CNIL reports record complaints and data breaches

The French data protection authority CNIL reported a record year in 2025 for complaints, fines and data breach notifications, while preparing for new responsibilities under the EU AI Act.

CNIL received 20,150 complaints in 2025, up 10% from 2024. The complaints covered issues linked to work, commerce, real estate, social networks and data breaches, with around 1,900 complaints directly concerning breaches.

The authority also received 6,167 data breach notifications, an increase of 9.5% from 2024. Hacking accounted for one in two reported incidents, while cybersecurity failures represented one-third of investigations and nearly 30% of sanctions.

In total, CNIL carried out 323 investigations and issued 259 corrective measures, including 83 sanctions worth nearly €487 million. Two major sanctions accounted for a large share of the total, while the simplified procedure introduced in 2022 allowed faster action in less complex cases.

Cybersecurity will become an even bigger enforcement focus in 2026, with CNIL planning to devote 50% of its controls and enforcement actions to data security. Checks will focus on organisations affected by breaches, those subject to complaints and sectors processing large volumes of sensitive or highly personal data.

The report also highlights CNIL’s role in supporting professionals and public authorities. In 2025, it processed 539 health authorisation applications, handled 1,351 professional advice requests, delivered 90 opinions on draft laws or regulatory texts and launched seven public consultations.

On AI, CNIL is already designated to monitor prohibited uses under the EU AI Act and is expected to become the market surveillance authority for certain high-risk AI systems, including in biometrics, migration, law enforcement, employment and education.

The authority also published AI resources for designers and developers, developed a traceability tool for open-source AI models and joined the PANAME project with ANSSI, Inria and PEReN to test whether AI models process personal data.

Why does it matter?

CNIL’s annual report shows how data protection enforcement is increasingly shaped by cybersecurity and AI. Record breach notifications and complaints point to growing pressure on organisations to secure personal data, while CNIL’s future AI Act responsibilities place the authority at the centre of France’s oversight of prohibited and high-risk AI systems.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Hong Kong checks AI privacy compliance across sectors

Hong Kong’s Office of the Privacy Commissioner for Personal Data has completed compliance checks on 60 organisations to assess how AI use affects personal data privacy.

The checks, launched in January 2026, covered sectors including banking and finance, education, government departments, insurance, medical services, telecommunications, transport, accounting, food and beverage, logistics, property management, and innovation and technology. The PCPD found no contravention of the Personal Data (Privacy) Ordinance during the exercise.

Among the organisations reviewed, 57 (95%) used AI in day-to-day operations, an increase of 15 percentage points from the previous round of checks. Around 79% of those organisations had used AI for more than a year, while 51% used three or more AI systems.

AI systems were mainly used for administrative support, customer service, research and development, marketing, compliance and risk management, human resources, corporate communications, cybersecurity and data analysis.

Of the 57 organisations using AI, 24 collected or used personal data through AI systems. All provided Personal Information Collection Statements before or during data collection and implemented security measures such as access controls, encryption, penetration testing and anonymisation.

The PCPD found that 23 of those 24 organisations tested AI systems before implementation, while 19 conducted privacy impact assessments. Nineteen adopted a human-in-the-loop approach, and five used a human-in-command model for oversight.

The checks also found that 19 organisations had established AI governance structures, while 17 had internal policies or guidelines for employees’ use of generative AI at work. Twenty organisations provided AI-related training, with most including content on privacy risks.

The PCPD also recommended that organisations using AI comply with the Personal Data (Privacy) Ordinance, establish internal governance structures, provide staff training, adopt incident response plans, conduct risk and privacy impact assessments, and regularly audit AI systems. It also urged organisations to use agentic AI prudently by limiting access rights, assessing data sensitivity and maintaining system and data security.

Why does it matter?

The checks show that AI is becoming embedded in business and public-sector operations in Hong Kong, including in areas involving personal data. The PCPD’s findings suggest that many organisations are beginning to adopt safeguards such as impact assessments, human oversight and AI governance structures, while its warnings on agentic AI point to growing concern over systems that can act with greater autonomy and access sensitive data.


Global Network Initiative raises concerns over India’s proposed IT rules amendments

The Global Network Initiative has raised concerns over India’s Draft Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Second Amendment Rules, 2026, warning that the proposals could affect privacy, free expression, and access to information.

The draft amendments were published by India’s Ministry of Electronics and Information Technology on 30 March 2026. GNI said the proposals, although described as procedural and clarificatory, could introduce broader changes to intermediary liability and digital media regulation.

The organisation warns that amendments to Rules 3(1)(g) and 3(1)(h) would require intermediaries to retain user data for at least 180 days, regardless of whether the original purpose for collecting the data has been fulfilled. According to GNI, the proposed data retention requirements could conflict with principles contained in India’s Digital Personal Data Protection Act.

GNI also criticises the proposed insertion of Rule 3(4), which would require platforms to comply with a broad range of executive instruments as a condition for retaining safe harbour protections. GNI said the proposal could expand the practical effect of executive advisories and guidelines on platform moderation decisions.

The statement also raises concerns about proposed changes to Rules 8 and 14, which would extend the Code of Ethics and the authority of the Inter-Departmental Committee to intermediaries and users who share news and current affairs content, even when they are not recognised publishers. According to GNI, the proposed changes could extend aspects of content regulation to users sharing news and current affairs content online.

GNI said the draft amendments could increase regulatory oversight of digital platforms and online content. The organisation said the proposals could affect debates around intermediary liability, platform governance, and digital expression.

GNI called on the Government of India to revise the proposals and consult civil society, industry, and technical experts.


Australia’s WGEA outlines AI transparency rules for internal use

Australia’s Workplace Gender Equality Agency has published an AI transparency statement outlining how it uses AI internally, in line with the Digital Transformation Agency’s Policy for the Responsible Use of AI in Government.

The agency uses AI to enhance workplace productivity and support internal service delivery processes, including case management, in a controlled and human-centred manner. It does not use AI for statutory decision-making, compliance determinations, auditing outcomes or enforcement actions.

Internally, AI helps staff manage and respond to enquiries using approved information sources. All outputs are reviewed and approved by WGEA staff before use, and AI-generated material remains advisory only.

The agency does not use AI systems to interact directly with the public or make decisions affecting individuals without human involvement. External communications are reviewed and issued by WGEA staff.

The statement notes that AI does not change WGEA’s accountability for the accuracy, quality or appropriateness of information provided. The agency also monitors usage levels, outcomes and reporting mechanisms to ensure systems operate as intended and align with responsible AI principles.

WGEA designated its Chief Operating Officer as the accountable official on 19 December 2024. The role is responsible for ensuring AI use complies with relevant legislation, whole-of-government policy and internal governance arrangements.

Why does it matter?

The statement shows how public bodies are beginning to formalise transparency around internal AI use, even when systems are not used for direct public interaction or decision-making. By limiting AI to advisory functions, requiring human review and naming an accountable official, WGEA is setting out a practical governance model for low-risk public-sector AI use.


OpenAI tests financial data integration in ChatGPT

OpenAI has launched a preview of a personal finance experience in ChatGPT for Pro users in the United States. The feature allows users to connect financial accounts, view a dashboard, and ask questions based on their financial data.

The feature is available on web and iOS apps and supports more than 12,000 financial institutions. OpenAI said the preview will initially be available to a smaller group of users before expanding more broadly.

Users can connect accounts through Plaid, with Intuit support planned. Once authenticated, ChatGPT syncs and categorises financial data, allowing users to view portfolio performance, spending, subscriptions, upcoming payments, and other financial activity.

OpenAI said the feature supports questions related to budgeting, planning, subscriptions, investments, and spending activity. It added that ChatGPT is intended to help users review financial information but is not a substitute for professional financial advice.

Users can also choose to save financial context as ‘Financial memories’ for future conversations, according to OpenAI. OpenAI says those memories are a dedicated type of memory used specifically for financial conversations and can be viewed or deleted from the Finances page.

OpenAI said connected accounts allow access to balances, transactions, investments, and liabilities, but not full account numbers or account controls. Users can disconnect accounts at any time, after which synced account data will be deleted from OpenAI’s systems within 30 days.

Conversations with connected financial accounts default to GPT-5.5 Thinking. OpenAI said it worked with finance professionals to evaluate the feature on personal finance tasks and response quality.


YouTube expands AI likeness detection tool to more creators

YouTube said it is expanding its AI likeness detection tool to all eligible creators over 18, allowing more users to identify and request the removal of unauthorised AI-generated videos that use their facial likeness.

The company said the feature, available through YouTube Studio, is intended to detect altered or synthetic videos that may depict a user’s face. Once enrolled, users can review detected matches and request the removal of content that violates YouTube’s Privacy Guidelines.

The platform said likeness detection had recently been introduced as a pilot for creators in the YouTube Partner Program and will now roll out gradually over the coming weeks to all eligible creators aged 18 or older.

YouTube said the tool is intended to help users understand where their likeness appears, safeguard their identity, and protect audiences from being misled by AI-generated depictions.

To enrol, users must grant the platform permission to use likeness-detection technology and complete a one-time verification process. According to YouTube, the tool works only on facial likeness and does not cover other identifying features such as voice.

YouTube said removal requests will be assessed under YouTube’s privacy policy, including whether the content is realistic, whether it is labelled as AI-generated, and whether the person can be uniquely identified. The company also provides exceptions for content such as parody or satire.

YouTube spokesperson Jack Malon said:

‘With this expansion, we’re making clear that whether creators have been uploading to YouTube for a decade or are just starting, they’ll have access to the same level of protection.’

The expansion follows earlier testing with creators and broader availability for groups including public officials, politicians, journalists, and the entertainment industry. It comes amid growing concern about deepfakes affecting both public figures and private individuals.


Ghana launches WHO-UNDP programme on AI-driven health system resilience

Ghana has launched an AI-driven health programme aimed at strengthening its healthcare system, improving resilience and protecting vulnerable communities.

The initiative is a joint programme by the World Health Organization and the UN Development Programme, funded by the Government of Japan through the UN Trust Fund for Human Security. It is being implemented in collaboration with Ghana’s Ministry of Health.

The programme focuses on integrating AI into Ghana’s health systems in an ethical, inclusive and people-centred way. It aims to strengthen AI governance, protect health data, build institutional and workforce capacity, and expand digital literacy among healthcare workers and communities.

A key component includes the deployment of AI-enabled early warning systems for climate-sensitive diseases, integrated into national platforms such as DHIS2. The programme will also support responsible private-sector engagement in digital health.

Speaking at the launch, the WHO Representative to Ghana said the programme would strengthen the country’s digital health ecosystem by advancing AI governance, safeguarding health data and preparing a workforce able to deliver people-centred care.

UNDP Resident Representative Niloy Banerjee said strengthening health systems and responsible digital innovation could reinforce stability, build resilience and support sustainable development.

The initiative is grounded in a human security approach, focusing on protecting and empowering vulnerable and marginalised populations while improving equitable access to digital health solutions.

Why does it matter?

The programme shows how AI is being integrated into health systems not only as a technical tool, but as part of broader governance, resilience and equity planning. By combining early warning systems for climate-sensitive diseases with data protection, workforce training and digital literacy, Ghana is addressing both immediate healthcare needs and longer-term capacity gaps in responsible digital health.


Global experts gather for CPDP 2026

The CPDP Conference 2026 has released its detailed programme, outlining a multi-day agenda of panels, workshops and cultural sessions focused on AI, data protection and digital governance. The conference will run from 19 to 22 May 2026, bringing together global experts across policy, academia and industry.

Across the programme, a wide range of panels and debates will explore key themes including AI regulation, digital governance, workplace data rights and platform power. Alongside panels and discussions, there will also be short movies and workshops presenting conference topics in different formats.

Workshops are scheduled throughout each day, with structured breaks including coffee sessions and lunch intervals offering networking moments for participants. Topics range from AI in healthcare and advertising to digital conflict, governance under pressure and privacy-preserving technologies.

The programme also includes specialised tracks and cultural sessions, such as film screenings and artistic discussions on algorithmic systems, alongside academic panels and policy debates. The event will conclude after a final series of workshops and sessions on 22 May in Brussels, Belgium.


UK proposes stronger streaming rules under new Ofcom standards

Ofcom has proposed new content and accessibility standards for major streaming platforms operating in the UK, expanding regulatory oversight across the rapidly growing on-demand media sector. The draft framework follows powers introduced through the Media Act and would align streaming services more closely with traditional broadcast television standards.

The proposed rules would apply to major platforms including Netflix, Amazon and Disney. Ofcom said audiences increasingly expect consistent protections regardless of whether content is viewed through conventional television or streaming services.

The draft Code includes requirements covering harmful or offensive material, fairness and privacy protections, and due impartiality and accuracy for news content. Additional safeguards for minors would also apply, alongside stronger expectations around contextual warnings and viewer information.

Ofcom also proposed new accessibility obligations for streaming providers. Under the draft rules, platforms would need to subtitle 80% of catalogue content, provide audio description for 10%, and provide signing for 5%. The regulator said that more than 18 million people with hearing or sight conditions could benefit from improved accessibility standards across streaming platforms.

Why does it matter?

The proposals signal a major shift in how digital media platforms are regulated in the UK, extending broadcast-style obligations into streaming ecosystems for the first time. The measures could influence global debates around platform accountability, online safety, accessibility standards, and regulatory convergence between traditional media and digital services.


ICO warns organisations about growing AI cyber threats

The UK Information Commissioner’s Office has warned that AI is enabling faster, more advanced and harder-to-detect cyberattacks, urging organisations to strengthen their defences against emerging threats.

In a blog post, the regulator highlighted risks such as AI-generated phishing emails, deepfake social engineering, automated vulnerability scanning, AI-powered malware, credential attacks, data poisoning and indirect prompt injection. The ICO said cybersecurity must be treated as a shared responsibility, with organisations expected to take proactive steps to protect the personal data they hold.

The ICO said strong foundational security measures remain essential, but should be reinforced with layered defences to counter AI-powered threats. It pointed to practical steps such as patching systems, restricting access through multi-factor authentication, applying least-privilege principles and managing supplier risks.

The recommendations also include monitoring systems for unusual activity, carrying out vulnerability scanning and penetration testing, and maintaining regularly tested incident response plans. The ICO said AI can also support cyber defence, but should operate within a clear framework of human oversight and accountability.

Organisations are further advised to minimise data collection, conduct regular data audits and train staff to recognise AI-powered social engineering attacks. The ICO said AI tools processing high-risk personal data should be supported by data protection impact assessments and appropriate safeguards.

Why does it matter?

The ICO’s warning links AI-powered cyber threats directly to data protection obligations. As attackers use AI to scale phishing, exploit vulnerabilities and impersonate trusted contacts, organisations are expected not only to improve technical security, but also to limit the personal data they hold, strengthen governance and prepare for faster-moving incidents.
