EDPB orders Belgian regulator to examine VRT cookie complaint

The European Data Protection Board (EDPB) has instructed the Belgian Data Protection Authority to examine a complaint about VRT cookie banners on its merits rather than dismissing it as an alleged abuse of rights under the GDPR.

The EDPB published its binding decision of 28 May 2026 following a dispute between the Belgian and Austrian data protection authorities. The case concerns cookie banners used by Belgium’s public broadcaster, Vlaamse Radio-en-Televisieomroeporganisatie (VRT).

Austrian privacy organisation Noyb lodged the complaint with the Austrian Data Protection Authority on behalf of an individual. Because VRT is based in Belgium, the Belgian authority acted as the lead supervisory authority under the GDPR’s one-stop-shop mechanism.

The Belgian regulator proposed dismissing the VRT cookie banner complaint, arguing that the complainant had abused the rights provided under Articles 77 and 80(1) of the GDPR.

The Austrian DPA objected, arguing that the complaint should not be rejected on procedural grounds. Instead, it said the Belgian authority should assess the substance of the allegations and determine whether VRT’s cookie banners complied with the GDPR.

After the Belgian DPA declined to follow the objection, it referred the dispute to the EDPB under Article 65(1)(a) of the GDPR.

The EDPB concluded that the Austrian authority’s objection was both relevant and reasoned. Applying the Court of Justice of the European Union’s test for abuse of rights, the Board found that neither the objective nor the subjective element required to establish abuse had been demonstrated.

The decision does not determine whether VRT’s cookie banners violate the GDPR. Instead, it requires the Belgian DPA to assess the complaint on its merits and submit a new draft decision to the other supervisory authorities involved under Article 60(3) of the GDPR.

Why does it matter?

The decision reinforces the principle that GDPR complaints should generally receive a substantive assessment rather than being dismissed on procedural grounds without clear evidence of abuse. It also clarifies the high threshold regulators must meet before concluding that individuals have misused their rights under the GDPR.

The ruling further strengthens the GDPR’s cross-border enforcement system by confirming the role of the EDPB in resolving disputes between national data protection authorities and promoting consistent application of EU data protection law.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

European Parliament committee backs stronger online protections for children

The European Parliament’s Committee on Culture and Education has adopted a report calling for stronger enforcement of existing EU digital legislation to create a safer online environment, particularly for children and young people.

MEPs argue that platforms should be held more accountable for the impact of their services through stronger safeguards, greater algorithmic transparency and stricter protections against addictive digital design.

The European Parliament report calls for a ban on the most harmful addictive platform features and supports introducing a dedicated ‘youth mode’ that would disable targeted advertising and reduce minors’ exposure to addictive design practices.

MEPs also propose greater transparency around recommender systems so users can better understand why content is promoted, restricted or removed. They further suggest introducing personal liability for serious and persistent failures to comply with child protection obligations.

Beyond platform design, the report recommends an EU-wide code of conduct for influencers and stronger safeguards against practices such as kidfluencing and sharenting, where children are used in commercial content or exposed excessively online.

MEPs also call for mandatory ethical standards for AI companions, greater transparency around AI model training, measures against AI-generated impersonation scams, stronger protection against synthetic child sexual abuse material, and systematic monitoring of children’s digital habits across the EU.

The committee said these measures should complement existing legislation, including the Digital Services Act, AI Act, GDPR and Audiovisual Media Services Directive, creating a more coherent EU framework for protecting minors online. The report will now be submitted to Parliament’s plenary session in September 2026.

Why does it matter?

The report signals growing political support for strengthening children’s online safety by making platforms more accountable for the design and operation of their services. Rather than relying solely on new legislation, MEPs are urging stronger enforcement of existing EU rules alongside targeted measures addressing addictive design, recommender systems and AI-powered services.

Although the report is not legally binding, it could influence future EU legislation and enforcement priorities by reinforcing the shift towards safety-by-design, greater transparency and stronger protections for minors across digital platforms.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

AI is beginning to carry out live cyberattacks, Check Point warns

AI is moving beyond assisting cybercriminals to carrying out operational tasks during live intrusions, according to Check Point Research’s Annual AI Security Report 2026.

The report argues that AI-enabled cyber operations are entering a new phase in which AI systems can execute parts of an attack rather than simply helping attackers write code, research targets or prepare phishing campaigns. The shift could make cyber operations faster and less dependent on continuous human oversight.

Check Point said it observed AI carrying out hands-on tasks during incidents ranging from China-linked campaigns to a criminal breach affecting several Mexican government agencies. According to the company, these capabilities are spreading beyond state-backed actors to financially motivated cybercriminals.

AI is also being used to create deployment-ready malware and offensive frameworks. One developer reportedly used an AI coding environment to build VoidLink, an 88,000-line command-and-control framework, in less than a week. Check Point noted that AI involvement may be difficult to identify once the finished tool is deployed.

According to the report, attackers increasingly favour commercial AI models over self-hosted alternatives. Rather than relying solely on jailbreak prompts, some are targeting agentic architectures by planting configuration files that AI agents continue to trust across multiple sessions.

The market supporting AI cyberattacks is also becoming more established. Check Point identified phishing-as-a-service products that embed language models with built-in restrictions bypasses, alongside conversational voice-agent services used for vishing and one-time-password theft.

The report warns that synthetic identities are weakening traditional trust signals. Convincing imitations of voices, faces, identity documents, and live video can now be combined across multiple channels, making social engineering operations more coordinated and harder to detect.

AI systems themselves are also emerging as an important attack surface. Models may struggle to distinguish instructions from the content they process, allowing attackers to manipulate AI agents through malicious files, webpages and other external data sources.

Indirect prompt injection is emerging as one of the most important threats to AI systems. Check Point said detections of longer malicious payloads increased roughly fivefold between March and May 2026, reaching close to 1% of observed prompts. Longer payloads are commonly associated with content-based and agentic attack paths.

Enterprise data leakage through generative AI also remains a growing concern. The share of prompts classified as high risk doubled from 2% to 4% over the previous year, while organisations used an average of ten AI applications each month, including tools that had not received official approval.

Exposure varied considerably by sector. Business services recorded the highest rate of high-risk generative AI prompts, at 5.91%, meaning approximately one in every 17 interactions presented a significant risk of exposing sensitive information.

The findings suggest organisations must prepare for threats from two directions: adversaries using AI to automate cyber operations and employees or AI systems exposing sensitive data through insecure adoption.

Why does it matter?

The report suggests AI is reshaping cybersecurity on both sides of the equation. Attackers are increasingly using AI to automate complex tasks, while organisations adopting AI are creating new attack surfaces and data security risks.

As AI systems become more autonomous, cybersecurity strategies will need to extend beyond traditional endpoint and network protection to include AI agents, model security, prompt injection defences, identity verification and governance over how AI is deployed across the enterprise.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Two in five UK children say they bypass online age checks

Nearly two in five UK children aged 11 to 17 say they have successfully bypassed an online age check, according nationally representative research commissioned by the Department for Science, Innovation and Technology (DSIT).

The study surveyed 2,299 children in May 2026 to examine their experiences with age assurance, VPN use and methods of bypassing age checks. It also included an additional sample of recent VPN users.

Overall, 39% said they had successfully bypassed an age check at least once, while another 14% had tried unsuccessfully. Success rates rose from 28% among 11- to 12-year-olds to 43% among older teenagers.

Many children avoided age checks altogether by choosing websites, apps or games that either had no age verification or appeared easy to bypass. Among those who successfully circumvented checks, 63% said they simply pretended to be older, most commonly by entering a false date of birth.

Most successful circumvention involved simple self-declaration systems such as tick boxes and date-of-birth fields, which children also rated as the least effective.

By contrast, 86% of respondents who had encountered government ID verification considered it effective, while third-party identity services, payment card verification and facial age estimation also received substantially higher ratings.

Privacy was the most common reason for using a VPN. However, 22% of VPN users said they had used one to access age-restricted websites, apps or games, equivalent to 7% of all children surveyed.

Parents were involved in some VPN use. Among children who had used one, 22% received help from a parent to set it up, while 43% of current users said a parent paid for the service. However, older teenagers were more likely to install VPNs without parental knowledge.

Friends were the main source of information about bypassing age checks, cited by half of children who had done so. Practical consequences appeared to be the strongest deterrents, including harder-to-defeat checks, permanent account bans, and notifying parents about circumvention attempts.

The report also found an association between bypassing age checks and exposure to harmful content. Among children who had circumvented age checks, 51% reported later encountering at least one form of harmful material, including explicit content, contact from unknown adults and requests for personal information.

The researchers cautioned that the findings rely on self-reported behaviour and do not establish that VPN use or circumvention directly caused exposure to harmful content.

Why does it matter?

The findings suggest that basic self-declaration systems provide limited protection for children and are easily circumvented. As regulators increasingly require stronger age assurance under frameworks such as the UK’s Online Safety Act, the challenge will be deploying systems that are both effective and proportionate while protecting users’ privacy.

The research also highlights that technology alone is unlikely to solve the problem. Children’s motivations, platform design, parental involvement and digital literacy all influence whether age restrictions are respected, suggesting that meaningful online safety will require a combination of technical safeguards, regulation and education.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Greece adds digital passport to Gov.gr Wallet

The Greek Ministry of Digital Governance and Artificial Intelligence has added the national passport to the Gov.gr Wallet, allowing citizens with active ordinary passports to store a secure digital version on their mobile devices.

The digital passport can be used for identification and as a travel document within Greece. Diplomatic and service passports are not currently supported.

The passport becomes the thirteenth document available through the Gov.gr Wallet, joining digital identity cards, driving licences, disability cards, unemployment cards, academic IDs, insurance information, vehicle records, driver penalty points, pet records, the Athens Ring Road permit and the Real Estate File.

According to the Ministry, more than 2.5 million digital identity cards and almost 2 million digital driving licences have already been added to the application.

The Gov.gr Wallet is available on both Android and iOS devices through wallet.gov.gr. The service was developed by the General Secretariat for Information Systems and Digital Governance and GRNET, in cooperation with the Ministry of Citizen Protection and the Hellenic Police.

Citizen data is retrieved through the government’s Interoperability Centre.

Why does it matter?

The addition of the passport further expands Greece’s digital identity ecosystem and reflects the country’s continued investment in digital public services. By enabling citizens to carry more official documents securely on their mobile devices, the government is reducing reliance on physical credentials while improving access to public services.

The initiative also aligns with wider European efforts to strengthen digital identity infrastructure. As more governments develop interoperable digital wallets and electronic identity systems, mobile credentials are expected to play an increasingly important role in public administration and cross-border digital services.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Saudi Arabia launches AI tool for national data insights

Saudi Arabia’s Ministry of Economy and Planning has launched the beta version of INSAIGHTS, an agentic AI tool integrated into the Data Saudi Platform. The system is designed to improve how users access, analyse, and interact with national economic and social data.

INSAIGHTS allows users to convert questions into instant insights and analytics by drawing on more than 7,500 indicators available through the platform. The tool aims to support decision-makers, researchers, analysts and the public with faster access to reliable information for data-driven decisions.

The launch forms part of Saudi Arabia’s wider digital transformation agenda under Vision 2030 and the National Transformation Program. The Ministry plans to continue expanding the tool’s capabilities while using emerging technologies to improve transparency, innovation and user experiences across its digital ecosystem.

Why does it matter?

The INSAIGHTS highlights Saudi Arabia’s growing focus on AI as a tool to improve public data accessibility and strengthen evidence-based decision-making. By combining AI capabilities with extensive national datasets, the platform could help organisations and individuals extract insights more efficiently.

The initiative also demonstrates how governments are increasingly adopting agentic AI systems to enhance digital services and economic planning. As the technology develops, platforms like INSAIGHTS may become important models for using AI to improve transparency, research capabilities and public-sector innovation.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Ofcom proposes tougher rules on scam ads

Ofcom has proposed new rules requiring major online platforms to do more to prevent scam advertising, including verifying advertisers, blocking repeat fraudsters and making fraudulent adverts easier to report.

The draft Fraudulent Advertising Code is being developed under the UK’s Online Safety Act and would apply to some of the country’s largest social media platforms, search engines and other online services.

According to Ofcom, more than half of UK adults have encountered potentially fraudulent adverts online, while victims lose an estimated £200 million each year. The regulator said online platforms have not done enough to stop criminals exploiting their advertising systems.

The proposed code sets out nearly 40 measures, including banning accounts that publish scam adverts, preventing repeat offenders from opening new accounts, verifying the identity of advertisers and confirming that firms promoting banking or investment services are properly authorised.

Platforms would also be expected to strengthen account security, reduce the risk of account hijacking, test AI-powered advertising tools against misuse and establish dedicated reporting channels for trusted organisations, including law enforcement agencies, to flag fraudulent adverts for rapid removal.

Ofcom also wants platforms to use proactive technologies to detect and block fraudulent advertising before it reaches users. A separate consultation on those proposals is expected this autumn alongside a broader package of online safety measures.

The consultation remains open until 2 October, with final decisions expected next year. Once approved by Parliament, companies that fail to comply could face fines of up to £18 million or 10% of global annual revenue, whichever is higher.

Alongside the advertising proposals, Ofcom also published draft rules for Category 1 services under the Online Safety Act. These include stronger protections for journalistic content and democratic debate, improved user controls over harmful content, more effective complaints procedures and greater transparency through published risk assessment summaries.

Why does it matter?

The proposals would expand platform responsibility beyond user-generated content to the advertising systems that increasingly enable online fraud. By introducing requirements for advertiser verification, proactive detection and stronger enforcement against repeat offenders, Ofcom is seeking to make scam prevention a core responsibility of online platforms rather than relying primarily on users to identify fraudulent adverts.

The draft code also reflects a broader regulatory trend towards greater accountability for digital advertising ecosystems. As AI-generated content and increasingly sophisticated scams become more common, regulators are placing greater emphasis on platform governance, advertiser verification and proactive risk management.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

New York City targets junk fees and subscription traps

New York City has introduced two major consumer protection measures targeting hidden charges and difficult subscription cancellations, combining mandatory all-in pricing with new ‘Click-to-Cancel’ requirements.

The Click-to-Cancel rule will take effect on 1 October 2026, making New York City the first municipality to require businesses to offer subscription cancellations that are as simple as sign-up. Companies must clearly disclose subscription terms and provide straightforward cancellation mechanisms, ending practices that rely on confusing procedures or hidden recurring charges. According to the Roosevelt Institute, the rule could save New Yorkers between $21.5 million and $162.5 million each year.

The proposed Junk Fees rule would require businesses to display the full price upfront, including all mandatory charges. Companies would be prohibited from advertising misleading prices and would have to include service and processing fees in advertised prices. Businesses that violate either rule could face consumer restitution and civil penalties starting at $525 per violation.

Consumer Reports estimates that hidden fees cost the average family of four around $3,200 annually. The Department of Consumer and Worker Protection has published guidance explaining the proposed all-in pricing rules, with public consultation remaining open until a hearing on 7 August.

Why does it matter?

The measures reflect a growing regulatory effort to tackle so-called ‘dark patterns’—design practices that make prices harder to understand or subscriptions more difficult to cancel. By requiring transparent pricing and straightforward cancellation, New York City is shifting responsibility from consumers to businesses to ensure commercial practices are fair by design.

The rules could also influence wider consumer protection policy. As many companies operate nationally or globally, local requirements on pricing transparency and subscription management may encourage businesses to adopt similar practices across multiple markets, potentially shaping future regulation in other jurisdictions.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Cybercrime accounts for one in five crimes in Spain

Spain recorded 488,426 cybercrimes in 2025, accounting for 19.8% of all reported crime, according to the Spanish Ministry of Interior’s latest Cybercrime Report. The figure shows a 5.1% increase from 2024, demonstrating the growing threat of digital crime nationwide.

Computer fraud and online scams continued to dominate cybercrime, accounting for nearly nine in ten reported offences with 429,677 cases. Internet-related forgery increased by 11.3% to 21,690 cases, while sexual offences rose by 21% and illegal access or interception offences surged by 40.7%, highlighting the growing diversity of cybercriminal activity.

The number of cybercrime victims reached 383,285, up 9.3% from 2024. People aged 51 to 65 were the most frequently targeted, particularly through credit card fraud and travel cheque scams, accounting for 146,737 victims. Although most victims were male, the types of cybercrime varied considerably across age groups and demographics.

Critical infrastructure operators experienced 90 cyberattacks in 2025, a 43.8% decrease from the previous year. The transport sector accounted for 42.2% of incidents, followed by the information and communications technology sector with 15.5%.

Why does it matter?

The report shows that cybercrime has become a mainstream form of criminal activity, accounting for nearly one in five reported offences in Spain. The continued growth in fraud, online scams and unauthorised access highlights how digital crime is evolving alongside greater reliance on online services by individuals, businesses and public institutions.

Although attacks on critical infrastructure declined, the overall increase in cybercrime and victim numbers suggests that law enforcement and cybersecurity authorities will need stronger investigative capabilities, cross-border cooperation and preventive measures to keep pace with increasingly sophisticated digital threats.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

European Commission panel recommends social media restrictions for under-13s

A special panel convened by the European Commission has recommended restricting access to social media and other high-risk digital services for children under 13, arguing that platforms should prove they are safe before minors are allowed to use them.

The report was prepared by the co-chairs of the Special Panel on Child Safety Online, Prof. Dr. Jörg M. Fegert and Dr. Maria Melchior, whom European Commission President Ursula von der Leyen appointed in March 2026 to advise on child safety online and possible age restrictions for social media.

The panel met three times between March and June 2026 to examine scientific evidence on the impact of social media and digital environments on minors, review existing EU and national rules, and develop recommendations to better protect and empower children online.

The report uses the term ‘social media+’ to describe social media and other digital services that expose minors to potentially harmful features, including addictive design, infinite scroll, autoplay, recommender systems, persistent notifications, AI companions, video games and video-sharing platforms.

The co-chairs argue that providers, not children or parents, should bear the burden of demonstrating that their services are safe by design and appropriate for young users. Until then, they recommend restricting access for children under 13, while allowing member states to introduce additional precautionary measures for older adolescents if needed.

The recommendations also call for proportionate age-assurance systems, stronger safety-by-design requirements, limits on addictive platform features, more effective complaints mechanisms for minors and stronger enforcement of existing EU legislation, including the Digital Services Act, GDPR and AI Act.

The report also urges the EU to close legislative gaps on child sexual abuse online by adopting permanent obligations requiring providers to prevent, detect, report and block abuse, including in interpersonal communications.

Beyond restrictions, the report emphasises digital empowerment through stronger media literacy for children, parents, teachers and caregivers, greater participation by young people in policymaking, improved parental guidance, increased support for civil society organisations and helplines, and more investment in offline activities such as sports, arts and youth spaces.

The report concludes that protecting children online requires an ecosystem-wide approach involving regulators, digital service providers, educators, parents, caregivers and children themselves. It argues that children’s rights should apply online just as they do offline, balancing protection with opportunities to learn, participate and communicate.

Why does it matter?

The report could significantly influence future EU policy on children’s access to digital services, platform design and online safety. By recommending a default restriction for children under 13 and placing responsibility on providers to demonstrate that their services are safe, it shifts the debate away from parental responsibility towards platform accountability.

Although the recommendations are not legally binding, they are likely to inform future discussions on the Digital Services Act, the AI Act and wider EU child protection policies. If adopted, they could reshape how online platforms design services for younger users across Europe.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!