Privacy and data protection

Singapore consults on personal data rules for generative AI

Singapore’s Personal Data Protection Commission (PDPC) has launched a public consultation on proposed advisory guidelines governing the use of personal data in generative AI systems. Published on 2 June, the draft guidelines seek feedback on how Singapore’s Personal Data Protection Act (PDPA) applies when personal data is used in the development and deployment of generative AI systems.

The proposed guidelines address the collection and use of personal data for generative AI model development, the allocation of data protection responsibilities across the AI lifecycle, and the handling of individual rights requests relating to personal data. The guidance is organised around development, deployment, and post-deployment stages.

For model development, the draft guidelines clarify how organisations may rely on exemptions for publicly available information when using web-scraped datasets containing personal data. They also set out considerations for data behind digital barriers such as paywalls, registration requirements, authentication mechanisms, and tools that block automated access.

The PDPC proposes that general privacy notices should not be considered sufficient for obtaining consent to use personal data for large-scale AI training or fine-tuning. Organisations would instead be expected to provide AI-specific notices explaining the categories of personal data used, the purpose of the processing, the model’s intended functions, and how individuals can refuse or withdraw consent.

The proposed guidelines also outline responsibilities for model providers, system providers, and system deployers, including retention, protection, purpose limitation, and accountability obligations. The post-deployment guidance addresses access and correction requests while recognising technical challenges associated with large datasets, embeddings, temporary context windows and the removal of specific information from trained models. Interested parties may submit comments to the PDPC by 1 July 2026.

Why does it matter?

The consultation highlights the growing challenge of applying existing data protection laws to generative AI systems that rely on large-scale data collection and model training. Regulators worldwide are increasingly examining how privacy principles such as consent, transparency and purpose limitation should operate in AI development.

Singapore’s proposed guidance could provide an important reference point for organisations developing or deploying generative AI, particularly in areas such as web scraping, AI training datasets and the allocation of responsibilities across the AI value chain.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

UK strengthens Online Safety Act protections against intimate image abuse

The UK Government has announced an amendment to Ofcom’s Illegal Content Codes of Practice under the Online Safety Act, introducing new measures to tackle non-consensual intimate images. The update was outlined in by the Minister for AI and Online Safety, Kanishka Narayan.

The amendment requires relevant online services to use perceptual hash-matching technologies, or equivalent tools, to identify and prevent the re-upload of known non-consensual intimate images, including AI-generated intimate image deepfakes.

According to the government, the change strengthens the framework established by Ofcom’s Illegal Content Codes of Practice, which entered into force in 2025. The updated approach aims to ensure that once abusive content has been identified and removed, systems are in place to prevent it from being repeatedly shared.

The amendment has been laid before Parliament for scrutiny and will take effect if neither House objects. The government said the measure is intended to strengthen protections for victims, particularly women and girls, and forms part of the ongoing implementation of the Online Safety Act in the UK.

Why does it matter?

Governments and regulators are increasingly treating AI-generated intimate imagery as a form of image-based abuse alongside authentic non-consensual intimate content. As generative AI tools make it easier to create and distribute realistic deepfakes, policymakers are looking for mechanisms to prevent harmful content from repeatedly reappearing online.

The UK’s proposal reflects a broader trend towards requiring platforms to deploy technical measures that can identify and block known abusive content while strengthening protections for victims of online harms.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Australia launches AI Safety Institute to boost trust in AI adoption

Australia’s AI Safety Institute became operational on 2 June as the government seeks to strengthen public trust in AI development, deployment and governance. The announcement was made during the AFR AI Summit in Canberra, where the government described public trust as essential to building a domestic AI industry.

According to Assistant Minister for Science, Technology and the Digital Economy Hon Dr Andrew Charlton, Australia’s national AI plan rests on three pillars:

  • Capturing the opportunity
  • Sharing the benefits
  • Keeping Australians safe.

The AI Safety Institute is intended to support that effort by testing AI systems, assisting regulators and strengthening public confidence in the technology.

In his speech, Charlton also argued that Australia faces a choice between building a world-class AI industry or relying on foreign capability, while warning that low public trust could slow AI adoption and investment.

Charlton cited survey findings showing that only 30% of Australians believe the benefits of AI outweigh the risks, while 78% are concerned about potential negative impacts, and 36% say they trust the technology. It linked public scepticism to concerns that AI benefits may flow offshore while costs linked to jobs, privacy, power bills, and local communities are borne domestically.

Data centres were highlighted as an example of how trust considerations are shaping AI policy. The government said data-centre developers should contribute new renewable energy capacity, cover an appropriate share of transmission and distribution costs, engage with local communities and avoid creating pressure on water resources.

The AI Safety Institute will analyse and test AI models and applications, support regulators responding to emerging AI-related harms, and contribute to national and international discussions on safe AI development and governance. The speech also pointed to wider work on privacy reform, online safety, workplace impacts, competition, consumer issues, and public-sector AI adoption.

Why does it matter?

Australia is positioning trust as a key component of its AI strategy at a time when governments are balancing economic opportunities from AI with concerns about safety, privacy, employment and infrastructure impacts.

By creating a dedicated AI Safety Institute, Australia joins a growing number of countries establishing specialised institutions to evaluate AI risks, support regulators and build public confidence in the deployment of increasingly capable AI systems.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

G7 digital and technology ministers agree on priorities on AI, resilience and online child safety

G7 digital and technology ministers have agreed on priorities covering secure AI, AI openness, digital sector resilience and online safety for minors following a meeting in Paris under France’s presidency. Ministers said digital technologies are central to innovation, productivity and competitiveness, while also creating new challenges for users, businesses and service providers.

The statement reaffirmed support for Data Free Flow with Trust, while highlighting privacy, data protection, intellectual property and security considerations. Ministers also welcomed G7 work on semiconductors, digital standards, quantum technologies, and competition in AI inputs, including computing power, data, energy, and talent.

On AI, ministers said secure, responsible and trustworthy systems are needed to maintain public trust and support adoption. They welcomed the revised Hiroshima AI Process Reporting Framework and said France’s presidency would start discussions with stakeholders, the OECD, and members of the International Network for Advanced AI Measurement, Evaluation and Science to improve comparability between AI risk assessment frameworks.

The G7 also backed a Vision on AI Openness, intended to clarify terminology and support access to open-source and open-weight AI approaches. Ministers said AI openness can help diffuse AI, support research collaboration, and contribute to innovation and economic growth, while clearer language can reduce ambiguity and support trust.

Ministers also supported a G7 SME AI Readiness Tool, developed with the OECD and in cooperation with the G7 Social-Employment working group. The tool is expected to be made available through the G7 AI Training Hub to help micro, small and medium-sized enterprises assess their digital and AI readiness, improve AI literacy and lower adoption barriers.

The statement also addresses digital and AI sector resilience, resource efficiency and growing pressure on energy grids and digital infrastructure. On child online safety, ministers supported a Common G7 Set of Principles for a safe and secure digital space for minors, covering digital literacy, AI education, risk mitigation by digital service providers, support for parents and guardians, and protection against online harms.

Why does it matter?

The G7 statement reflects growing international coordination around AI governance, digital resilience and online child safety. By addressing AI risk assessment, openness, SME adoption and digital infrastructure pressures in one framework, ministers are linking technological innovation with trust, security and economic competitiveness.

The agreement also signals that online safety for minors is becoming a core part of digital policy cooperation among major economies, particularly as AI systems and digital platforms play a larger role in children’s online experiences.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

China tightens controls on technology leaks with updated secrecy laws

China has updated its trade secret protection rules to formally include data, algorithms, computer programs, code, and other technical information, reflecting the growing importance of digital assets in commercial competition.

The Provisions on the Protection of Trade Secrets, issued by the State Administration for Market Regulation, took effect on 1 June 2026 and replaced rules dating back to 1995. The framework defines trade secrets as technical, business, and other commercial information that is not publicly known, has commercial value, and is protected through corresponding confidentiality measures.

The new rules encourage companies to strengthen internal compliance and trade secret management systems. They identify reasonable confidentiality measures, including confidentiality agreements, employee training, access restrictions, data classification, encryption, isolation, and limits on copying, storing, or accessing sensitive information.

The regulations also address digital working environments. For remote work and cross-border collaboration, companies are encouraged to implement measures such as permission tiering, data masking, and operational logging to protect confidential information.

The rules prohibit acquiring trade secrets through theft, bribery, fraud, coercion, electronic intrusion, or other improper means. They also cover unauthorised access to digital office systems, servers, email accounts, cloud storage, and application accounts, as well as the use of malware or the exploitation of vulnerabilities to obtain trade secrets.

The framework applies to trade secret infringements committed outside China where they disrupt domestic market competition or harm the lawful rights and interests of Chinese business operators.

Alongside the new rules, SAMR has launched the fourth Enterprise Trade Secret Protection Capacity Enhancement Service Month in June 2026. The campaign will focus on compliance guidance, stronger enforcement, regional cooperation, and support for key industries, including biomedicine, integrated circuits, and AI.

Why does it matter?

The updated rules show how trade secret protection is being adapted to digital and data-driven industries. By explicitly covering data, algorithms, software and code, China is treating digital knowledge assets as core components of commercial competitiveness. The framework also raises compliance expectations for companies operating in China, especially those working across remote teams, cloud environments, cross-border collaboration, AI, semiconductors, and other high-value technology sectors.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

EDPB approves global extension of Europrivacy certification

The European Centre for Certification and Privacy announced that the European Data Protection Board (EDPB) has approved the extension of the Europrivacy certification scheme beyond Europe. Organisations worldwide that are subject to the General Data Protection Regulation (GDPR) will now be able to seek Europrivacy certification.

The Centre also announced approval of a specific version of the certification criteria for use as a safeguard mechanism for international data transfers. The measure is intended to support organisations outside the EEA in demonstrating compliance when handling transferred personal data.

According to the organisation, the decisions are intended to strengthen legal certainty, support trusted cross-border data flows and provide an additional compliance mechanism based on independent assessments and regular audits.

The decisions represent a significant step towards broader adoption of data protection certification mechanisms at the international level. The announcement follows recent EDPB approvals and reflects the growing role of certification mechanisms in international data governance and cross-border data transfers across the EU.

Why does it matter?

Certification mechanisms are becoming an increasingly important part of international data governance, particularly as organisations seek to demonstrate compliance with GDPR requirements across jurisdictions.

The expansion of Europrivacy beyond Europe and its use in international data transfers could provide organisations with an additional tool for demonstrating accountability, supporting cross-border data flows and navigating evolving data protection obligations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

IWF and CaseScan partner to strengthen the detection of child abuse material

The Internet Watch Foundation has announced a new partnership with CaseScan aimed at improving the detection and identification of child sexual abuse material online.

CaseScan, a specialist technology company supporting child protection investigations and digital safety work, has joined the IWF as a member. The company develops tools that help specialist teams identify, classify, and prioritise illegal material more efficiently, reducing manual workloads and supporting faster responses when criminal content is found.

Through its membership, CaseScan will be able to draw on IWF intelligence and services to strengthen how it helps approved clients detect child sexual abuse material. The IWF said the collaboration will support faster identification of criminal content.

The partnership comes amid a rapidly evolving online threat landscape. According to the IWF’s 2025 Annual Data & Insights Report, new technologies, systemic vulnerabilities, and the continued distribution of child sexual abuse material are increasing the challenges faced by investigators and online safety organisations.

CaseScan said the collaboration will strengthen its ability to support professionals working on the front line of child protection investigations. The IWF said industry partnerships are essential to disrupting the criminal distribution of abusive images and videos and preventing the repeated victimisation of children online.

Why does it matter?

The partnership shows how child safety organisations and specialist technology providers are working to improve the speed and accuracy of CSAM detection. As the volume and complexity of illegal material online grow, trusted intelligence and specialist detection tools can help investigators and approved organisations prioritise cases, reduce manual review burdens, and respond more quickly to harmful content.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

UK proposes hash-matching rules to combat intimate image abuse in search results

The UK government has published draft amendments to the Illegal Content Codes of Practice for search services under the Online Safety Act, proposing new measures to help detect intimate image abuse content. The amendments, published on 1 June, would add a recommended measure for large general search services to use hash-matching technology to detect intimate-image abuse content.

According to the draft, Ofcom prepared the amendments under section 41 of the Online Safety Act and submitted them to the Secretary of State on 15 May. The document was presented to Parliament under section 43 of the Act and is due to lie before both Houses for 40 days.

The proposed measure, designated ICS C8, would apply to providers of large general search services. The measure recommends the use of perceptual hash matching to identify known intimate image abuse content, or cryptographic hash matching where perceptual matching is not supported by the provider’s hash database.

Under the proposal, content matching an unverified hash for the first time would be treated as potentially illegal and subjected to review under Ofcom’s search moderation procedures. Other matches may be treated as illegal content or reviewed as suspected video and image abuse, depending on the provider’s assurance in the detection outcomes.

The amendments also set expectations for human moderator review, regular updates to hash databases, removal of hashes found not to relate to intimate image abuse content, and reviews of precision and recall at least every six months. Ofcom said the proposed measure includes safeguards intended to protect freedom of expression and privacy rights while supporting the detection of illegal content.

Why does it matter?

The proposal reflects growing efforts by regulators to address the spread of non-consensual intimate imagery, including AI-generated content, through proactive detection and moderation measures.

By encouraging the use of hash-matching technologies, UK authorities aim to reduce the repeated circulation of known abusive material while maintaining safeguards for privacy and freedom of expression.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU welcomes G7 adoption of online child protection principles

The European Commission has welcomed a new agreement by G7 digital and technology ministers on a shared set of principles aimed at improving online safety for children and teenagers. The principles reflect approaches already present in several EU initiatives, including measures focused on online safety, digital literacy and the protection of minors.

The principles build on existing EU measures, including the Digital Services Act, the Better Internet for Kids Strategy and the AI Act. They focus on improving online safety while safeguarding privacy, fundamental rights and access to digital opportunities.

The framework promotes safety-by-design measures, privacy-conscious age assurance tools, stronger protections against harmful and illegal content, parental controls, and digital literacy initiatives. It also promotes greater cooperation between technology companies, researchers, governments and civil society organisations.

Why does it matter?

Governments are increasingly examining how digital platforms, recommendation systems and generative AI tools affect children’s wellbeing, privacy and online experiences. Concerns about harmful content, exploitation and age-inappropriate services have prompted policymakers worldwide to explore new approaches to online child protection.

The G7 agreement signals growing international convergence around child safety principles, while emphasising the need to balance protection measures with privacy, fundamental rights and access to digital opportunities.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Finland proposes rules for EU Cyber Resilience Act

The Finnish Government has proposed the approval of national provisions supplementing the EU Cyber Resilience Act, which sets cybersecurity requirements for products with digital elements.

The legislation will enter into force on 1 June 2026, with phased application aligned with the Cyber Resilience Act’s transitional periods during 2026 and 2027. The aim is to improve the cybersecurity of connected devices and software placed on the EU market.

The Cyber Resilience Act will be supplemented in Finland by a new national act on the cyber resilience of certain products and cybersecurity certification. The act covers supervision of product-related obligations, notification of conformity assessment bodies under the Cyber Resilience Act, administrative sanctions, and national provisions linked to the EU cybersecurity certification.

Market surveillance under the Cyber Resilience Act, along with the designation and supervision of notified bodies, will be assigned to the Finnish Transport and Communications Agency, Traficom. Market surveillance of high-risk AI systems will be carried out by the authorities responsible for supervising compliance with the AI Act, depending on the sector.

Conformity assessment bodies will be able to apply to Traficom from 11 June 2026 to be notified for assessment tasks under the Cyber Resilience Act. Bodies notified by Finland will be able to carry out conformity assessments across the EU member states within their area of competence.

Finland will also add a new chapter to the Act on Electronic Communications Services concerning the collection and disclosure of domain name registration data under the NIS2 Directive. The obligations will extend beyond .fi and .ax domains where the registrar or top-level domain registry is located in Finland, after a three-month transitional period.

The Government said the domain name provisions will complement Finland’s national implementation of NIS2 and improve the availability of registration data, making it easier to tackle illegal activity online.

Why does it matter?

Finland’s legislation shows how EU cybersecurity rules are being translated into national enforcement structures. The Cyber Resilience Act sets product security obligations at the EU level, but member states still need national provisions for supervision, notified bodies, sanctions, and certification. The added NIS2 domain registration rules also show how cybersecurity implementation is expanding beyond products into online infrastructure and data availability for enforcement.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.