Privacy and data protection Archives | Digital Watch Observatory

Google proposes a balanced approach to AI governance in the US

Google has published a policy paper proposing a two-track approach to AI governance in the United States, separating oversight of frontier AI models from rules for widely deployed AI applications.

The paper argues that AI policy should avoid what Google describes as a false choice between over-regulation and no regulation. Instead, the company calls for a pragmatic, evidence-based framework that treats the most advanced AI systems differently from everyday AI tools such as chatbots.

For frontier AI, Google proposes the creation of a Frontier AI Regulatory Organisation, or FARO. The industry-funded body would operate under federal oversight and develop standards for safety, security, incident reporting and transparency.

Google says FARO could set scientific benchmarks for frontier capabilities, particularly in areas such as cybersecurity and chemical, biological, radiological and nuclear risks. It could also oversee independent audits and require frontier AI companies to publish and follow safety frameworks before releasing highly capable models.

For widely deployed AI applications, Google argues that the federal government should rely mainly on existing legal frameworks, with targeted updates where needed. The paper says policy should focus on real-world harms and outputs rather than micromanaging AI development.

The company identifies several priority areas, including workforce preparedness, child safety, information integrity, copyright, privacy and energy infrastructure for data centres.

Google supports measures such as AI interaction guidelines for children, disclosures that chatbots are not sentient, rules for self-harm-related queries, watermarking and provenance standards for generative AI, privacy-enhancing technologies and workforce reskilling.

The paper presents the model as a way to address national security and consumer protection risks while preserving US leadership in AI development.

Why does it matter?

Google’s paper is a significant industry intervention in the US AI policy debate. Its two-track model reflects a broader governance trend: frontier AI is increasingly being treated as a national security and safety issue, while everyday AI applications are being handled through consumer protection, child safety, privacy, copyright and labour policy. The proposal could influence federal discussions, but it also reflects Google’s own regulatory preferences, including industry-funded oversight, confidential audit reports and reliance on existing law for many AI applications.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ofcom strengthens online safety rules against cyberflashing and self-harm content

Ofcom has introduced stronger online safety measures requiring technology companies to take more robust action against cyberflashing and illegal self-harm content across dating, messaging and social media platforms.

The updated guidance builds on the UK’s Online Safety Act by expanding the obligations of online services to detect, moderate and reduce harmful content that disproportionately affects vulnerable users.

Under the revised measures, platforms must make it easier to report unsolicited sexual images, ensure moderation teams are adequately trained and resourced, remove illegal content more quickly and provide blocking and muting tools to help users manage unwanted interactions.

Companies must also strengthen safeguards against illegal self-harm content by reviewing recommendation algorithms, displaying crisis support information for relevant searches and improving reporting systems for harmful predictive search suggestions.

Ofcom also highlighted the growing threat posed by so-called ‘Com’ groups, criminal online networks that groom and manipulate victims into self-harm and other harmful behaviour.

Services offering direct messaging and presenting grooming risks will be expected to implement child safety defaults, ensuring minors can only receive messages from existing contacts. Additional measures targeting suicide and self harm content are expected later in 2026.

Technology companies must now review their online safety risk assessments and implement appropriate mitigation measures before the updated Codes take legal effect following parliamentary approval.

Ofcom said the strengthened framework reflects the evolving nature of online harms while reinforcing expectations that platforms proactively protect users from illegal and harmful content.

Why does it matter?

The updated Online Safety Codes reinforce a shift towards proactive platform accountability. Rather than relying primarily on user reports, online services are expected to identify risks, strengthen content moderation, improve safety-by-design features and reduce users’ exposure to illegal and harmful content before it spreads.

The measures also demonstrate how the UK is translating the Online Safety Act into detailed operational requirements. As regulators around the world consider similar approaches to platform governance, Ofcom’s implementation of risk assessments, child safety defaults and stronger moderation obligations could influence future online safety frameworks beyond the UK.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ireland expands Trusted Flagger network under the DSA

Ireland’s media regulator, Coimisiún na Meán, has granted Trusted Flagger status to three additional organisations under the EU Digital Services Act.

The Irish Internet Hotline, the Irish Music Rights Organisation and the Jewish Representative Council of Ireland will join the Central Bank of Ireland, which received Trusted Flagger status in 2025.

Each organisation will submit notices to online platforms within its area of expertise. The Irish Internet Hotline will report child sexual abuse material, non-consensual intimate image sharing, racism, xenophobia, financial scams and fraud. The Irish Music Rights Organisation will focus on copyright infringement, particularly music and lyrical copyright, while the Jewish Representative Council of Ireland will report illegal antisemitic material.

Under the Digital Services Act, Trusted Flaggers are recognised bodies that can notify platforms of illegal content. Platforms must give those notices priority and decide on them without undue delay, although the designation does not guarantee content removal.

Coimisiún na Meán said reports from Trusted Flaggers will also help identify online safety trends and support evidence-based supervision of online platforms.

To qualify, organisations must demonstrate expertise in detecting, identifying and notifying illegal content, operate independently from online platforms and carry out reporting activities diligently, accurately and objectively.

The three new accreditations will remain valid for 3 years and can be reviewed, revoked, or reassessed upon expiration of the accreditation period.

Why does it matter?

Trusted Flaggers are one of the practical enforcement mechanisms of the Digital Services Act. Ireland’s expansion of the network creates specialised reporting channels for different categories of illegal online content, including child sexual abuse material, non-consensual intimate images, scams, copyright infringement and antisemitic material. The model aims to improve the quality and speed of platform responses while keeping final moderation decisions with platforms under DSA procedures.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

EDPS strengthens monitoring of emerging technologies

The European Data Protection Supervisor (EDPS) has developed a structured framework for monitoring emerging technologies and assessing their implications for privacy and data protection. As digitalisation accelerates, the EDPS recognises that some new technologies do not merely improve existing processes but fundamentally alter how personal data is handled, requiring proactive and ongoing scrutiny.

At the heart of the framework is an annual monitoring cycle that moves from early signal detection to in-depth analysis and public engagement. The EDPS works with the Joint Research Centre’s TIM Analytics service to identify technologies at an early stage and prioritise those most likely to affect data protection over the short and medium term.

The main output of this foresight work is TechSonar, the EDPS’s flagship report on technologies expected to become relevant within the next one to five years. Designed for a broad audience, it outlines emerging technology trends and assesses their potential implications for personal data protection.

Complementing TechSonar, the TechDispatch series provides more detailed analysis of individual technologies, including factual descriptions, preliminary privacy assessments and consideration of how they interact with GDPR principles and data subject rights.

Complementing these publications is the Internet Privacy Engineering Network (IPEN), established by the EDPS in 2014. At least once a year, IPEN brings together public authorities, academics, open-source projects, and private businesses to discuss engineering solutions to privacy challenges, with findings feeding back into the broader technology monitoring work.

The EDPS also coordinates the Internet Privacy Engineering Network (IPEN), established in 2014, which brings together regulators, researchers, open-source communities and industry to discuss technical solutions to privacy challenges and feed those insights into its wider technology monitoring work. Recent activities have included a new video series on AI literacy and a newsletter covering AI governance, the Digital Omnibus debate, and AI use in hiring practices.

Why does it matter?

Emerging technologies such as AI are evolving faster than traditional regulatory processes, making early assessment increasingly important for protecting privacy and fundamental rights. By identifying technologies before they become mainstream, the EDPS aims to help policymakers, regulators and public institutions anticipate risks rather than respond only after new technologies are widely deployed.

The framework also supports greater consistency in European data protection governance. Through publications such as TechSonar and TechDispatch, together with collaboration via IPEN, the EDPS provides a common evidence base that can inform policy development, regulatory enforcement and privacy-by-design approaches across the EU as new technologies continue to emerge.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

EDPB updates right to erasure case digest

The European Data Protection Board has updated its one-stop-shop case digest on the GDPR rights to erasure and to object.

The digest is based on final one-stop-shop decisions from the EDPB’s public register under Article 60 of the GDPR. It presents key decisions on a specific theme and provides aggregate findings from relevant cross-border cases.

The updated digest focuses on how data protection authorities assess the internal processes organisations use to comply with erasure requests and objections to processing.

It also lists frequent infringements and provides an overview of corrective measures issued by data protection authorities. Cases include objections to direct marketing and requests by individuals to delete accounts or online data profiles.

The update reflects hundreds of new one-stop-shop decisions adopted by data protection authorities since the original digest was finalised.

The digest was developed under the EDPB’s Support Pool of Experts programme, which supports cooperation among European data protection authorities by providing expertise and enforcement tools.

Why does it matter?

The right to erasure and the right to object are among the GDPR rights most directly used by individuals to control how organisations handle their personal data. The updated digest can help regulators and organisations understand how data protection authorities apply these rights in practice, especially in cross-border cases. It also supports more consistent GDPR enforcement by highlighting recurring infringements, procedural weaknesses and corrective measures.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

IWF backs strengthened EU child protection rules on AI-generated abuse

The Internet Watch Foundation (IWF) has welcomed the political agreement on the revised EU Child Sexual Abuse Directive, saying the legislation marks an important step in strengthening Europe’s response to online child sexual abuse and exploitation.

The organisation says the updated rules address legal gaps created by emerging technologies, particularly the misuse of AI to generate child sexual abuse material.

The revised Directive introduces new criminal offences covering the design, adaptation, distribution and supply of AI systems intended to generate child sexual abuse material. It also criminalises the possession of AI-generated abuse content and materials that provide instructions for committing child sexual abuse.

The revised rules also strengthen protections against online grooming, including cases in which offenders falsely present themselves as children or peers, and extend limitation periods to give survivors more time to pursue justice.

The IWF argues that the legislation reflects the rapidly evolving threat posed by generative AI.

According to the IWF, realistic AI-generated child sexual abuse material increased sharply during 2025, with analysts reporting that many synthetic images and videos are becoming increasingly difficult to distinguish from authentic abuse material.

IWF warns that technological advances are accelerating the scale and sophistication of online child exploitation.

Following the political agreement, the IWF has urged EU member states to transpose the Directive into national law promptly, arguing that timely implementation will strengthen legal protections and law enforcement capabilities across the EU. The organisation argues that timely transposition will be essential to ensure stronger legal protections, improve law enforcement capabilities and reduce opportunities for offenders to exploit AI technologies across the EU.

Why does it matter?

The revised Directive reflects how advances in generative AI are reshaping criminal law and child protection policy. By introducing offences specifically targeting AI systems designed to generate child sexual abuse material, the EU is adapting its legal framework to address emerging forms of technology-enabled exploitation.

The agreement also highlights the growing need for legal systems to evolve alongside AI capabilities. Alongside new offences, the Directive strengthens protections for victims and expands tools available to law enforcement, illustrating how governments are updating criminal legislation to respond to increasingly sophisticated forms of online abuse while seeking greater consistency across EU member states.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Canadian cybersecurity agency warns AI is reshaping cyber threats

Canada’s Centre for Cyber Security has warned that frontier AI models are rapidly transforming the cyber threat landscape, reducing the time organisations have to detect, contain and respond to attacks.

According to the Cyber Centre, AI is enabling cybercriminals to identify vulnerabilities, automate complex attack chains and generate increasingly convincing phishing campaigns, deepfakes and voice impersonation attacks at unprecedented speed and scale.

The advisory follows a joint statement by the Five Eyes cybersecurity agencies urging organisations worldwide to strengthen cyber resilience before AI-enabled attacks evolve into major operational, financial and national security incidents.

The Cyber Centre also highlights internal risks associated with unapproved AI use, including the exposure of sensitive information and reliance on inaccurate or manipulated AI-generated outputs.

Rather than viewing AI solely as a source of risk, the Cyber Centre encourages organisations to integrate frontier AI into cybersecurity operations. AI can help identify vulnerabilities earlier in software development, strengthen secure-by-design practices, improve security monitoring and accelerate incident detection and response.

The guidance emphasises that fundamental cyber hygiene, including timely patching, phishing-resistant multi-factor authentication, network segmentation, centralised logging and regularly tested incident response plans, remains essential despite rapid advances in AI capabilities.

Why does it matter?

The guidance reflects a shift in cybersecurity from preparing for future AI risks to responding to immediate operational challenges. As frontier AI enables attackers to identify vulnerabilities, automate exploitation and produce more sophisticated phishing and social engineering campaigns, organisations may have less time to detect and contain incidents.

The advisory also reinforces an emerging consensus among the Five Eyes partners that AI should be treated as both a cyber risk and a defensive capability. Alongside robust governance and responsible AI use, organisations are increasingly expected to combine AI-enabled security tools with strong cyber hygiene, secure-by-design practices and resilient incident response capabilities to keep pace with a rapidly evolving threat landscape.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

UN to honour digital and AI-powered public service innovations

The United Nations Department of Economic and Social Affairs (UN DESA) will honour 12 public sector initiatives at the 2026 UN Public Service Awards for advancing the Sustainable Development Goals through more inclusive, transparent and participatory public services.

The awards attracted more than 700 applications from 62 countries and recognise projects ranging from digital document verification and public procurement monitoring to improving education access and supporting coastal women.

According to UN DESA, several winning initiatives leverage digital government tools, information and communication technologies (ICTs) and AI to improve service delivery and strengthen public administration capacity.

The awards ceremony will be held during the UN Public Service Forum in Tbilisi, Georgia, following the commemoration of UN Public Service Day.

Why does it matter?

The awards highlight how governments are increasingly using digital technologies and AI to improve public service delivery, strengthen administrative capacity and advance sustainable development objectives. From digital verification systems to more transparent procurement processes, technology is becoming an important tool for making public institutions more efficient, accountable and accessible.

The initiative also demonstrates the growing role of digital transformation in achieving the Sustainable Development Goals. By recognising successful public-sector innovations from around the world, the awards provide examples of how governments can use technology to address social, economic and governance challenges while promoting inclusion, transparency and citizen participation.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Digital trade agreement gains legal backing in Kyrgyzstan

Kyrgyz President Sadyr Japarov has signed a law ratifying the Digital Economy Partnership Agreement between member states of the Organisation of Turkic States.

The Jogorku Kenesh adopted the law on 3 June 2026 and approved the agreement signed in Bishkek on 6 November 2024. The presidential administration said it was the first law signed in a fully digital format in Kyrgyzstan.

The agreement aims to strengthen trade relations among Turkic states through e-commerce and broader digital-economy cooperation. It also seeks to increase consumer confidence in digital services and online transactions.

The partnership covers areas including electronic commerce, consumer protection in online trade, express delivery services, personal data protection and cooperation between business communities involved in e-commerce.

The move forms part of Kyrgyzstan’s wider digital transformation agenda and adds legal backing to a regional framework for digital trade cooperation among OTS members.

Why does it matter?

The ratification supports efforts to align digital trade rules among Turkic states and make cross-border e-commerce more predictable. The agreement is relevant because it links digital economy cooperation with consumer protection, data protection and delivery infrastructure, areas that are essential for trust in online trade. It also shows how regional organisations are developing their own digital trade frameworks alongside larger global and Asia-Pacific digital economy agreements.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

EU drops browser-based cookie consent proposal from Digital Omnibus

The European Commission had proposed replacing cookie banners with an automated browser-based privacy signal as part of its ‘Digital Omnibus’ package, a move that would have allowed devices to communicate users’ tracking preferences directly to websites. The plan, outlined in Article 88b of the GDPR, was intended to cut red tape and reduce the burden on consumers navigating consent requests across the web.

According to digital rights organisation noyb, cookie banners were not created by data protection law but emerged as a mechanism for the online advertising industry to obtain users’ consent for data sharing with third parties. Studies suggest only 3 to 10 per cent of users actually wish to be tracked, yet so-called dark patterns, such as hidden ‘no’ buttons and pre-ticked boxes, allow the industry to achieve consent rates of up to 90 per cent. Across more than 450 million EU citizens, this results in billions of unnecessary clicks each year.

According to noyb, a lobbying document submitted by Google argued that removing cookie banners would effectively halt all online advertising, citing figures that the European Commission has since described as highly exaggerated. The Commission had made clear that consent would still be possible on a per-website and per-purpose basis, meaning users could grant access to specific outlets while withholding it from others. Google’s paper also claimed that media outlets would be harmed, despite the fact that they are explicitly exempt from the proposed provision.

According to noyb, the lobbying campaign appears to have influenced the legislative process. In the Council’s position paper of 18 June 2026, Article 88b was removed entirely from the Digital Omnibus. Noyb added that Germany, France, and Poland were among the member states supporting the article’s removal following lobbying by the online advertising industry.

The outcome is particularly striking given that many of the same member states have long called on the EU to simplify regulation and cut red tape. noyb, the European digital rights organisation, has described the result as a victory for lobbying over public interest, noting that the majority of EU citizens have consistently expressed frustration with cookie banners.

The European Parliament has not yet taken a position on Article 88b, and negotiations between the Parliament and the Council are ongoing. Noyb has urged the European Parliament to support reinstating Article 88b during the next stage of negotiations.

Why does it matter?

The debate highlights the growing tension between digital simplification efforts, privacy protection and the economic interests of the online advertising ecosystem. Browser-based privacy signals have long been discussed as a way to reduce repetitive consent requests while preserving users’ ability to decide when and how their personal data may be used.

The proposal’s removal also illustrates the influence that industry stakeholders can have during the EU legislative process. Whether Article 88b is reinstated during negotiations with the European Parliament could shape the future of online consent management in Europe, affecting digital advertising, user experience and the practical implementation of data protection rules.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!