EU agrees tougher child protection rules against AI-generated abuse

The agreement between the European Parliament and the Council updates legislation first adopted in 2011, reflecting the growing role of digital technologies and AI in facilitating abuse.

Under the revised directive, designing, adapting or distributing AI systems intended to generate child sexual abuse material would become a criminal offence. The updated rules would also cover deepfake abuse material, livestreamed child sexual abuse, sexual extortion, and the possession or distribution of instructions on how to commit such crimes.

The agreement also strengthens rules on consent. It clarifies that consent must be given voluntarily, cannot be inferred from silence, lack of resistance or a previous relationship, and can be withdrawn at any time.

Grooming offences would be expanded to cover situations involving coercion, threats or deception, including cases where offenders falsely present themselves as peers of the child.

Victim protection would also be strengthened through access to healthcare, legal aid, helplines, accommodation support and compensation mechanisms. The agreement also extends limitation periods, recognising that many victims need years or decades before reporting abuse.

The revised directive still requires formal adoption by the European Parliament and the Council before entering into force.

Why does it matter?

The agreement shows how EU criminal law is being adapted to AI-enabled and online forms of child sexual abuse. Criminalising AI systems designed to generate abusive material is especially significant because it targets not only harmful content but also the tools used to produce it. The revised directive also strengthens victim support and prosecution timelines, addressing the reality that many survivors report abuse years after it occurred.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

IWF challenges misconceptions about child abuse detection technologies

The Internet Watch Foundation (IWF) has published a new analysis aimed at countering what it describes as persistent misconceptions about technologies used to detect child sexual abuse material (CSAM) online.

According to the organisation, public discussions increasingly focus on privacy and surveillance concerns while overlooking the role these technologies play in identifying and removing illegal content at scale.

The article argues that detection tools are not experimental technologies but rather adaptations of established cybersecurity methods already used throughout the digital ecosystem.

The IWF highlights hash matching technologies, which compare the mathematical signatures of files against databases of known illegal content, as a long-established and widely used approach to content detection.

The IWF stresses that these systems do not involve mass surveillance and do not require access to the contents of private communications.

The organisation also points to perceptual hashing technologies such as PhotoDNA, which can identify known abuse images even when files have been modified or resized. Similar approaches are commonly used in cybersecurity for malware detection, phishing prevention and file verification.

According to the IWF, the principles behind child protection technologies are therefore consistent with existing online security practices.

The article further argues that no single technology can effectively address the challenge of child sexual abuse material online. Instead, platforms require multiple layers of protection, including known-content detection, identification of previously unknown material, behavioural analysis, reporting mechanisms and human moderation.

The IWF warns that limiting detection capabilities would reduce the ability of platforms and law enforcement authorities to identify abuse and protect victims.

Why does it matter?

The publication contributes to an increasingly important policy debate over how to balance privacy, encryption and child protection online. As governments consider new online safety laws and content moderation requirements, questions about whether detection technologies constitute surveillance have become central to discussions involving regulators, technology companies and civil society groups.

The IWF’s intervention also highlights a broader governance challenge. While privacy advocates warn against measures that could weaken encryption or expand monitoring, child protection organisations argue that effective detection capabilities remain essential for identifying abuse, removing illegal content and supporting law enforcement investigations. The outcome of these debates could shape future approaches to online safety, platform accountability and digital rights worldwide.

US sets post-quantum cryptography deadlines for federal systems

US President Donald Trump has signed an executive order setting deadlines for federal agencies to migrate high-priority systems to post-quantum cryptography.

Executive Order 14409 says large-scale quantum computers could threaten widely used cryptographic systems and create risks for sensitive government data, critical infrastructure and the digital economy. It also highlights ‘harvest now, decrypt later’ attacks, where adversaries collect encrypted information today and decrypt it once quantum capabilities become available.

The order makes it US policy to transition federal information systems to National Institute of Standards and Technology-approved Federal Information Processing Standards for post-quantum cryptography. It also directs the federal government to assist critical infrastructure owners and operators with their own migration planning.

Within 30 days, each federal agency must name a post-quantum cryptography migration lead responsible for cryptographic inventories, migration planning and cross-agency coordination.

The Office of Management and Budget must issue guidance within 90 days requiring agencies to review inventories of high-value assets and high-impact systems (excluding National Security Systems) and submit migration plans.

Federal high-value assets and high-impact systems must transition to post-quantum cryptography for key establishment by 31 December 2030 and for digital signatures by 31 December 2031.

The order also directs CISA, in coordination with NIST, to publish public guidance within 270 days on minimum elements for a cryptographic bill of materials, supporting automated assessment of cryptographic assets in hardware and software.

Procurement rules are also expected to change. The Federal Acquisition Regulatory Council must propose requirements for covered contractors to comply with NIST cryptographic standards, including applicable post-quantum standards, by 31 December 2030.

Why does it matter?

The order gives the US post-quantum transition concrete deadlines and turns cryptographic migration into an operational, procurement and critical infrastructure issue. Quantum-capable attacks remain a future risk, but encrypted data can be stolen now and decrypted later. By requiring inventories, migration leads, contractor obligations and cryptographic bills of materials, the EO pushes agencies and suppliers to understand where vulnerable cryptography is used before quantum threats become practical.

Oxford researchers develop AI tool to map hidden effects of high blood pressure

Researchers led by the University of Oxford have developed an AI tool called ‘HyperScore’ that could help doctors better understand how high blood pressure affects different organs and individuals in different ways. The approach could support more personalised treatment strategies in the future.

Using the AI tool, researchers identified six distinct patterns of hypertension-related disease by analysing hundreds of measurements, including cardiac imaging, brain MRI scans, blood tests and assessments of the kidneys, liver and vascular system.

The study found that individuals with higher HyperScores faced a greater risk of future cardiovascular events, even when conventional blood pressure measurements did not fully capture that risk. Changes detected through brain MRI imaging emerged as some of the strongest indicators of hypertension-related organ damage.

The researchers analysed data from more than 27,000 participants in the UK Biobank and validated their findings in an additional cohort of more than 5,500 individuals in the US. The researchers cautioned that the approach remains at an early stage and is not yet ready for routine clinical use in the UK.

Why does it matter?

High blood pressure is one of the world’s leading risk factors for heart disease, stroke and other chronic conditions, yet patients with similar blood pressure readings can experience very different health outcomes. The study suggests that AI may help identify hidden patterns of organ damage that are not captured by conventional measurements, potentially enabling more accurate risk assessment and personalised treatment strategies.

The research also highlights the growing role of AI in precision medicine. By combining imaging, laboratory data and clinical information, AI systems may help clinicians move beyond one-size-fits-all approaches to disease management. Although HyperScore remains at an early research stage, the findings demonstrate how AI could support earlier intervention and more targeted care for patients with complex cardiovascular risks.

Spain reports higher removal of online hate speech content

Spain’s Observatory on Racism and Xenophobia identified 31,003 pieces of hate speech and discriminatory content on social media in May 2026, according to its monthly monitoring report.

The Observatory, known as OBERAXE, said digital platforms removed 65% of notified content, up from 56% in April. TikTok, X and Instagram recorded the highest removal rates, while the Trusted Flagger route continued to perform better than ordinary user reporting.

Trusted Flagger notifications accounted for 53% of removed content, compared with 48% in April. Content reported through ordinary user channels reached a removal rate of 12%, up from 8% the previous month.

The report found that 73% of detected content presented targeted groups as a threat, while dehumanising and severely degrading messages increased sharply compared with April. It also recorded frequent use of aggressive language and growing reliance on images, videos, memes and coded expressions.

People from North Africa remained the main target of online hate speech, followed by African and Afro-descendant people and Roma people. Narratives linked to citizen insecurity accounted for the largest share of detected content, followed by content related to social benefits and access to public resources.

OBERAXE said continued cooperation with digital platforms is essential to improve detection, removal procedures and policies aimed at combating discrimination online.

Why does it matter?

The report shows how hate speech monitoring is becoming part of platform governance and anti-discrimination policy. Spain’s data suggest that trusted reporting channels can improve removal rates, but the scale and persistence of hostile narratives show the limits of reactive moderation. The findings also raise wider questions about transparency, platform accountability and how governments can address online hate while protecting freedom of expression.

Cybercriminals exploit World Cup hype with phishing schemes

Cybercriminals are exploiting World Cup interest through fake streaming platforms, phishing campaigns, counterfeit online stores and betting-related scams, according to Kaspersky researchers.

The security company said it had identified more than 336 fake websites designed to imitate official World Cup pages. Many scams target fans looking for cheaper tickets, free match streams or tournament merchandise.

Some fake streaming sites ask users to register and pay for access to matches, sometimes using cryptocurrency. Others collect personal data that can later be used in further phishing attacks.

Kaspersky also identified counterfeit merchandise shops, fraudulent betting schemes and phishing emails promoting fake offers or paid predictions. Some scams rely on urgency, limited-time claims and professional-looking websites to pressure users into sharing payment or personal information.

The company warned that AI-generated websites and more polished scam designs are making fraudulent pages harder to distinguish from legitimate services during high-demand events.

Kaspersky advised fans to use official sources, check website addresses carefully and avoid offers that promise free access, unrealistic discounts or guaranteed betting results.

Why does it matter?

Major sporting events create ideal conditions for online fraud because demand, urgency and emotion are all high. World Cup scams show how criminals combine phishing, fake e-commerce, streaming fraud and social engineering to steal money and personal data. The use of polished or AI-generated websites also reflects a wider challenge for consumer protection: scams are becoming easier to create at scale and harder for users to recognise.

Ofcom fines adult site over age check failures

Ofcom has imposed an £80,000 fine on pornography provider First Time Videos LLC after finding that the company failed to implement legally required age assurance measures under the Online Safety Act.

The regulator concluded that the provider failed to implement the ‘highly effective’ age assurance measures required to prevent children from accessing pornographic content. According to Ofcom, robust age assurance measures are a central requirement of the UK’s online safety framework and play a key role in protecting minors online.

Alongside the enforcement action, Ofcom announced its provisional view that xgroovy.com may also have failed to comply with age assurance obligations under the legislation. The regulator further expanded an existing investigation into Sun Social Media Inc. to cover an additional adult website operated by the company.

Ofcom said the penalty was determined with regard to the size and turnover of the service, ensuring that the sanction remained proportionate while reinforcing compliance expectations across the sector.

Why does it matter?

The decision marks an important milestone in the implementation of the UK’s Online Safety Act, demonstrating that age assurance requirements are moving beyond policy commitments into active regulatory enforcement. By imposing financial penalties on non-compliant providers, Ofcom is signalling that online platforms hosting adult content will be expected to adopt effective measures to prevent children’s access.

The case also reflects a broader international trend towards stronger child online safety regulation. Governments and regulators increasingly view age assurance technologies as a key tool for protecting minors in digital environments, while balancing concerns around privacy, proportionality and implementation. Future enforcement actions could shape how platforms design and deploy age verification systems both in the UK and beyond.

Apple expands app distribution options in Brazil

Apple will introduce changes to iOS in Brazil following an agreement with the country’s competition regulator, Conselho Administrativo de Defesa Econômica.

The changes, beginning with iOS 26.5, will give developers new options to distribute apps through alternative app marketplaces, operate those marketplaces and process payments for digital goods and services outside Apple’s In-App Purchase system.

Apple said the changes reflect a recent agreement with CADE and are intended to create new options for developers in Brazil. The agreement follows competition scrutiny of Apple’s App Store rules in the country.

The company warned that alternative app distribution and payment options may create new risks, including malware, fraud, scams and privacy and security concerns. It said it has worked with CADE on measures designed to reduce those risks, including app notarisation, marketplace authorisation and protections for children.

Apple also said all current members of the Apple Developer Program must agree to updated licence terms by 6 July 2026 to access the new options in Brazil. The company has made online appointments available for developers seeking more information.

Why does it matter?

The changes show how competition enforcement is reshaping closed app ecosystems beyond the EU. Brazil’s intervention adds pressure on Apple to allow alternative distribution and payment models while preserving security and privacy safeguards. The case also highlights a recurring policy tension: regulators want more competition and developer choice, while Apple argues that opening iOS can increase risks for users.

UNESCO assessment supports ethical AI roadmap in El Salvador

El Salvador has advanced its national AI agenda following the presentation of a Readiness Assessment Methodology (RAM) report developed by UNESCO in cooperation with the National Artificial Intelligence Agency (ANIA). The initiative brings together government institutions, international organisations, academia and the private sector to assess the country’s preparedness for ethical, inclusive and sustainable AI development.

The assessment is grounded in the UNESCO Recommendation on the Ethics of Artificial Intelligence, which establishes principles for safe and responsible AI deployment. According to the assessment, El Salvador’s legal and institutional framework, including measures related to data protection, cybersecurity and AI governance, has strengthened its position in regional AI readiness indicators.

The report highlights AI deployments already being used in public services, including digital health diagnostics, automated legal processes and large-scale digitisation of government records. Education systems are also integrating AI tools to expand access to learning, while projected economic gains suggest significant growth potential if ethical adoption continues to scale.

Alongside the findings, authorities outlined priorities aimed at reducing inequalities in access to technology, expanding participation in STEM education and ensuring that AI-related benefits reach both urban and rural communities.

The new National Artificial Intelligence Strategy 2026 sets out these priorities as part of a broader human-centred development model.

Why does it matter?

The initiative positions El Salvador as a test case for how emerging economies can align rapid AI adoption with structured governance and ethical safeguards. By embedding human-centred principles into national strategy and law, the country aims to prevent AI-driven gains from widening social or geographic inequalities while strengthening long-term digital readiness.

EDPS and EU data protection officers focus on AI, cybersecurity and compliance

The European Data Protection Supervisor (EDPS) and data protection officers (DPOs) from EU institutions, bodies, offices and agencies met in Brussels on 18 June to discuss emerging data protection priorities and compliance challenges.

The 58th meeting of the EDPS-DPO network was hosted by the Executive Agencies of the European Commission. The meeting brought together DPOs from across the EU administration at a time of significant regulatory and technological change.

European Data Protection Supervisor Wojciech Wiewiórowski opened the meeting by emphasising the importance of safeguarding DPO independence in practice. He pointed to recent EDPS action, guidance, and procedures intended to safeguard the role of DPOs across EU institutions.

Wiewiórowski also reviewed key developments from 2025, including the closure of the EDPS investigation into the European Commission’s use of Microsoft 365, a rise in complaints, and the growing impact of AI-generated submissions. He noted that regulatory simplification should reduce unnecessary administrative burdens without undermining fundamental rights protections.

Thomas Zerdick, Head of the EDPS Supervision and Enforcement Unit, introduced a follow-up tracker designed to maintain continuity between EDPS-DPO meetings. The first tracker focused on EDPS supervisory guidance on the role of DPOs in EU institutions and the EDPS decision on prior consent to DPO dismissal.

Zerdick also presented recent developments in supervision and enforcement, including complaint handling, compliance issues affecting several EU institutions, and practical guidance on international transfers and data protection impact assessments. The update also covered work linked to the Area of Freedom, Security and Justice, including audits, opinions, and preparations for upcoming systems.

Luis Velasco, Head of the EDPS Technology and Privacy Unit, outlined initiatives to help EU institutions meet compliance requirements for automated systems and AI. He announced that an updated version of the EDPS guidance on risk management for AI systems is expected to be published later this summer.

Velasco also referred to a practical checklist on human intervention, intended to help organisations establish effective safeguards for automated systems. He warned that cyberattacks targeting EU institutions are a growing threat and pose serious risks to individuals’ personal data.

The discussion also addressed the response to a personal data breach. Velasco stressed that individuals affected by a personal data breach should be informed without undue delay when a breach is likely to pose a high risk to their rights and freedoms.

A practical workshop focused on developing a common data protection impact assessment template under the EU Data Protection Regulation. Participants tested a draft template through a case study and discussed issues including necessity, proportionality, and risk assessment.

The afternoon sessions included a discussion of the 2024 data breach at the European Agency for Law Enforcement Training. The CEPOL DPO and the EDPS Data Breach Notification Team shared lessons with the wider DPO community, highlighting that major data breaches create organisational and human challenges as well as compliance obligations.

The meeting also included a session on privacy and data protection case law, presented by Zerdick. The session focused on the EDPS’s interpretation of recent judgments and their practical implications for supervisory work and controllers.

Participants also received an update on the EDPS Website Compliance Awareness Campaign. Following pilot phases in 2024 and 2025, the Technology and Privacy Unit presented preliminary findings from the first wave of the campaign’s second phase, which involved automated scans of public-facing websites of EU institutions.

The EDPS said the meeting demonstrated the value of bringing together the EU’s DPO community to address shared challenges, exchange practical experience and strengthen compliance across institutions. The discussions focused on practical cooperation, support for compliance, and stronger data protection safeguards across the EU administration.

Why does it matter?

The meeting highlights how data protection within EU institutions is evolving beyond traditional compliance issues toward broader challenges involving AI governance, cybersecurity, automated decision-making and digital service oversight. As public administrations increasingly adopt AI-enabled systems and process larger volumes of personal data, data protection officers are playing a more strategic role in managing operational and regulatory risks.

The discussions also illustrate a growing emphasis on practical implementation. Common templates, coordinated guidance and shared lessons from data breaches can help institutions apply data protection rules more consistently across the EU administration. This is particularly important as regulators seek to align privacy requirements with emerging frameworks governing AI, cybersecurity and digital public services.
