Privacy and data protection

EU adopts unified cyber incident reporting templates under NIS2

The NIS Cooperation Group has adopted common templates for cybersecurity incident reporting across the EU, marking a step towards more harmonised compliance requirements for companies subject to the NIS2 Directive.

The templates were adopted during the group’s 39th plenary meeting in Cyprus and are intended to provide a uniform format for reporting cyber incidents across member states. The NIS Cooperation Group brings together the EU member states, the European Commission, and the EU Agency for Cybersecurity (ENISA) as part of wider EU cybersecurity coordination efforts.

According to the Commission, the standardised templates are designed to reduce administrative burdens and simplify compliance for companies required to report cybersecurity incidents under NIS2. The move also aligns with broader EU efforts to create a single-entry point for incident reporting under the proposed Digital Omnibus initiative.

The Commission now plans to adopt the templates through an implementing act, which would make them mandatory for all member states. The EU officials say harmonised reporting fields should reduce fragmentation, simplify reporting obligations, and help strengthen cybersecurity resilience across the bloc.

Why does it matter?

Cybersecurity reporting requirements across Europe have often created complexity for companies operating in multiple jurisdictions. Common templates could reduce duplication, make reporting procedures more predictable, and improve coordination between national authorities. The move also fits into the EU’s broader push to simplify digital compliance while strengthening cyber resilience under NIS2.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

WhatsApp introduces private AI chat mode for Meta AI conversations

WhatsApp has introduced a new private mode for conversations with Meta AI that limits storage and retention of chat data. According to Meta, conversations are designed to disappear after chats end and are not stored on company servers.

WhatsApp head Will Cathcart said the feature responds to user demand for more private AI interactions involving sensitive topics. Meta CEO Mark Zuckerberg described the feature as an AI product designed without persistent server-side conversation logs.

Professor Alan Woodward of the University of Surrey reportedly raised concerns about how disappearing conversations could affect accountability and investigations into harmful AI interactions. According to reports, critics argued that limited data retention could complicate review processes in cases involving harm or misuse.

Meta stated that the feature will initially support text-based interactions and include safeguards intended to block harmful or illegal requests. The announcement comes amid Meta’s broader expansion of AI-related products and infrastructure investments.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Argentina launches AI ‘Digital Twin’ system for social policy simulations

Argentina’s Ministry of Human Capital has launched the ‘Digital Twin’ initiative, an AI-based system intended to simulate potential impacts of social policies before implementation. According to the government, the project is part of broader efforts to use data analysis and predictive tools in public policy planning.

The system is designed to model scenarios related to areas including poverty, subsidies, and human capital development using large-scale datasets. Officials said the initiative could support more anticipatory and data-informed policymaking processes.

The announcement by President Javier Milei was followed by public criticism related to promotional materials associated with the initiative. Opposition representatives have requested additional information concerning the project’s legal basis, data usage, and privacy safeguards.

Privacy specialists and analysts also raised concerns about governance frameworks, data aggregation, and potential profiling risks. The government has not yet publicly detailed oversight mechanisms or specific data protection standards linked to the initiative.

Why does it matter?

Argentina’s Digital Twin project reflects a broader global shift towards using AI to simulate and predict social and economic outcomes, potentially reshaping how governments design and test public policy. If effective, such systems could improve efficiency by allowing policymakers to model interventions before implementation, reducing costly or ineffective decisions.

At the same time, the initiative raises significant governance and civil liberties concerns, particularly around large-scale data aggregation and the potential for algorithmic profiling of citizens.

Without clear transparency, oversight, and privacy safeguards, predictive governance tools risk shifting from policy optimisation instruments into systems that enable expanded state surveillance and reduced accountability.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

NSW privacy survey highlights concern over AI and data breaches

Australia’s NSW Privacy Commissioner has published the latest biennial survey on community attitudes towards privacy, highlighting strong public concern over data breaches and the use of AI and automated decision-making by government agencies.

The Information and Privacy Commission’s 2026 Community Attitudes Survey provides an indicative picture of public views in New South Wales on privacy rights, data breaches, access to personal information, and government use of emerging technologies. For the first time, the survey also includes findings on AI and automated decision-making.

The survey found that 70% of respondents were concerned about the NSW government’s use of AI and automated decision-making technologies in public decisions. It also found that 99% of respondents considered the NSW Government’s protection of personal information important, the highest result recorded in the survey. Just under 75% were aware that they could access and amend their personal information, apply for a review, or make a complaint with a NSW Government agency.

Concern about data breaches was also high, with 84% to 91% of respondents worried about deliberate hacking, inappropriate sharing, accidental release, and unauthorised access to personal information. Among respondents affected by a breach, 53% had contact information compromised, while 44% had identification information compromised.

Privacy Commissioner Sonia Minutillo said the findings showed that the public places a high value on privacy and is concerned about the risks posed by data breaches and new technologies. She said NSW public sector agencies could strengthen trust by implementing robust governance frameworks for the use of personal information and maintaining strong privacy practices.

The IPC said it will use the results to identify ways to support agencies and the community, and to inform its forward work under the Privacy Proactive Regulatory Initiatives Program.

Why does it matter?

The findings point to a growing trust challenge for public-sector AI deployment. As governments expand the use of AI and automated decision-making, public confidence will depend not only on technical safeguards but also on privacy governance, transparency, and clear avenues for people to access, amend, or challenge the use of their personal information.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

European Commission marks 10 years of GDPR

The European Commission has marked ten years since the General Data Protection Regulation (GDPR) entered into force across the European Union.

The GDPR entered into force on 24 May 2016 and established a common data protection framework across EU member states, and introduced rules governing the collection and processing of personal data. According to the European Commission, the regulation strengthened individuals’ rights regarding how personal data is collected, processed, corrected, deleted, and shared.

The framework applies to organisations ranging from small businesses to multinational technology companies. Authorities across the EU have also issued significant penalties in cases involving non-compliance with the regulation.

The GDPR has influenced privacy and data protection discussions internationally and contributed to wider adoption of similar regulatory approaches.

The Commission linked the GDPR to broader EU digital regulation efforts, including the Digital Services Act, the Digital Markets Act, and the AI Act. According to the Commission, these measures address issues including platform accountability, competition, and AI governance.

The Commission also referenced online child protection initiatives, including work on age verification and cyberbullying prevention. It said the EU’s approach reflects the principle that the online world should serve people.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU advances DSA researcher access with platform roundtable

The European Commission and a group of Digital Services Coordinators have held a roundtable with Very Large Online Platforms and Very Large Online Search Engines to support the first data access requests by vetted researchers under the Digital Services Act.

The meeting focused on the new mechanism for submitting vetted researcher status applications. The DSA and its delegated act give researchers a route to request platform data needed to study systemic risks and societal impacts, while adding safeguards to prevent misuse of accessed data.

Digital Services Coordinators told participants that they had received 49 applications for assessment as of 19 May. The applications mainly request data from social media platforms and focus on risks such as illegal content, advertising transparency and AI features.

The roundtable forms part of the EU’s wider supervision of designated platforms under the DSA. The regime applies to major online services that meet the threshold for Very Large Online Platforms or Very Large Online Search Engines, including XNXX, which was designated as a Very Large Online Platform in 2024 and is therefore subject to stricter transparency, risk assessment and researcher access duties.

The Commission said Digital Services Coordinators are assessing the applications and preparing guidance to help researchers navigate the process. VLOPs and VLOSEs also shared updates on their work to manage data access requests and make data catalogues available.

Although Digital Services Coordinators assess individual applications, the Commission remains responsible for enforcing VLOP and VLOSE compliance with vetted researcher data access obligations. It said it would closely monitor whether platforms provide researchers with access to data as required under the DSA.

The Commission noted that it has already taken action on research-related transparency obligations under the DSA, including proceedings, commitments from AliExpress and the first non-compliance decision and fine issued to X.

Why does it matter?

The roundtable marks an important step toward operationalising DSA researchers’ access. Independent researchers need platform data to study systemic risks such as illegal content, advertising transparency, AI-driven features and risks linked to large online platforms, including adult services such as XNXX. The process will test whether the DSA can turn platform transparency from a legal obligation into usable evidence for public-interest research, while balancing access with privacy, security and safeguards against misuse.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Grokipedia articles show selective political divergence from Wikipedia, research finds

A new study published in the Proceedings of the National Academy of Sciences examined structural and political differences between Wikipedia and Grokipedia, the AI-generated encyclopedia developed by xAI.

Researchers analysed 17,790 matched article pairs drawn from the 20,000 most-edited English-language Wikipedia entries. They found that Grokipedia articles are typically longer, more syntactically complex, and contain fewer references and hyperlinks per 1,000 words than their Wikipedia counterparts.

The study also identified a bimodal pattern across similarity measures, indicating that some Grokipedia entries closely resemble Wikipedia entries, while others diverge substantially in content and structure. Researchers said the findings suggest Grokipedia is not a fully independent alternative to Wikipedia, but often appears as an AI-mediated reconfiguration of Wikipedia content.

The analysis examined ideological differences by evaluating the political orientation of cited news media sources. Researchers found that divergence was concentrated primarily in politically and culturally sensitive topics, including religion, history, politics and literature.

Within those areas, Grokipedia articles showed a relative shift toward more right-leaning cited sources than Wikipedia. However, the study also noted that sources cited on both platforms remained predominantly left-leaning.

Researchers argued that Wikipedia’s human editorial processes make disputes, revisions and bias visible and contestable, while AI-generated systems may embed bias within more opaque automated workflows that are harder to scrutinise publicly.

The paper also raised broader concerns about the governance of AI-generated knowledge systems. Researchers warned that AI-generated encyclopedic content could shape future training datasets and automated information ecosystems, potentially reproducing or amplifying bias without sufficient transparency, accountability or human oversight.

Why does it matter?

The findings add to growing debates over AI-generated knowledge systems, political bias, citation quality and transparency. As generative AI increasingly produces reference and educational material, the key question is not only whether outputs are accurate, but whether their sources, editorial assumptions and revisions can be scrutinised. Grokipedia’s differences from Wikipedia show how automated knowledge systems may reshape information governance while making some forms of bias less visible.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

AppLovin lawsuit highlights scrutiny of digital advertising and data tracking systems

Amnesty International has expressed support for a class action lawsuit filed in the Netherlands against US technology company AppLovin over alleged large-scale mobile data tracking practices. The case has been brought by The Privacy Collective on behalf of Dutch internet users.

The lawsuit alleges that tracking software embedded in popular apps and mobile games collects personal data from millions of users, including children.

According to the complaint, collected data may be shared with third parties and used for targeted advertising purposes without sufficiently transparent consent mechanisms. The lawsuit references several widely used applications and games that allegedly contain the tracking software.

Amnesty International said such practices may raise concerns related to privacy, autonomy, and children’s rights in digital environments.

The Privacy Collective alleges that users may not receive clear information about the scope of data collection and tracking practices.

The case also highlights the scale of the global digital advertising ecosystem and its reliance on data-driven business models.

Why does it matter? 

The case directly challenges the scale and opacity of the modern digital advertising ecosystem, where personal data collection embedded in everyday apps may operate with limited user awareness or meaningful consent.

It highlights an emerging regulatory and human rights tension in the digital economy: whether commercial tracking systems, particularly those affecting children, can be reconciled with fundamental privacy protections and accountability standards in data-driven markets.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Singapore launches new AI, cybersecurity and quantum-readiness programmes

Singapore has announced new initiatives aimed at supporting enterprise AI adoption, strengthening cybersecurity, and preparing digital infrastructure for future quantum-related risks.

The measures were announced at ATxEnterprise 2026 by Senior Minister of State for Digital Development and Information Tan Kiat How. They include new partnerships under the Digital Enterprise Blueprint, an AI adoption playbook for enterprises, SME awards recognising AI impact, and a pilot on quantum-safe technologies.

According to IMDA’s Singapore Digital Economy Report 2025, AI adoption among SMEs increased significantly during 2024.

IMDA and the Singapore Business Federation will introduce SME AI Impact Awards recognising enterprises using AI technologies in business operations. Up to 30 winners will be recognised across categories for proprietary AI tools and adoption of ready-to-use AI solutions.

The Digital Enterprise Blueprint is being expanded through partnerships involving AI training, digital skills development, and cybersecurity support for SMEs. One programme led by Grab will provide AI-related training and courses for SMEs in sectors including retail, e-commerce, and food services.

RSM Stone Forest IT will also launch cybersecurity initiatives involving phishing simulations, awareness webinars, and tabletop exercises for SMEs. With the two partnerships, IMDA aims to reach 12,000 more SMEs, contributing to its target of supporting 50,000 SMEs by 2029.

IMDA, SkillsFuture Singapore, and Workforce Singapore have also developed an AI for Enterprise Impact Playbook to help digitally progressive enterprises assess readiness, identify support, and plan next steps for AI adoption.

Singapore additionally announced a pilot initiative focused on quantum-safe technologies for telecommunications infrastructure. IMDA signed a Memorandum of Intent with Singtel, Ericsson, and NCS Singapore to test and validate quantum-safe migration approaches.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Malaysia expands online safety rules for platforms and digital services

Malaysia’s Communications and Multimedia Commission (MCMC) has published the Child Protection Code and Risk Mitigation Code under the Online Safety Act 2025, following stakeholder engagement and a public consultation held from 12 February to 31 March 2026.

The codes form part of Malaysia’s broader online safety framework and outline expectations for service providers addressing online harms. According to MCMC, the framework follows an outcome-based approach that allows providers flexibility in implementing safety measures.

The Child Protection Code focuses on age-appropriate online experiences and child-safety-by-design principles for digital services in Malaysia. The code includes safeguards related to account registration, ownership restrictions for younger users, and protections involving higher-risk platform features.

It also introduces age-appropriate protections and restrictions on high-risk features, aiming to reduce children’s exposure to exploitative interactions and harmful content.

The Risk Mitigation Code outlines measures related to risk assessments, content governance, reporting systems, advertiser verification, and labelling of manipulated content. Measures include risk assessments, stronger content governance, effective reporting and response mechanisms, advertiser verification, and labelling manipulated content where appropriate.

Both codes are scheduled to take effect on 1 June 2026, with a transition period for implementation and verification processes. MCMC said a reasonable grace period will be provided for service providers to complete the verification process effectively.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.