New Zealand’s National Cyber Security Centre (NCSC) has issued guidance to help government agencies prepare for the cybersecurity implications of frontier AI systems. The advisory notes that frontier AI models may enable more advanced automation, reasoning and decision-making capabilities than previous generations of AI systems.
The guidance describes frontier AI as a dual-use technology, noting that the same capabilities that enhance cyber defence could also enable malicious actors to conduct cyber operations more quickly, at lower cost and on a larger scale. The NCSC warns that frontier AI could amplify risks associated with known vulnerabilities, legacy systems and poor cyber hygiene, creating what it describes as a ‘vulnerability storm’ for organisations.
According to the NCSC, organisations do not need access to the most advanced frontier AI models to strengthen their cyber resilience. Instead, it says effective readiness depends on existing cybersecurity mitigations and practices, including the New Zealand Information Security Manual, the NCSC Cyber Security Framework, Minimum Cyber Security Standards, and Protective Security Requirements.
The advisory urges government entities to treat several actions as immediate priorities, including reviewing compliance with existing standards, confirming executive accountability for frontier AI cyber risk, reviewing NCSC guidance, and identifying material gaps that AI-enabled threat actors could exploit.
The guidance also restates the NCSC Cyber Security Framework’s five functions: guide and govern, identify and understand, prevent and protect, detect and contain, and respond and recover. The advisory highlights a range of baseline cybersecurity measures, including risk management, security awareness, secure configuration, patch management, multi-factor authentication, least-privilege access controls, anomaly detection, data recovery and incident response planning.
Why does it matter?
Frontier AI is expected to increase the speed, scale and sophistication of cyber operations, potentially allowing attackers to identify vulnerabilities, automate exploitation and conduct campaigns more efficiently than before.
Rather than relying solely on new AI-specific defences, New Zealand’s guidance emphasises that strong cybersecurity fundamentals, including patching, access controls, monitoring and incident response, remain the most effective way to reduce risk. The advisory reflects a growing international view that AI is amplifying existing cyber challenges rather than replacing them with entirely new ones.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
The settings are designed to provide more age-appropriate experiences by limiting teens’ exposure to content deemed unsuitable for younger users. On Facebook, the 13+ default setting is intended to hide inappropriate content in areas such as Feed and Reels, and to limit teens’ ability to interact with profiles, pages, groups, and events that primarily post inappropriate content.
On Messenger, the default setting limits teens’ ability to view links to inappropriate Facebook content or to chat with accounts that primarily share such content. Meta said its stricter Limited Content setting will also become available on Facebook and Messenger later in 2026.
The company is also testing new measures on Instagram to prevent teenagers from repeatedly viewing similar types of content in areas such as nutrition, weightlifting, and anxiety. Meta said such content can be useful, but should be balanced with other types of content rather than shown repeatedly.
Meta also highlighted findings from an external assessment conducted by Alice, formerly ActiveFence, a digital safety organisation. According to Meta, the review found that Instagram Teen Accounts using the default 13+ setting saw 68% less mature content than a leading competitor’s teen experience, while those using the stricter Limited Content setting saw 96% less.
The company said the assessment helped identify areas for improvement, including detecting accounts that regularly share age-inappropriate content and ensuring policy coverage for risky stunts and viral challenges. Meta said it updated its detection signals and policies in response, and will continue stress-testing and refining Teen Accounts.
Why does it matter?
Meta’s update shows how major platforms are expanding age-appropriate design and content-governance tools for younger users. The focus on repeated exposure to topics such as nutrition, weightlifting, and anxiety also reflects a broader shift in child online safety: platforms are not only trying to block clearly inappropriate content, but also to manage recommendation patterns that may affect young users’ well-being.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
Ahead of the G7 Leaders’ Summit in Évian, France, the company said governments, researchers, civil society, and industry should work together to raise standards for safe and age-appropriate AI use by children and teenagers.
OpenAI said a dedicated youth AI safety institute could provide continuity beyond a single summit, helping stakeholders share evidence, develop guidance, and keep standards aligned with fast-moving AI systems. The company said such a body could take the form of a new international institute or an existing or newly created national AI institute with a global mandate.
The principles outlined by OpenAI include privacy-preserving age estimation, default safeguards when a user’s age is uncertain, annual youth safety risk assessments, accessible parental controls, clearer transparency about youth protections, and stronger protocols for serious safety situations involving self-harm, exploitation, grooming, sexually exploitative content, and other high-risk interactions.
The company also called for stronger protection of minors’ personal information, including prohibitions on privacy-invasive targeted advertising to young people and the sale of their personal information. It also said youth safety frameworks should promote AI literacy, learning, creativity, skill development, and future opportunities.
OpenAI said AI tools can help young people understand difficult concepts, practise languages, improve writing, learn to code, organise research, explore creative ideas, and prepare for changing labour markets. However, it argued that safeguards, family and educator guidance, and clear accountability mechanisms such as independent audits should support access.
The proposal builds on existing youth safety initiatives and education partnerships, including work with Common Sense Media, educators, and national education deployments in countries such as Estonia, Greece, and Singapore.
Why does it matter?
Youth AI safety is becoming a central policy issue as children and teenagers increasingly use AI tools for learning, creativity, social interaction, and everyday digital tasks. OpenAI’s proposal adds to pressure for international coordination on age-appropriate design, privacy, parental controls, safety protocols, and independent accountability. The G7 context also shows that youth AI safety is moving from product policy into broader debates over digital governance and education policy.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
The civil liberties organisation Liberties has launched the AI in the Healthcare Project to examine how personal data is used in the development and deployment of clinical AI systems.
The project, developed with Liberties member and partner organisations and independent expert Júlia Keserű, aims to improve transparency, accountability, and data protection practices in healthcare AI.
According to Liberties, the first phase will gather information through literature review, stakeholder consultations, interviews, freedom of information requests, and GDPR-based data subject access requests. Requests will be submitted to government agencies, regulatory bodies, public health authorities, publicly funded hospitals, and research institutions.
A second phase, led by Liberties, will focus on capacity development for watchdog organisations and civil society groups. The organisation said the work will provide methodologies, research tools, and collaboration platforms to help groups independently monitor the development and use of health AI systems.
The final stage will develop policy recommendations at the EU and national levels to promote responsible, transparent, and accountable health data practices. The recommendations will also seek to support compliance with existing frameworks such as the AI Act and the GDPR.
Liberties said AI systems are increasingly being integrated into healthcare, relying on data from sources such as electronic health records, wearable devices, mobile health apps, genetic testing services, and data brokers. However, it warned that transparency around data sources and their integration into clinical AI systems remains limited, creating risks to privacy, human rights, security, and safe use.
Why does it matter?
The project targets one of the most sensitive areas of AI deployment: healthcare systems that rely on personal and health data. As clinical AI tools become more common, questions about data sources, consent, transparency, GDPR rights, and accountability will become central to whether patients can trust AI-supported healthcare.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
The Internet Watch Foundation (IWF) has announced a new partnership with Public Interest Registry (PIR) and the NetBeacon Institute aimed at strengthening efforts to identify and disrupt online child sexual abuse material (CSAM).
The initiative introduces a reporting mechanism that enables suspected child sexual abuse content to be reported through NetBeacon Reporter alongside existing DNS abuse categories, including phishing, malware and spam. Reports are forwarded to IWF analysts, who assess the material under UK law and initiate appropriate action when illegal content is confirmed.
The partnership also expands registrars’ access to IWF domain protection services. Through PIR sponsorship, registrars will be able to access IWF Domain Alerts and the Top-Level Domain Hopping List free of charge.
According to the organisations, the programme already covers approximately 55 million domains and is intended to make it more difficult for criminals to use domain infrastructure to host or distribute child sexual abuse material.
Why does it matter?
Child sexual abuse material remains a significant online safety challenge, requiring coordination across platforms, hosting providers, registries and registrars. Integrating CSAM reporting into existing DNS abuse workflows could help speed up the identification of illegal content and improve coordination between reporting mechanisms and domain operators.
The initiative also reflects growing efforts to use domain-level tools and threat intelligence services to disrupt the infrastructure that supports the distribution of harmful and illegal content online.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
The Aithos Research Foundation has launched Aithos LARA (Legal Assessment for Real-world Agents), a public evaluation framework designed to assess whether AI agents comply with key European legal requirements.
The framework places AI models in simulated workplace and consumer-service scenarios where completing assigned tasks may involve actions that conflict with provisions of the EU AI Act or the General Data Protection Regulation (GDPR).
According to Aithos, an initial evaluation involving more than 3,000 tests across 12 frontier AI models found that none consistently met acceptable levels of legal compliance. Compliance rates ranged from 7% to 54%, with the highest-performing model adhering to legal requirements in only slightly more than half of the assessed scenarios.
The research suggests that current frontier AI systems may prioritise task completion over legal obligations when operating with a high degree of autonomy.
Furthermore, the study assessed compliance with six provisions of the EU AI Act and four core GDPR principles, including transparency, lawful processing, data minimisation and purpose limitation.
Researchers reported instances in which models generated outputs that would conflict with some of the AI Act’s prohibited practices, including exploiting vulnerable individuals, conducting emotion recognition in workplace environments and engaging in forms of manipulation prohibited under European law.
To increase transparency, Aithos has made evaluation transcripts, model outputs and judicial assessments publicly available. The organisation argues that independent and public oversight can complement company-led governance efforts by providing greater transparency into how AI systems behave in legally and ethically sensitive contexts.
Why does it matter?
The findings highlight the challenges of deploying AI agents in regulated environments where legal compliance is essential. As organisations increasingly explore AI for customer service, human resources, finance and operational decision-making, ensuring that systems comply with data protection and AI regulations is becoming a key governance requirement.
The research also underscores the growing importance of independent testing and oversight mechanisms as policymakers and regulators seek to evaluate how autonomous AI systems behave in real-world scenarios.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
The Computers, Privacy and Data Protection (CPDP) conference is an annual gathering that brings together academics, policymakers, industry representatives, civil society, students, and EU institutions to discuss emerging digital policy challenges. This year’s theme was ‘Competing Visions, Shared Futures’, the 19th in the series, and it hosted approximately 150 panels over the span of 3 days in Brussels.
What is CPDP?
CPDP’s value lies in its multidisciplinary approach. With academics presenting their work or debating topical issues, as well as with industry and policy experts bringing their expertise to the table, the event creates a space for honest conversations among participants.
The conference is sponsored by organisations such as Google, TikTok, Apple, as well as the European Data Protection Supervisor (EDPS), European Union Agency for Fundamental Rights (FRA) and VBU. Google even presented its Banana AI model in a photo booth, allowing participants to modify photos they took in the booth.
Alongside panels, CPDP hosts an array of workshops, short films, artwork, radio programming, promotion booths, dedicated DPO, youth, finance and IT tracks, book launches, and pop-up exhibitions. The event always closes the day in style with an open bar and a party to chat and network at.
CPDP is not a typical conference with just panels, attendees, moderators, and lengthy speeches. The conference inspires creativity and gives the freedom to achieve it. This was proven by the diverse topics showcased in the event’s schedule over the three days.
From a fireside chat with the artist, Simon Denny, behind the conference’s art, who uses AI as a medium in some of his work, to typical discussions about the Digital Omnibus or tracking period apps, all the way to an exiled journalist talking about Russian internet censorship. There was something for everyone.
Image via Magnific
What was presented?
The breadth of topics discussed at CPDP offers insight into the issues currently shaping Europe’s digital policy agenda. There were approximately 150 panels in total, with data protection, AI, the Digital Omnibus and the topics of digital sovereignty receiving the most attention. Data protection received the most attention overall, as 33 panels were dedicated to the topic. This was followed by 26 panels on AI, 12 on the Digital Omnibus, 10 on digital sovereignty, and 7 on child-related protection.
The distribution of panels reflects the growing prominence of AI in digital policy discussions. However, data protection topics, including privacy and the GDPR, are still the frontrunners in terms of topic relevance. Newer and emerging topics reveal what is topical in the digital world.
Growing concerns over US tech reliance have intensified discussions about EU digital sovereignty. Alongside this, another heavily debated and sensitive topic is child protection in the online context and its generative AI implications, which raises questions about how to better protect children online.
Emerging topics at CPDP
Digital sovereignty is a challenging topic as it encompasses a lot and has yet to be defined, meaning that taking action can look different for a wide variety of actors. Several discussions framed digital sovereignty as a pathway towards greater digital independence and reduced reliance on external technology providers. In order to try to achieve digital sovereignty, public procurement should be steered away from non-EU actors and towards EU businesses to develop a European stack.
Yes, private partnerships are important, but public ones set the tone. Several participants argued that public procurement choices will play an important role in determining whether EU can strengthen domestic digital capabilities and reduce strategic dependencies. Digital sovereignty needs to come from all corners of the market and society; that is the challenge.
A very interesting panel on data protection and AI, the GDPR, and privacy occurred. In Academic Session I, Stephanie von Maltzan presented findings about her groundbreaking research on LLM unlearning. The larger the LLM, the more data points it will be trained on and the more complex its ‘web’ will be.
Removing data points is not a common practice, given how data points interact with each other, meaning that complexity overrides certain fundamental rights. For example, when data subjects invoke their right to erasure under Article 17 of the GDPR, they may request that certain data be deleted in an LLM, yet this request is difficult to carry out in practice.
The research highlights one of the emerging challenges at the intersection of AI governance and data protection. She presents a two tier model in which the actively deployed LLM is accompanied by a parallel ‘shadow’ model.
After receiving a valied erasure request, the ‘shadow model’ would undergo the necessary unlearning processes to remove the relevant data. In the second tier, in a scheduled update, the ‘shadow’ model, which had undergone unlearning, would replace the initial LLM, thereby upholding data subject requests.
Apart from these insightful exchanges of knowledge on AI, digital sovereignty and data protection, the conference offered practical workshops on how to brainstorm re-writing the proposed Article 88b of the Omnibus, data protection officer and cybersecurity crisis scenarios, as well as open conversations about how to protect children in online environments.
Remaining questions
The conference also highlighted several unresolved policy questions that continue to shape European digital governance debates.
Regarding the Digital Omnibus, would companies scale up overnight if we removed regulations?
Does digital sovereignty need/have a definition, or should it be left to the meaning of ‘digital independence’?
Open markets vs data protection, where is the balance?
Regarding digital sovereignty, which clouds should be used in the EU?
Should simplification mean using the once-used definition of personal data by the CJEU, or sticking to the definition relied on in law, cases, and practice?
In order to protect EU sovereignty, should parts of the stack be a public utility?
Why does it matter?
CPDP 2026 demonstrated that while privacy and data protection remain central pillars of European digital policy, debates around AI governance, digital sovereignty and online child protection are rapidly gaining prominence.
The discussions highlighted the growing challenge of balancing innovation, competitiveness, fundamental rights and strategic autonomy as Europe defines its digital future.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
Singapore’s Personal Data Protection Commission (PDPC) has launched a public consultation on proposed advisory guidelines governing the use of personal data in generative AI systems. Published on 2 June, the draft guidelines seek feedback on how Singapore’s Personal Data Protection Act (PDPA) applies when personal data is used in the development and deployment of generative AI systems.
The proposed guidelines address the collection and use of personal data for generative AI model development, the allocation of data protection responsibilities across the AI lifecycle, and the handling of individual rights requests relating to personal data. The guidance is organised around development, deployment, and post-deployment stages.
For model development, the draft guidelines clarify how organisations may rely on exemptions for publicly available information when using web-scraped datasets containing personal data. They also set out considerations for data behind digital barriers such as paywalls, registration requirements, authentication mechanisms, and tools that block automated access.
The PDPC proposes that general privacy notices should not be considered sufficient for obtaining consent to use personal data for large-scale AI training or fine-tuning. Organisations would instead be expected to provide AI-specific notices explaining the categories of personal data used, the purpose of the processing, the model’s intended functions, and how individuals can refuse or withdraw consent.
The proposed guidelines also outline responsibilities for model providers, system providers, and system deployers, including retention, protection, purpose limitation, and accountability obligations. The post-deployment guidance addresses access and correction requests while recognising technical challenges associated with large datasets, embeddings, temporary context windows and the removal of specific information from trained models. Interested parties may submit comments to the PDPC by 1 July 2026.
Why does it matter?
The consultation highlights the growing challenge of applying existing data protection laws to generative AI systems that rely on large-scale data collection and model training. Regulators worldwide are increasingly examining how privacy principles such as consent, transparency and purpose limitation should operate in AI development.
Singapore’s proposed guidance could provide an important reference point for organisations developing or deploying generative AI, particularly in areas such as web scraping, AI training datasets and the allocation of responsibilities across the AI value chain.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
The UK Government has announced an amendment to Ofcom’s Illegal Content Codes of Practice under the Online Safety Act, introducing new measures to tackle non-consensual intimate images. The update was outlined in by the Minister for AI and Online Safety, Kanishka Narayan.
The amendment requires relevant online services to use perceptual hash-matching technologies, or equivalent tools, to identify and prevent the re-upload of known non-consensual intimate images, including AI-generated intimate image deepfakes.
According to the government, the change strengthens the framework established by Ofcom’s Illegal Content Codes of Practice, which entered into force in 2025. The updated approach aims to ensure that once abusive content has been identified and removed, systems are in place to prevent it from being repeatedly shared.
The amendment has been laid before Parliament for scrutiny and will take effect if neither House objects. The government said the measure is intended to strengthen protections for victims, particularly women and girls, and forms part of the ongoing implementation of the Online Safety Act in the UK.
Why does it matter?
Governments and regulators are increasingly treating AI-generated intimate imagery as a form of image-based abuse alongside authentic non-consensual intimate content. As generative AI tools make it easier to create and distribute realistic deepfakes, policymakers are looking for mechanisms to prevent harmful content from repeatedly reappearing online.
The UK’s proposal reflects a broader trend towards requiring platforms to deploy technical measures that can identify and block known abusive content while strengthening protections for victims of online harms.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
Australia’s AI Safety Institute became operational on 2 June as the government seeks to strengthen public trust in AI development, deployment and governance. The announcement was made during the AFR AI Summit in Canberra, where the government described public trust as essential to building a domestic AI industry.
According to Assistant Minister for Science, Technology and the Digital Economy Hon Dr Andrew Charlton, Australia’s national AI plan rests on three pillars:
Capturing the opportunity
Sharing the benefits
Keeping Australians safe.
The AI Safety Institute is intended to support that effort by testing AI systems, assisting regulators and strengthening public confidence in the technology.
In his speech, Charlton also argued that Australia faces a choice between building a world-class AI industry or relying on foreign capability, while warning that low public trust could slow AI adoption and investment.
Charlton cited survey findings showing that only 30% of Australians believe the benefits of AI outweigh the risks, while 78% are concerned about potential negative impacts, and 36% say they trust the technology. It linked public scepticism to concerns that AI benefits may flow offshore while costs linked to jobs, privacy, power bills, and local communities are borne domestically.
Data centres were highlighted as an example of how trust considerations are shaping AI policy. The government said data-centre developers should contribute new renewable energy capacity, cover an appropriate share of transmission and distribution costs, engage with local communities and avoid creating pressure on water resources.
The AI Safety Institute will analyse and test AI models and applications, support regulators responding to emerging AI-related harms, and contribute to national and international discussions on safe AI development and governance. The speech also pointed to wider work on privacy reform, online safety, workplace impacts, competition, consumer issues, and public-sector AI adoption.
Why does it matter?
Australia is positioning trust as a key component of its AI strategy at a time when governments are balancing economic opportunities from AI with concerns about safety, privacy, employment and infrastructure impacts.
By creating a dedicated AI Safety Institute, Australia joins a growing number of countries establishing specialised institutions to evaluate AI risks, support regulators and build public confidence in the deployment of increasingly capable AI systems.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
