Privacy and data protection

EDPS debate to examine EU Omnibus data protection proposals

The European Data Protection Supervisor (EDPS), Germany’s Federal Commissioner for Data Protection and Freedom of Information, and the Bavarian Data Protection Commissioner will host a high-level debate on the European Commission’s Omnibus proposals. The event, titled ‘From Omnibus to Opportunity: Driving Data Protection and Innovation’, will take place in Brussels on 8 June.

The debate will examine the Omnibus proposals and their potential implications for the GDPR and the wider EU digital regulatory framework. The event is hosted by the Representation of the Free State of Bavaria to the European Union.

According to the EDPS, the proposals introduce targeted adjustments affecting elements of the EU digital acquis, including aspects of the GDPR and the AI Act. Their stated objective is to simplify compliance requirements and reduce administrative burdens while maintaining a high level of protection for fundamental rights.

Discussions will focus on legal certainty, regulatory coherence, preserving the GDPR’s level of protection, and identifying ways to strengthen fundamental rights, innovation and competitiveness across the EU.

Participants are expected to include representatives from the European Parliament, the Council of the European Union, the European Commission, data protection authorities, academia, civil society and the private sector.

Why does it matter?

The Omnibus proposals have become a focal point in wider debates about how the European Union can strengthen competitiveness and innovation while preserving high standards of data protection and fundamental rights.

The discussion highlights growing efforts to balance regulatory simplification with legal certainty and effective safeguards, particularly as the EU seeks to implement complex frameworks such as the GDPR and AI Act while supporting digital innovation and economic growth.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

India targets dark patterns with fines for PhysicsWallah and McAfee

India’s Central Consumer Protection Authority has fined PhysicsWallah and McAfee Software India for using dark patterns that the regulator said misled consumers and influenced their choices on digital platforms.

PhysicsWallah was fined ₹5 lakh, while McAfee was fined ₹1 lakh. Both companies were directed to remove the practices from their platforms and ensure that users can make informed choices without pressure or manipulation.

The action was taken under the Consumer Protection Act 2019, the Consumer Protection (E-Commerce) Rules 2020, and the Guidelines for Prevention and Regulation of Dark Patterns 2023.

In the PhysicsWallah case, the regulator found that a ₹10 donation to the PW Foundation was automatically selected during checkout and added to the total payable amount without the consumer’s explicit consent. Users were also shown emotional messages related to children’s education, healthcare, and marriages that encouraged them to keep the donation selected.

The CCPA also found that courses advertised as free could only be accessed after users shared personal information such as a mobile number and email address. The regulator said the content remained the same across user accounts, indicating that mandatory data collection was not necessary to access the courses.

The authority identified basket sneaking, confirm shaming, and forced action in the PhysicsWallah case. It also said the practices raised serious consumer protection concerns because many users on the platform are students, including minors.

In the McAfee case, the CCPA found that users deciding whether to renew subscriptions were shown options such as ‘Renew Now’ and ‘Accept Risk’. The authority said the wording portrayed non-renewal as a risky decision and created pressure on consumers to continue their subscriptions.

The regulator identified confirmation shaming, interface interference, trick questions, and forced action in McAfee’s renewal process, saying consumers should be able to make subscription decisions freely and without fear-based messaging or misleading design.

The CCPA said the orders form part of its continued action against dark patterns in digital marketplaces. It reiterated that consumer consent must be explicit, informed, and free from manipulative design practices.

Why does it matter?

The penalties show that dark pattern rules in India are moving from guidance to enforcement. By targeting pre-selected donations, emotionally loaded opt-out messages, forced data sharing, and fear-based subscription renewal design, the CCPA is signalling that manipulative interface design can be treated as a consumer protection violation, not just a poor user experience.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Australia’s regulator warns of growing AI-powered sextortion threat

Australia’s eSafety Commissioner has launched a public awareness campaign warning that criminals are increasingly using AI and other digital tools in sextortion scams.

The initiative, titled ‘If sextortionists were honest’, uses generative AI to expose deceptive tactics used by online criminals targeting victims through dating apps and social media platforms.

According to eSafety, more than 3,300 reports of sexual extortion were received through its image-based abuse scheme in 2025. Eighty-six percent of reports came from males of all ages, while 42% of all sextortion reports involved males aged 18 to 24.

eSafety Commissioner Julie Inman Grant said offenders are already weaponising face-swapping and voice-cloning technologies, while using generative AI to create fake but convincing online characters and improve scam scripts that previously contained warning signs such as poor grammar or inconsistent messaging.

Reports made to eSafety show that first contact frequently occurs on platforms such as Tinder, Instagram, and Grindr, before conversations are moved to WhatsApp, Telegram, or other messaging apps. Offenders may then search victims’ social media accounts to identify family members and friends they can threaten to contact.

The regulator said overseas offenders often try to appear local and legitimate, including by spoofing Australian phone numbers, using intimate images taken from other victims, or using bank accounts belonging to previous victims to receive and move payments.

eSafety said the safest response is to stop contact, report the account to the platform, block the offender, preserve evidence where possible, and seek support rather than paying. The regulator also called on platforms to take proactive Safety by Design steps, including better language analysis, classifier-based detection, accessible reporting and blocking tools, swift removal pathways for image-based abuse, and cross-platform signal sharing.

Why does it matter?

The campaign shows how generative AI is making online coercion and scams harder to detect. Sextortion is no longer only a problem of fake accounts and blackmail messages: offenders can now use AI-generated personas, improved scripts, voice cloning, and deepfake-style techniques to build trust and pressure victims more effectively. That raises the importance of platform-level detection, user reporting tools, digital literacy, and victim support.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

UK Ofcom sets out AI safety and innovation strategy

Ofcom has outlined its approach to enabling safe and secure AI adoption across the UK communications sectors it regulates and within its own work.

The regulator said its approach is technology-neutral and outcomes-based, aligning AI oversight with its wider mission of making communications work for everyone while supporting innovation and growth.

Ofcom’s report uses case studies to show how AI is already shaping regulatory work and the sectors it oversees. Planned and recent initiatives include building a pilot data lake to make spectrum licensing and online safety data more accessible, engaging with innovators to identify regulatory uncertainty, and assessing public trust in AI chatbots.

The regulator is also examining the impact of AI on telecoms customer experience, exploring AI deployment in broadcasting, assessing AI use in cybersecurity for telecommunications networks, and considering how AI could support network management and optimisation.

Alongside innovation support, Ofcom said it is monitoring AI-related risks and emerging harms. Its work includes guidance on technology-led mitigation against deepfakes, research into chatbot-related harms, and action to address risks posed by AI systems to users.

Ofcom said it coordinated with the AI Security Institute and the National Cyber Security Centre to brief stakeholders on the frontier AI cybersecurity implications following Anthropic’s preview of Claude Mythos, which caused concern. It also said it launched a formal investigation into X’s Grok chatbot.

The regulator is also piloting responsible AI use internally, including tools to support policy development, research, consultation processes, tracking of technical standards, and operational efficiency. Ofcom said it will take a safety-first approach and roll out internal AI tools only once it is confident they are safe and secure.

Why does it matter?

Ofcom’s approach shows how AI governance is becoming operational inside sector regulators, not only debated at the government level. The strategy links innovation support with risk monitoring across online safety, telecoms, broadcasting, cybersecurity, spectrum management, and consumer protection. It also shows regulators experimenting with AI in their own workflows while trying to maintain safety, accountability, and public trust.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Tech firms and law enforcement disrupt Southeast Asia scam networks

A major international operation involving Meta, Microsoft, Coinbase, Starlink, and law enforcement agencies from several countries has disrupted large-scale criminal scam networks operating across Southeast Asia.

The coordinated effort combined digital intelligence, financial investigations, platform enforcement, and real-world law enforcement action to target organised groups responsible for online fraud, investment scams, and other cyber-enabled crimes.

According to Meta, the operation removed more than 1.4 million fraudulent accounts, pages, and groups across Facebook and Instagram. Microsoft suspended around 20,000 malicious accounts linked to scam activity, while Coinbase froze more than $3 million in cryptocurrency assets associated with criminal operations.

Starlink also shut down thousands of internet terminals allegedly used by fraud operations, while law enforcement authorities arrested 63 individuals linked to scam centres.

The initiative brought together the US Department of Justice, the FBI, the US Secret Service, the Royal Thai Police, and law enforcement agencies from the UK, Australia, Canada and New Zealand.

Meta said intelligence sharing between technology companies and law enforcement helped identify additional scam locations and uncover previously unknown criminal networks operating across multiple jurisdictions.

Why does it matter?

The operation shows how online scam networks now rely on a full digital stack: social media accounts, messaging, cryptocurrency payments, connectivity infrastructure, and cross-border money movement. Disrupting these networks increasingly requires coordination between platforms, financial services, internet providers, and law enforcement. The case also highlights the link between digital fraud and physical scam compounds in Southeast Asia, where cybercrime operations often operate across multiple jurisdictions.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

New Zealand’s NCSC warns frontier AI could amplify cybersecurity risks

New Zealand’s National Cyber Security Centre (NCSC) has issued guidance to help government agencies prepare for the cybersecurity implications of frontier AI systems. The advisory notes that frontier AI models may enable more advanced automation, reasoning and decision-making capabilities than previous generations of AI systems.

The guidance describes frontier AI as a dual-use technology, noting that the same capabilities that enhance cyber defence could also enable malicious actors to conduct cyber operations more quickly, at lower cost and on a larger scale. The NCSC warns that frontier AI could amplify risks associated with known vulnerabilities, legacy systems and poor cyber hygiene, creating what it describes as a ‘vulnerability storm’ for organisations.

According to the NCSC, organisations do not need access to the most advanced frontier AI models to strengthen their cyber resilience. Instead, it says effective readiness depends on existing cybersecurity mitigations and practices, including the New Zealand Information Security Manual, the NCSC Cyber Security Framework, Minimum Cyber Security Standards, and Protective Security Requirements.

The advisory urges government entities to treat several actions as immediate priorities, including reviewing compliance with existing standards, confirming executive accountability for frontier AI cyber risk, reviewing NCSC guidance, and identifying material gaps that AI-enabled threat actors could exploit.

The guidance also restates the NCSC Cyber Security Framework’s five functions: guide and govern, identify and understand, prevent and protect, detect and contain, and respond and recover. The advisory highlights a range of baseline cybersecurity measures, including risk management, security awareness, secure configuration, patch management, multi-factor authentication, least-privilege access controls, anomaly detection, data recovery and incident response planning.

Why does it matter?

Frontier AI is expected to increase the speed, scale and sophistication of cyber operations, potentially allowing attackers to identify vulnerabilities, automate exploitation and conduct campaigns more efficiently than before.

Rather than relying solely on new AI-specific defences, New Zealand’s guidance emphasises that strong cybersecurity fundamentals, including patching, access controls, monitoring and incident response, remain the most effective way to reduce risk. The advisory reflects a growing international view that AI is amplifying existing cyber challenges rather than replacing them with entirely new ones.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

OpenAI advocates for global action on youth AI safety

OpenAI has called for stronger international action on youth AI safety, including the creation of a dedicated institute to support common evidence, guidance, and safeguards for young users.

Ahead of the G7 Leaders’ Summit in Évian, France, the company said governments, researchers, civil society, and industry should work together to raise standards for safe and age-appropriate AI use by children and teenagers.

OpenAI said a dedicated youth AI safety institute could provide continuity beyond a single summit, helping stakeholders share evidence, develop guidance, and keep standards aligned with fast-moving AI systems. The company said such a body could take the form of a new international institute or an existing or newly created national AI institute with a global mandate.

The principles outlined by OpenAI include privacy-preserving age estimation, default safeguards when a user’s age is uncertain, annual youth safety risk assessments, accessible parental controls, clearer transparency about youth protections, and stronger protocols for serious safety situations involving self-harm, exploitation, grooming, sexually exploitative content, and other high-risk interactions.

The company also called for stronger protection of minors’ personal information, including prohibitions on privacy-invasive targeted advertising to young people and the sale of their personal information. It also said youth safety frameworks should promote AI literacy, learning, creativity, skill development, and future opportunities.

OpenAI said AI tools can help young people understand difficult concepts, practise languages, improve writing, learn to code, organise research, explore creative ideas, and prepare for changing labour markets. However, it argued that safeguards, family and educator guidance, and clear accountability mechanisms such as independent audits should support access.

The proposal builds on existing youth safety initiatives and education partnerships, including work with Common Sense Media, educators, and national education deployments in countries such as Estonia, Greece, and Singapore.

Why does it matter?

Youth AI safety is becoming a central policy issue as children and teenagers increasingly use AI tools for learning, creativity, social interaction, and everyday digital tasks. OpenAI’s proposal adds to pressure for international coordination on age-appropriate design, privacy, parental controls, safety protocols, and independent accountability. The G7 context also shows that youth AI safety is moving from product policy into broader debates over digital governance and education policy.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Liberties launches project on patient data and clinical AI accountability

The civil liberties organisation Liberties has launched the AI in the Healthcare Project to examine how personal data is used in the development and deployment of clinical AI systems.

The project, developed with Liberties member and partner organisations and independent expert Júlia Keserű, aims to improve transparency, accountability, and data protection practices in healthcare AI.

According to Liberties, the first phase will gather information through literature review, stakeholder consultations, interviews, freedom of information requests, and GDPR-based data subject access requests. Requests will be submitted to government agencies, regulatory bodies, public health authorities, publicly funded hospitals, and research institutions.

A second phase, led by Liberties, will focus on capacity development for watchdog organisations and civil society groups. The organisation said the work will provide methodologies, research tools, and collaboration platforms to help groups independently monitor the development and use of health AI systems.

The final stage will develop policy recommendations at the EU and national levels to promote responsible, transparent, and accountable health data practices. The recommendations will also seek to support compliance with existing frameworks such as the AI Act and the GDPR.

Liberties said AI systems are increasingly being integrated into healthcare, relying on data from sources such as electronic health records, wearable devices, mobile health apps, genetic testing services, and data brokers. However, it warned that transparency around data sources and their integration into clinical AI systems remains limited, creating risks to privacy, human rights, security, and safe use.

Why does it matter?

The project targets one of the most sensitive areas of AI deployment: healthcare systems that rely on personal and health data. As clinical AI tools become more common, questions about data sources, consent, transparency, GDPR rights, and accountability will become central to whether patients can trust AI-supported healthcare.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

IWF, PIR and NetBeacon expand cooperation against online child abuse content

The Internet Watch Foundation (IWF) has announced a new partnership with Public Interest Registry (PIR) and the NetBeacon Institute aimed at strengthening efforts to identify and disrupt online child sexual abuse material (CSAM).

The initiative introduces a reporting mechanism that enables suspected child sexual abuse content to be reported through NetBeacon Reporter alongside existing DNS abuse categories, including phishing, malware and spam. Reports are forwarded to IWF analysts, who assess the material under UK law and initiate appropriate action when illegal content is confirmed.

The partnership also expands registrars’ access to IWF domain protection services. Through PIR sponsorship, registrars will be able to access IWF Domain Alerts and the Top-Level Domain Hopping List free of charge.

According to the organisations, the programme already covers approximately 55 million domains and is intended to make it more difficult for criminals to use domain infrastructure to host or distribute child sexual abuse material.

Why does it matter?

Child sexual abuse material remains a significant online safety challenge, requiring coordination across platforms, hosting providers, registries and registrars. Integrating CSAM reporting into existing DNS abuse workflows could help speed up the identification of illegal content and improve coordination between reporting mechanisms and domain operators.

The initiative also reflects growing efforts to use domain-level tools and threat intelligence services to disrupt the infrastructure that supports the distribution of harmful and illegal content online.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.