LinkedIn faces allegations over data access practices

Privacy rights group noyb has filed a complaint against LinkedIn, alleging that the platform restricts access to certain user data by placing it behind a paid Premium subscription.

The complaint centres on LinkedIn’s ‘Who’s viewed your profile’ feature, which shows users who have visited their profile. According to noyb, LinkedIn tracks profile visits and makes detailed visitor information available to Premium subscribers, while refusing to provide the same data free of charge when users submit an access request under Article 15 of the GDPR.

Noyb argues that users have the right to receive their own personal data free of charge under the EU data protection rules. The organisation claims that LinkedIn has cited data protection concerns when refusing access requests, despite making similar information available through its paid subscription service.

The complaint was lodged with the Austrian Data Protection Authority and seeks enforcement action requiring LinkedIn to provide the data requested, as well as potential penalties. Noyb also questions whether LinkedIn’s tracking of profile visits complies with the EU consent requirements.

LinkedIn has reportedly denied the allegations, saying it complies with applicable rules and provides relevant information in accordance with its privacy policies.

The case adds to ongoing scrutiny of how digital platforms handle data access rights in the EU, particularly when information collected about users is also used for paid services.

Why does it matter?

The complaint tests whether platforms can monetise access to information that may also fall under users’ GDPR right of access. If regulators side with noyb, the case could affect how subscription-based platforms structure premium features that involve personal data, especially when the same data is withheld from non-paying users who make formal access requests.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

EESC backs revised Cybersecurity Act with warnings on ENISA and supply chains

The European Economic and Social Committee has backed the EU’s proposed revision of the Cybersecurity Act, supporting reforms to ENISA, the cybersecurity certification framework and ICT supply-chain security, while warning that the next phase of the EU cyber policy must remain workable in practice.

In its opinion, the committee argues that cybersecurity and ICT supply-chain security should not be treated as narrow technical questions. Instead, it presents them as matters of economic security and geopolitical resilience, closely linked to the EU’s competitiveness, legal certainty and broader resilience.

The opinion welcomes the European Commission’s attempt to update the Cybersecurity Act and align related rules under NIS 2, particularly where the package aims to simplify compliance and reduce overlapping obligations. At the same time, the committee says that a stronger ENISA will require stronger backing. If the agency is expected to take on more responsibilities, those tasks should come with adequate resources, specialist staff and a mandatory workforce plan.

The committee also supports a single-entry point for incident reporting. It says parallel reporting requirements under NIS 2, DORA and sector-specific rules should be streamlined so that one comprehensive report can serve all relevant regulatory regimes.

On ICT supply-chain security, the opinion supports a structured EU framework for identifying key assets and addressing high-risk suppliers. However, it warns that restrictions and phase-outs should be transparent, proportionate and supported by realistic transition plans that account for replacement timelines, service continuity, costs, labour-market effects and the risk of shifting compliance burdens onto smaller firms outside the regulation’s scope.

The committee also calls for the cyber debate to address democratic resilience. A proposed amendment would give ENISA a clearer role in supporting election security, democratic resilience and public awareness of cyber threats, disinformation and safe digital behaviour.

Why does it matter?

The opinion supports a more centralised and strategic EU cybersecurity framework, but also highlights the practical risks of expanding cyber regulation faster than institutions and companies can implement it. The debate around ENISA’s mandate, incident reporting and ICT supply-chain restrictions will shape how far the EU can strengthen cyber resilience without creating fragmented obligations or disproportionate burdens for smaller firms.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Singapore Ministry of Health addresses AI-developed drugs and patient data safeguards

Singapore’s Ministry of Health has said that drugs developed with the use of AI will be subject to the same regulatory expectations as conventionally developed medicines, including requirements on quality, safety and efficacy.

The ministry made the statement in response to a parliamentary question on the regulation of AI-developed drugs, clinical trials and safeguards for patient data used in AI-related healthcare innovation.

It said the Health Sciences Authority’s approach is aligned with international regulatory principles on the responsible use of AI in drug development, including those outlined by the US Food and Drug Administration and the European Medicines Agency.

The ministry also said that patient data used for AI development is covered by existing data protection and cybersecurity safeguards, including obligations under Singapore’s Personal Data Protection Act to maintain patient confidentiality and prevent data leakage.

Authorities will continue to monitor developments in AI-related healthcare innovation and strengthen safeguards where necessary.

Why does it matter?

The response signals that Singapore is not creating a separate, lighter pathway for AI-developed medicines, but is applying existing drug safety standards while monitoring how AI changes research, development and clinical use. The issue is relevant for digital health governance because AI in drug development depends not only on regulatory approval of final products, but also on the protection of patient data used to train, test or validate health-related AI systems.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

French CNIL hosts global privacy talks in Paris

The French Commission Nationale de l’Informatique et des Libertés will host the G7 roundtable of data protection and privacy authorities in June 2026. The meeting aims to strengthen international cooperation amid rapid digital and AI developments.

The roundtable, created in 2021, brings together data protection authorities from G7 countries and the EU. It focuses on sharing legal and technological developments and encouraging coordinated approaches to common challenges.

Key areas of work for 2026 include emerging technologies, enforcement cooperation and the free flow of data. The discussions are expected to address growing concerns about data protection amid expanding AI use.

The CNIL stated that the French presidency will prioritise dialogue and practical cooperation, aiming to support global governance that respects fundamental rights, and that the event will take place in Paris.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

OpenAI found non-compliant in Canadian ChatGPT privacy probe

Canada’s federal and provincial privacy regulators have found that aspects of OpenAI’s collection, use, and disclosure of personal information through ChatGPT did not comply with applicable private-sector privacy laws, particularly in relation to model training on publicly accessible online data and user interactions.

The joint investigation was conducted by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, and the privacy commissioners of British Columbia and Alberta.

It examined OpenAI’s GPT-3.5 and GPT-4 models as used in ChatGPT, focusing on whether the company’s handling of personal information from public internet sources, licensed third-party datasets, and user interactions met legal requirements on appropriate purposes, consent, transparency, accuracy, access, retention, and accountability.

The regulators accepted that OpenAI’s overall purposes for developing and deploying ChatGPT were legitimate and appropriate. However, they found that the company’s initial collection of personal information from publicly accessible websites and licensed third-party sources for model training was overbroad and therefore inappropriate, given the scale, sensitivity, and potential inaccuracy of the data involved, as well as the limits of the mitigation measures in place at the time.

The Offices also found that OpenAI failed to obtain valid consent to collect and use personal information from public internet sources to train its models. They concluded that implied consent was not sufficient because the data could include sensitive personal information and because individuals would not reasonably have expected information about them posted online to be scraped and used for AI model training in this way.

On user interactions with ChatGPT, the regulators accepted that using some chat data for model improvement could serve OpenAI’s legitimate purposes. Still, they found that express consent should have been obtained.

They said OpenAI’s safeguards at the time were not strong enough to ensure that sensitive personal information would not be included in training data, and that many users would not reasonably have understood that their conversations could be used to train models or reviewed by human trainers.

The report also found that OpenAI should have obtained express consent for certain disclosures of personal information through ChatGPT outputs, especially where the information was sensitive or fell outside individuals’ reasonable expectations.

While OpenAI had introduced measures to reduce the risk of sensitive disclosures, the regulators said those measures covered a narrower set of information than the broader categories of personal information protected under the relevant privacy laws.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Generative AI guidance issued by Australia’s New South Wales tribunal

The New South Wales Civil and Administrative Tribunal has issued guidance on the acceptable use of generative AI in tribunal proceedings as part of Privacy Awareness Week NSW 2026, which this year focuses on personal information risks in the age of AI.

According to NCAT, generative AI tools may be used to assist with administrative and organisational tasks such as summarising material, organising information, or preparing chronologies. At the same time, the tribunal warns that such tools can create privacy risks if users enter personal, sensitive, or confidential information.

The guidance is set out in NCAT Procedural Direction 7 on the use of generative AI, together with an accompanying fact sheet. NCAT says the aim is to clarify when generative AI may be used in tribunal-related work while reinforcing obligations to protect personal and confidential information.

The tribunal also draws a clear line around evidentiary material. Generative AI must not be used to generate or alter evidence in tribunal proceedings, including statements, affidavits, statutory declarations, character references, or other evidentiary documents.

NCAT further states that generative AI must not be used to generate content for an expert report unless the tribunal has given permission. It is encouraging parties and their representatives to review the guidance before using such tools in proceedings.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

China closes consultation on digital virtual human services

The Cyberspace Administration of China has closed its public consultation on the draft Administrative Measures for Digital Virtual Human Information Services, which set out proposed rules for digital virtual human services provided to the public in China.

The notice states that the consultation opened in April 2026 and that comments were accepted until 6 May 2026. According to the draft, the measures would apply to internet information services delivered to the public within China through digital virtual humans.

The draft says providers and users must process data for lawful purposes and within a lawful scope, use data from legal sources, and fulfil their data security responsibilities. It also requires technical and other necessary measures to protect data storage and transmission and to prevent leaks or improper use.

The text further requires digital virtual human service providers and users to establish security risk monitoring, warning, emergency response, anti-addiction mechanisms, and stronger content-direction management, while also retaining logs. Providers whose services have public opinion attributes or social mobilisation capacity would also be required to complete algorithm filing procedures and security assessments in line with existing national rules.

Beyond cybersecurity and data protection, the draft includes provisions on personal information, personality rights, intellectual property, content controls, labelling requirements, and protections for minors. It defines digital virtual humans as virtual figures in the non-physical world that simulate human appearance and may have voice, behaviour, interaction abilities, or personality traits, using graphics, digital image processing, or AI technologies.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

New Meta age assurance system aims to prevent underage access

Meta has expanded its use of AI to strengthen age assurance and improve enforcement of underage account policies across its platforms. The systems are designed to detect users under 13 for removal and to place suspected teens into protected Teen Account settings on Instagram and Facebook in regions including the EU, Brazil, and the US.

The technology analyses a range of signals, including profile information, user activity, and other contextual indicators, to estimate age more accurately. Automated systems are also being used to support faster and more consistent review of reports related to underage use.

Visual analysis has also become part of Meta’s broader detection approach, with the company saying its systems look for general age-related indicators rather than attempting to identify specific individuals. Reporting tools have been simplified, and AI-assisted moderation is being used to improve the speed and reliability of enforcement decisions.

Alongside these enforcement measures, Meta is increasing parental engagement through notifications and guidance to encourage more accurate age reporting and safer online behaviour. The wider effort reflects growing pressure on platforms to move beyond self-declared age checks and to build stronger systems to protect younger users.

Why does it matter?

The significance of the move lies in the fact that age assurance is becoming a core platform governance issue rather than a secondary moderation tool. Meta is trying to show that large social platforms can use AI not only to recommend or personalise content, but also to enforce minimum age rules at scale. That matters because regulators are increasingly questioning whether self-declared age data is enough to protect minors online. It also points to a broader shift in which platforms are expected to combine safety obligations, automated detection, and parental tools into a more active system of child protection.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!  

Cybersecurity and AI safety in focus at European Parliament discussion

Members of the European Parliament’s Committee on the Internal Market and Consumer Protection are set to discuss the safety of AI systems that could pose serious security risks.

According to the event description, the discussion will examine how existing EU legislation applies in practice, particularly the AI Act and the Cybersecurity Act. It will focus on how advanced AI systems are developed and managed when they may present security risks, and on how companies are implementing the EU rules and the challenges they face.

Experts from ENISA, the European Union Agency for Cybersecurity, and the European Commission are expected to take part. They will explain how the relevant legal and regulatory frameworks operate in practice across the EU, including the rules governing AI systems.

The discussion also comes as the European Commission has proposed changes to the Cybersecurity Act. In the European Parliament, the Committee on Industry, Research and Energy is leading work on the file, while IMCO is contributing an opinion focused on internal market and consumer protection aspects.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Data access emerges as cornerstone of EU AI plan

The European Commission has unveiled its AI Continent Action Plan, setting out a strategy to strengthen Europe’s position in the global AI landscape. The plan responds to rapid international advances and seeks to accelerate AI adoption across European industry and public services, where progress remains uneven.

Rather than introducing a new regulatory framework, the plan brings together targeted investments and policy measures around five priorities: expanding AI infrastructure, improving access to data, accelerating adoption in strategic sectors, strengthening skills, and supporting the implementation of existing rules.

Access to high-quality and interoperable data is presented as one of the key conditions for scaling AI in Europe. The plan links this objective to the EU’s wider data strategy and to efforts to make cross-border data use more practical, enabling organisations to train and deploy AI systems more effectively while operating within Europe’s transparency and accountability standards.

The broader ambition is to move Europe from fragmented experimentation towards more scalable and trustworthy AI deployment. In that sense, the Action Plan treats data, infrastructure, skills, and implementation capacity as parts of the same competitiveness agenda rather than separate policy tracks.

Why does it matter?

Europe’s AI challenge is no longer only about regulation, but about whether companies and public institutions can actually build and use AI at scale. If access to data remains fragmented across borders, sectors, and technical systems, the EU risks falling further behind competitors that already combine compute, capital, and data more effectively. By putting data access alongside infrastructure and skills, the Commission is signalling that AI competitiveness will depend as much on operational capacity as on rules or research strength.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!