or calls.

Why does it matter?

The breach highlights the scale of cyber risk facing higher education institutions, which hold large volumes of sensitive personal, financial and academic data. Exposure of passport numbers, contact details, protected characteristics and payment-related information can create long-term risks for students and alums. The incident also points to the importance of third-party platform security and clear breach communication, especially when student record systems are involved.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

New AI breakthrough in cardiology balances patient data privacy and diagnosis

Researchers at the University of Kansas have developed a new AI model designed to improve the analysis of electrocardiogram (ECG) data while strengthening protections for patient privacy. The innovation responds to growing concerns that AI-enhanced ECGs can reveal sensitive personal attributes beyond heart activity.

The model, known as PP-VAE, aims to preserve clinically relevant insights, such as indicators of heart disease and mortality risk, while reducing the risk of exposing biometric and demographic information, including age and sex. The system uses advanced neural network architectures to separate clinically relevant signals from identifiable personal characteristics.

Published in Scientific Reports, the study highlights the model’s ability to predict outcomes such as left ventricular ejection fraction (LVEF) while limiting the disclosure of personal information. Researchers report that the system performs competitively compared with existing machine-learning approaches, while improving privacy safeguards.

The researchers also emphasised the importance of reducing bias and improving the representativeness of medical AI systems. Future plans include testing the model across more diverse datasets and releasing it publicly to support safer sharing of ECG data between healthcare institutions.

Why does it matter?

The development might be a critical turning point in medical AI, where improving diagnostic accuracy must be balanced with safeguarding highly sensitive patient information.

As healthcare systems increasingly rely on AI-driven analysis of ECGs and other clinical data, the ability to prevent unintended identification of individuals becomes essential for maintaining trust, enabling secure cross-institutional data sharing, and ensuring compliance with privacy standards.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Diplo chatbot can make mistakes. Consider checking important information.