Privacy and data protection

Australia’s regulator targets AI-nudify platform over child safety and deepfake risks

Australia’s eSafety Commissioner has begun enforcement action against another AI-powered ‘nudify’ service accused of failing to protect children from exposure to sexually explicit deepfake images.

The regulator issued a formal Direction to Comply to one of the most visited nudify services in Australia, giving the provider 14 days to implement stronger protections preventing children from accessing the platform. eSafety said the service allows users to upload images of real people and generate sexually explicit deepfake content on demand.

The regulator warned that such technologies can facilitate non-consensual exploitation, cyberbullying, sexual extortion, image-based sexual abuse, misogynistic harassment and exploitation of minors. The service had attracted nearly 40,000 Australian visits per month as of March 2026, following a sharp increase in traffic over the previous six months.

The enforcement action was taken under Australia’s Age-Restricted Material Codes, which came into force in March 2026. The codes are designed to prevent children from accessing or being exposed to age-restricted material, including pornography, high-impact violence, self-harm, suicide or disordered eating content.

eSafety said the Argentina-based provider failed to respond to earlier engagement after the codes took effect and had not committed to improving protections for children. The regulator chose not to name the service to avoid inadvertently promoting it.

If the service does not meet the requirements within the 14-day timeframe, eSafety may pursue further action, including civil penalties of up to AU$49.5 million and delisting notices to search engine providers that help facilitate access to the site.

The action follows earlier enforcement in late 2025 that led three widely used nudify services, which had reportedly been used to generate child sexual exploitation material in schools, to withdraw from Australia. Those services have since relaunched under new ownership with additional safety measures, including mandatory age assurance.

Why does it matter?

The case shows how online safety regulators are beginning to apply age-assurance and child protection rules directly to generative AI services. Nudify platforms are treated as high-risk because they can enable non-consensual sexualised deepfakes, image-based abuse and exploitation involving minors at scale. Australia’s enforcement approach also signals that regulators may target foreign-based AI services when they are accessible to local users and fail to implement safeguards.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

CNIL reports record complaints and data breaches

The French data protection authority CNIL reported a record year in 2025 for complaints, fines and data breach notifications, while preparing for new responsibilities under the EU AI Act.

CNIL received 20,150 complaints in 2025, up 10% from 2024. The complaints covered issues linked to work, commerce, real estate, social networks and data breaches, with around 1,900 complaints directly concerning breaches.

The authority also received 6,167 data breach notifications, an increase of 9.5% from 2024. Hacking accounted for one in two reported incidents, while cybersecurity failures represented one-third of investigations and nearly 30% of sanctions.

In total, CNIL carried out 323 investigations and issued 259 corrective measures, including 83 sanctions worth nearly €487 million. Two major sanctions accounted for a large share of the total, while the simplified procedure introduced in 2022 allowed faster action in less complex cases.

Cybersecurity will become an even bigger enforcement focus in 2026, with CNIL planning to devote 50% of its controls and enforcement actions to data security. Checks will focus on organisations affected by breaches, those subject to complaints and sectors processing large volumes of sensitive or highly personal data.

The report also highlights CNIL’s role in supporting professionals and public authorities. In 2025, it processed 539 health authorisation applications, handled 1,351 professional advice requests, delivered 90 opinions on draft laws or regulatory texts and launched seven public consultations.

On AI, CNIL is already designated to monitor prohibited uses under the EU AI Act and is expected to become the market surveillance authority for certain high-risk AI systems, including in biometrics, migration, law enforcement, employment and education.

The authority also published AI resources for designers and developers, developed a traceability tool for open-source AI models and joined the PANAME project with ANSSI, Inria and PEReN to test whether AI models process personal data.

Why does it matter?

CNIL’s annual report shows how data protection enforcement is increasingly shaped by cybersecurity and AI. Record breach notifications and complaints point to growing pressure on organisations to secure personal data, while CNIL’s future AI Act responsibilities place the authority at the centre of France’s oversight of prohibited and high-risk AI systems.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Hong Kong checks AI privacy compliance across sectors

Hong Kong’s Office of the Privacy Commissioner for Personal Data has completed compliance checks on 60 organisations to assess how AI use affects personal data privacy.

The checks, launched in January 2026, covered sectors including banking and finance, education, government departments, insurance, medical services, telecommunications, transport, accounting, food and beverage, logistics, property management, and innovation and technology. The PCPD found no contravention of the Personal Data (Privacy) Ordinance during the exercise.

Among the organisations reviewed, 57 (95%) used AI in day-to-day operations, an increase of 15 percentage points from the previous round of checks. Around 79% of those organisations had used AI for more than a year, while 51% used three or more AI systems.

AI systems were mainly used for administrative support, customer service, research and development, marketing, compliance and risk management, human resources, corporate communications, cybersecurity and data analysis.

Of the 57 organisations using AI, 24 collected or used personal data through AI systems. All provided Personal Information Collection Statements before or during data collection and implemented security measures such as access controls, encryption, penetration testing and anonymisation.

The PCPD found that 23 of those 24 organisations tested AI systems before implementation, while 19 conducted privacy impact assessments. Nineteen adopted a human-in-the-loop approach, and five used a human-in-command model for oversight.

The checks also found that 19 organisations had established AI governance structures, while 17 had internal policies or guidelines for employees’ use of generative AI at work. Twenty organisations provided AI-related training, with most including content on privacy risks.

Also, the PCPD recommended that organisations using AI comply with the Personal Data (Privacy) Ordinance, establish internal governance structures, provide staff training, adopt incident response plans, conduct risk and privacy impact assessments, and regularly audit AI systems. It also urged organisations to use agentic AI prudently by limiting access rights, assessing data sensitivity and maintaining system and data security.

Why does it matter?

The checks show that AI is becoming embedded in business and public-sector operations in Hong Kong, including in areas involving personal data. The PCPD’s findings suggest that many organisations are beginning to adopt safeguards such as impact assessments, human oversight and AI governance structures, while its warnings on agentic AI point to growing concern over systems that can act with greater autonomy and access sensitive data.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Global Network Initiative raises concerns over India’s proposed IT rules amendments

The Global Network Initiative has raised concerns over India’s Draft Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Second Amendment Rules, 2026, warning that the proposals could affect privacy, free expression, and access to information.

The draft amendments were published by India’s Ministry of Electronics and Information Technology on 30 March 2026. GNI said the proposals, although described as procedural and clarificatory, could introduce broader changes to intermediary liability and digital media regulation.

The organisation warns that amendments to Rules 3(1)(g) and 3(1)(h) would require intermediaries to retain user data for at least 180 days, regardless of whether the original purpose for collecting the data has been fulfilled. According to GNI, the proposed data retention requirements could conflict with principles contained in India’s Digital Personal Data Protection Act.

GNI also criticises the proposed insertion of Rule 3(4), which would require platforms to comply with a broad range of executive instruments as a condition for retaining safe harbour protections. GNI said the proposal could expand the practical effect of executive advisories and guidelines on platform moderation decisions.

The statement also raises concerns about proposed changes to Rules 8 and 14, which would extend the Code of Ethics and the authority of the Inter-Departmental Committee to intermediaries and users who share news and current affairs content, even when they are not recognised publishers. According to GNI, the proposed changes could extend aspects of content regulation to users sharing news and current affairs content online.

GNI said the draft amendments could increase regulatory oversight of digital platforms and online content. The organisation said the proposals could affect debates around intermediary liability, platform governance, and digital expression.

GNI called on the Government of India to revise the proposals and consult civil society, industry, and technical experts.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Australia’s WGEA outlines AI transparency rules for internal use

Australia’s Workplace Gender Equality Agency has published an AI transparency statement outlining how it uses AI internally, in line with the Digital Transformation Agency’s Policy for the Responsible Use of AI in Government.

The agency uses AI to enhance workplace productivity and support internal service delivery processes, including case management, in a controlled and human-centred manner. It does not use AI for statutory decision-making, compliance determinations, auditing outcomes or enforcement actions.

Internally, AI helps staff manage and respond to enquiries using approved information sources. All outputs are reviewed and approved by WGEA staff before use, and AI-generated material remains advisory only.

The agency does not use AI systems to interact directly with the public or make decisions affecting individuals without human involvement. External communications are reviewed and issued by WGEA staff.

The statement notes that AI does not change WGEA’s accountability for the accuracy, quality or appropriateness of information provided. The agency also monitors usage levels, outcomes and reporting mechanisms to ensure systems operate as intended and align with responsible AI principles.

WGEA designated its Chief Operating Officer as the accountable official on 19 December 2024. The role is responsible for ensuring AI use complies with relevant legislation, whole-of-government policy and internal governance arrangements.

Why does it matter?

The statement shows how public bodies are beginning to formalise transparency around internal AI use, even when systems are not used for direct public interaction or decision-making. By limiting AI to advisory functions, requiring human review and naming an accountable official, WGEA is setting out a practical governance model for low-risk public-sector AI use.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

OpenAI tests financial data integration in ChatGPT

OpenAI has launched a preview of a personal finance experience in ChatGPT for Pro users in the United States. The feature allows users to connect financial accounts, view a dashboard, and ask questions based on their financial data.

The feature is available on web and iOS apps and supports more than 12,000 financial institutions. OpenAI said the preview will initially be available to a smaller group of users before expanding more broadly.

Users can connect accounts through Plaid, with Intuit support planned. Once authenticated, ChatGPT syncs and categorises financial data, allowing users to view portfolio performance, spending, subscriptions, upcoming payments, and other financial activity.

OpenAI said the feature supports questions related to budgeting, planning, subscriptions, investments, and spending activity. OpenAI said ChatGPT is intended to help users review financial information but is not a substitute for professional financial advice.

Users can also choose to save financial context as ‘Financial memories’ for future conversations, according to OpenAI. OpenAI says those memories are a dedicated type of memory used specifically for financial conversations and can be viewed or deleted from the Finances page.

OpenAI said connected accounts allow access to balances, transactions, investments, and liabilities, but not full account numbers or account controls. Users can disconnect accounts at any time, after which synced account data will be deleted from OpenAI’s systems within 30 days.

Conversations with connected financial accounts default to GPT-5.5 Thinking. OpenAI said it worked with finance professionals to evaluate the feature on personal finance tasks and response quality.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

YouTube expands AI likeness detection tool to more creators

YouTube said it is expanding its AI likeness detection tool to all eligible creators over 18, allowing more users to identify and request the removal of unauthorised AI-generated videos that use their facial likeness.

The company said the feature, available through YouTube Studio, is intended to detect altered or synthetic videos that may depict a user’s face. Once enrolled, users can review detected matches and request the removal of content that violates YouTube’s Privacy Guidelines.

The platform said likeness detection had recently been introduced as a pilot for creators in the YouTube Partner Program and will now roll out gradually over the coming weeks to all eligible creators aged 18 or older.

YouTube said the tool is intended to help users understand where their likeness appears, safeguard their identity, and protect audiences from being misled by AI-generated depictions.

To enrol, users must grant the platform permission to use likeness-detection technology and complete a one-time verification process. According to YouTube, the tool works only on facial likeness and does not cover other identifying features such as voice.

YouTube said removal requests will be assessed under YouTube’s privacy policy, including whether the content is realistic, whether it is labelled as AI-generated, and whether the person can be uniquely identified. The company also provides exceptions for content such as parody or satire.

YouTube spokesperson Jack Malon said:

‘With this expansion, we’re making clear that whether creators have been uploading to YouTube for a decade or are just starting, they’ll have access to the same level of protection.’

The expansion follows earlier testing with creators and broader availability for groups including public officials, politicians, journalists, and the entertainment industry. It comes amid growing concern about deepfakes affecting both public figures and private individuals.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Ghana launches WHO-UNDP programme on AI-driven health system resilience

Ghana has launched an AI-driven health programme aimed at strengthening its healthcare system, improving resilience and protecting vulnerable communities.

The initiative is a joint programme by the World Health Organization and the UN Development Programme, funded by the Government of Japan through the UN Trust Fund for Human Security. It is being implemented in collaboration with Ghana’s Ministry of Health.

The programme focuses on integrating AI into Ghana’s health systems in an ethical, inclusive and people-centred way. It aims to strengthen AI governance, protect health data, build institutional and workforce capacity, and expand digital literacy among healthcare workers and communities.

A key component includes the deployment of AI-enabled early warning systems for climate-sensitive diseases, integrated into national platforms such as DHIS2. The programme will also support responsible private-sector engagement in digital health.

Speaking at the launch, WHO Representative to Ghana said the programme would strengthen the country’s digital health ecosystem by advancing AI governance, safeguarding health data and preparing a workforce able to deliver people-centred care.

UNDP Resident Representative Niloy Bernejee said strengthening health systems and responsible digital innovation could reinforce stability, build resilience and support sustainable development.

The initiative is grounded in a human security approach, focusing on protecting and empowering vulnerable and marginalised populations while improving equitable access to digital health solutions.

Why does it matter?

The programme shows how AI is being integrated into health systems not only as a technical tool, but as part of broader governance, resilience and equity planning. By combining early warning systems for climate-sensitive diseases with data protection, workforce training and digital literacy, Ghana is addressing both immediate healthcare needs and longer-term capacity gaps in responsible digital health.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Global experts gather for CPDP 2026

The CPDP Conference 2026 has released its detailed programme, outlining a multi-day agenda of panels, workshops and cultural sessions focused on AI, data protection and digital governance. The conference will run from 19 to 22 May 2026, bringing together global experts across policy, academia and industry.

Across the programme, a wide range of panels and debates will explore key themes including AI regulation, digital governance, workplace data rights and platform power. Alongside panels and discussions, there will also be short movies and workshops offering conference topics in different formats.

Workshops are scheduled throughout each day, with structured breaks including coffee sessions and lunch intervals offering networking moments for participants. Topics range from AI in healthcare and advertising to digital conflict, governance under pressure and privacy-preserving technologies.

The programme also includes specialised tracks and cultural sessions, such as film screenings and artistic discussions on algorithmic systems, alongside academic panels and policy debates. The event will conclude after a final series of workshops and sessions on 22 May in Brussels, Belgium.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

UK proposes stronger streaming rules under new Ofcom standards

Ofcom has proposed new content and accessibility standards for major streaming platforms operating in the UK, expanding regulatory oversight across the rapidly growing on-demand media sector. The draft framework follows powers introduced through the Media Act and would align streaming services more closely with traditional broadcast television standards.

The proposed rules would apply to major platforms including Netflix, Amazon and Disney. Ofcom said audiences increasingly expect consistent protections regardless of whether content is viewed through conventional television or streaming services.

The draft Code includes requirements covering harmful or offensive material, fairness and privacy protections, and due impartiality and accuracy for news content. Additional safeguards for minors would also apply, alongside stronger expectations around contextual warnings and viewer information.

Ofcom also proposed new accessibility obligations for streaming providers. Under the draft rules, platforms would need to subtitle 80% of catalogue content, provide audio description for 10%, and provide signing for 5%. The regulator said that more than 18 million people with hearing or sight conditions could benefit from improved accessibility standards across streaming platforms.

Why does it matter?

The proposals signal a major shift in how digital media platforms are regulated in the UK, extending broadcast-style obligations into streaming ecosystems for the first time. The measures could influence global debates around platform accountability, online safety, accessibility standards, and regulatory convergence between traditional media and digital services.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.