Privacy and data protection

EDPB approves global extension of Europrivacy certification

The European Centre for Certification and Privacy announced that the European Data Protection Board (EDPB) has approved the extension of the Europrivacy certification scheme beyond Europe. Organisations worldwide that are subject to the General Data Protection Regulation (GDPR) will now be able to seek Europrivacy certification.

The Centre also announced approval of a specific version of the certification criteria for use as a safeguard mechanism for international data transfers. The measure is intended to support organisations outside the EEA in demonstrating compliance when handling transferred personal data.

According to the organisation, the decisions are intended to strengthen legal certainty, support trusted cross-border data flows and provide an additional compliance mechanism based on independent assessments and regular audits.

The decisions represent a significant step towards broader adoption of data protection certification mechanisms at the international level. The announcement follows recent EDPB approvals and reflects the growing role of certification mechanisms in international data governance and cross-border data transfers across the EU.

Why does it matter?

Certification mechanisms are becoming an increasingly important part of international data governance, particularly as organisations seek to demonstrate compliance with GDPR requirements across jurisdictions.

The expansion of Europrivacy beyond Europe and its use in international data transfers could provide organisations with an additional tool for demonstrating accountability, supporting cross-border data flows and navigating evolving data protection obligations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

IWF and CaseScan partner to strengthen the detection of child abuse material

The Internet Watch Foundation has announced a new partnership with CaseScan aimed at improving the detection and identification of child sexual abuse material online.

CaseScan, a specialist technology company supporting child protection investigations and digital safety work, has joined the IWF as a member. The company develops tools that help specialist teams identify, classify, and prioritise illegal material more efficiently, reducing manual workloads and supporting faster responses when criminal content is found.

Through its membership, CaseScan will be able to draw on IWF intelligence and services to strengthen how it helps approved clients detect child sexual abuse material. The IWF said the collaboration will support faster identification of criminal content.

The partnership comes amid a rapidly evolving online threat landscape. According to the IWF’s 2025 Annual Data & Insights Report, new technologies, systemic vulnerabilities, and the continued distribution of child sexual abuse material are increasing the challenges faced by investigators and online safety organisations.

CaseScan said the collaboration will strengthen its ability to support professionals working on the front line of child protection investigations. The IWF said industry partnerships are essential to disrupting the criminal distribution of abusive images and videos and preventing the repeated victimisation of children online.

Why does it matter?

The partnership shows how child safety organisations and specialist technology providers are working to improve the speed and accuracy of CSAM detection. As the volume and complexity of illegal material online grow, trusted intelligence and specialist detection tools can help investigators and approved organisations prioritise cases, reduce manual review burdens, and respond more quickly to harmful content.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

UK proposes hash-matching rules to combat intimate image abuse in search results

The UK government has published draft amendments to the Illegal Content Codes of Practice for search services under the Online Safety Act, proposing new measures to help detect intimate image abuse content. The amendments, published on 1 June, would add a recommended measure for large general search services to use hash-matching technology to detect intimate-image abuse content.

According to the draft, Ofcom prepared the amendments under section 41 of the Online Safety Act and submitted them to the Secretary of State on 15 May. The document was presented to Parliament under section 43 of the Act and is due to lie before both Houses for 40 days.

The proposed measure, designated ICS C8, would apply to providers of large general search services. The measure recommends the use of perceptual hash matching to identify known intimate image abuse content, or cryptographic hash matching where perceptual matching is not supported by the provider’s hash database.

Under the proposal, content matching an unverified hash for the first time would be treated as potentially illegal and subjected to review under Ofcom’s search moderation procedures. Other matches may be treated as illegal content or reviewed as suspected video and image abuse, depending on the provider’s assurance in the detection outcomes.

The amendments also set expectations for human moderator review, regular updates to hash databases, removal of hashes found not to relate to intimate image abuse content, and reviews of precision and recall at least every six months. Ofcom said the proposed measure includes safeguards intended to protect freedom of expression and privacy rights while supporting the detection of illegal content.

Why does it matter?

The proposal reflects growing efforts by regulators to address the spread of non-consensual intimate imagery, including AI-generated content, through proactive detection and moderation measures.

By encouraging the use of hash-matching technologies, UK authorities aim to reduce the repeated circulation of known abusive material while maintaining safeguards for privacy and freedom of expression.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU welcomes G7 adoption of online child protection principles

The European Commission has welcomed a new agreement by G7 digital and technology ministers on a shared set of principles aimed at improving online safety for children and teenagers. The principles reflect approaches already present in several EU initiatives, including measures focused on online safety, digital literacy and the protection of minors.

The principles build on existing EU measures, including the Digital Services Act, the Better Internet for Kids Strategy and the AI Act. They focus on improving online safety while safeguarding privacy, fundamental rights and access to digital opportunities.

The framework promotes safety-by-design measures, privacy-conscious age assurance tools, stronger protections against harmful and illegal content, parental controls, and digital literacy initiatives. It also promotes greater cooperation between technology companies, researchers, governments and civil society organisations.

Why does it matter?

Governments are increasingly examining how digital platforms, recommendation systems and generative AI tools affect children’s wellbeing, privacy and online experiences. Concerns about harmful content, exploitation and age-inappropriate services have prompted policymakers worldwide to explore new approaches to online child protection.

The G7 agreement signals growing international convergence around child safety principles, while emphasising the need to balance protection measures with privacy, fundamental rights and access to digital opportunities.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Finland proposes rules for EU Cyber Resilience Act

The Finnish Government has proposed the approval of national provisions supplementing the EU Cyber Resilience Act, which sets cybersecurity requirements for products with digital elements.

The legislation will enter into force on 1 June 2026, with phased application aligned with the Cyber Resilience Act’s transitional periods during 2026 and 2027. The aim is to improve the cybersecurity of connected devices and software placed on the EU market.

The Cyber Resilience Act will be supplemented in Finland by a new national act on the cyber resilience of certain products and cybersecurity certification. The act covers supervision of product-related obligations, notification of conformity assessment bodies under the Cyber Resilience Act, administrative sanctions, and national provisions linked to the EU cybersecurity certification.

Market surveillance under the Cyber Resilience Act, along with the designation and supervision of notified bodies, will be assigned to the Finnish Transport and Communications Agency, Traficom. Market surveillance of high-risk AI systems will be carried out by the authorities responsible for supervising compliance with the AI Act, depending on the sector.

Conformity assessment bodies will be able to apply to Traficom from 11 June 2026 to be notified for assessment tasks under the Cyber Resilience Act. Bodies notified by Finland will be able to carry out conformity assessments across the EU member states within their area of competence.

Finland will also add a new chapter to the Act on Electronic Communications Services concerning the collection and disclosure of domain name registration data under the NIS2 Directive. The obligations will extend beyond .fi and .ax domains where the registrar or top-level domain registry is located in Finland, after a three-month transitional period.

The Government said the domain name provisions will complement Finland’s national implementation of NIS2 and improve the availability of registration data, making it easier to tackle illegal activity online.

Why does it matter?

Finland’s legislation shows how EU cybersecurity rules are being translated into national enforcement structures. The Cyber Resilience Act sets product security obligations at the EU level, but member states still need national provisions for supervision, notified bodies, sanctions, and certification. The added NIS2 domain registration rules also show how cybersecurity implementation is expanding beyond products into online infrastructure and data availability for enforcement.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Amnesty International warns that AI models are built on privacy violations

Amnesty International has warned that major generative AI systems are powered by large-scale data pipelines rooted in mass invasions of privacy.

In a new briefing, ‘Unlawful by Design: Exposing the Human Rights Costs of Generative AI’, the organisation argues that companies developing generative AI tools rely on unlawful web scraping to collect vast amounts of online data, including personal information, often without the explicit consent of the people who created or appear in it.

The briefing examines models powering widely used standalone generative AI tools, including OpenAI’s GPT-3, Google’s Gemini, Meta’s Llama, DeepSeek, and tools by Midjourney and Stable Diffusion. Amnesty says the design choices behind these systems create systemic human rights risks, particularly around privacy, discrimination, freedom of thought, and environmental harms.

Amnesty argues that large-scale scraping and processing of online posts, images, and other personal data infringes privacy by design. It also warns that training datasets drawn from the open web can reproduce and amplify discriminatory content, stereotypes, and prejudices, especially along racial and gender lines.

The organisation also highlights the environmental costs of generative AI development, pointing to rising demand for energy-intensive chips, data centres, electricity, and water. It says AI infrastructure can negatively affect historically marginalised communities when land and resources are used to build and operate data centres.

Amnesty said it wrote to Google, OpenAI, Meta, Stability AI, Midjourney, DeepSeek, Intel, VMware, Microsoft, and Amazon about the findings and related human rights concerns. At the time of publication, it said Microsoft, Amazon, Intel, OpenAI, and Meta had responded.

The organisation is calling on states to prohibit standalone generative AI systems built using unlawful web scraping and to hold companies accountable for human rights abuses linked to the design and deployment of AI systems.

Why does it matter?

The briefing adds a strong human rights framing to the debate over the training data for generative AI. Instead of focusing only on copyright or competition, Amnesty argues that large-scale scraping of personal data raises privacy, discrimination, freedom of thought, and environmental concerns. Its recommendations would significantly raise the stakes for AI developers by treating non-consensual data extraction as a human rights issue requiring regulatory intervention.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Microsoft expands protections against AI-generated intimate imagery

Microsoft has announced new measures aimed at combating non-consensual intimate imagery (NCII), including both authentic and AI-generated content. The company says the changes are designed to make reporting easier for victims, improve detection of harmful content, and strengthen enforcement across Microsoft services.

The initiative comes as the US’s new Take It Down Act enters into force, creating additional legal protections against the distribution of intimate images without consent. Microsoft said both synthetic and authentic NCII can cause significant harm and should be addressed through a unified response.

As part of the update, Microsoft has introduced a redesigned reporting process that allows users to report both real and AI-generated intimate imagery through a simplified global reporting system. The company has also expanded its use of StopNCII.org technology, which creates privacy-preserving digital fingerprints of images to help identify and remove known abusive content across platforms.

Microsoft is further extending the use of validated StopNCII.org hashes across consumer services, including Teams Free, OneDrive and Xbox. The company says it will combine automated detection systems with human review processes while maintaining appeal mechanisms for users affected by moderation decisions.

The company also highlighted broader cooperation with governments, regulators and civil society groups. Microsoft expressed support for the US Take It Down Act, welcomed European efforts targeting AI-powered ‘nudification’ applications, and pointed to upcoming UK Online Safety Act requirements addressing illegal intimate imagery harms.

Why does it matter?

Advances in generative AI have made it easier to create realistic synthetic images, prompting governments and technology companies to strengthen measures against image-based abuse. The announcement reflects a broader trend toward treating AI-generated intimate imagery and authentic non-consensual content under similar safety, moderation and legal frameworks.

The move also highlights growing cooperation between technology companies, regulators and civil society organisations as policymakers develop new approaches to addressing AI-enabled harms online.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Australian privacy concerns rise as trust in AI companies falls

The Office of the Australian Information Commissioner has released a major survey showing that privacy concerns are rising across Australia, while public trust in AI companies and social media remains extremely low.

The Australian Community Attitudes to Privacy Survey, conducted every three years, found that 87% of respondents are more concerned about privacy than they were five years ago. The survey examines Australians’ privacy attitudes and experiences, including how recent events have shaped public expectations.

Trust was especially low for emerging and data-intensive sectors. Only 4% of respondents said they trusted AI companies, while 3% said the same for social media. Trust also declined across the insurance, telecommunications, technology, retail, and real estate sectors, while remaining highest for health service providers and Australian Government agencies.

Launching the report at the Data Privacy & Consumer Protection Summit 2026, Australian Privacy Commissioner Carly Kind said Australians’ expectations about privacy continue to sharpen as the information ecosystem becomes more complex, data-intensive, and difficult to navigate.

The OAIC said privacy complaints have increased by 73% year to date. Kind said trust is uneven across sectors and that wariness of emerging technologies is increasing, particularly around fairness, accountability, and the practical ability to exercise rights.

The survey also found that 68% of Australians would be more likely to use digital services requiring personal information if they knew their data was handled fairly and responsibly. Another 92% said data collection could be acceptable under certain conditions, including a clear purpose, consent or opt-in, limited collection, and the ability to opt out of non-essential data collection.

Kind said Australians want greater transparency in understanding their privacy rights and how their information is used, adding that improving transparency would help safeguard a healthy, informed, and vibrant democracy.

Why does it matter?

The survey shows that trust is becoming a central barrier to digital adoption, especially for AI and social media services. While Australians are willing to share data under fair and transparent conditions, the very low levels of trust in AI companies suggest that privacy, accountability, and explainability will be critical for public acceptance of emerging technologies.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Papua New Guinea advances digital ID law

Papua New Guinea’s Ministry of Information and Communications Technology has begun drafting instructions and a proposed bill for digital identity and verifiable credentials legislation following the endorsement of the National Digital ID Policy.

ICT Minister Peter Tsiamalili Jr said the process marks a step towards a legal framework that will allow citizens to identify themselves securely and access trusted digital services.

The proposed legislation will support the national rollout of SevisPass, SevisWallet, SevisDEx, and other approved verifiable credentials. SevisWallet will allow citizens to register, hold, and present trusted digital credentials, while SevisDEx will enable secure, consent-based data exchange.

Tsiamalili said the government is moving from policy to implementation. He said SevisPass will verify identity, SevisWallet will hold and present trusted credentials, and SevisDEx will support secure data exchange based on user consent.

The minister urged banks, financial institutions, mobile network operators, telecommunications providers, government agencies, education institutions, and professional bodies to work with NICTA and the Department of ICT to complete technical, regulatory, and operational readiness by the end of July 2026.

The readiness process is intended to support electronic know-your-customer checks, SIM registration, secure onboarding, financial inclusion, and digital verification of credentials such as driver’s licences, police clearances, student and teacher IDs, education certificates, tax identification numbers, and superannuation records.

The ministry said relevant agencies, issuers, verifiers, and relying partners should align their systems and compliance pathways to support the rollout by July 2026.

Why does it matter?

Papua New Guinea’s move shows how digital identity systems are becoming foundational infrastructure for public services, financial inclusion, telecoms compliance, education records, and private-sector verification. By linking SevisPass, SevisWallet, and SevisDEx to verifiable credentials and consent-based data exchange, the planned law could shape how identity, trust, and interoperability are built into the country’s digital economy.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EuroDIG 2026 debate strengthens Council of Europe digital governance push

The Council of Europe participated in EuroDIG 2026 in Brussels, contributing to discussions on digital governance, democracy, trustworthy AI, platform accountability, and the digital public sphere.

The European Dialogue on Internet Governance took place on 26 and 27 May, bringing together governments, businesses, civil society, academia, the technical community, and other stakeholders to exchange views on internet governance.

The Council of Europe participated under its New Democratic Pact for Europe, a year-long consultation focused on democratic backsliding and digital governance. The consultation covers issues including AI, data protection, media and information society, cybercrime, online discrimination and gender-based violence, digitalisation of justice, legal education, internet governance, and youth participation.

At the opening session, Claudia Luciani, Director of the Congress of Local and Regional Authorities, said democratic safeguards are critical for the integrity and functioning of Europe’s digital public sphere. She highlighted risks linked to disinformation, information bubbles, and foreign interference and manipulation campaigns.

The Council of Europe also co-organised a debate on trustworthy AI in public services, focusing on transparency, accountability, explainability, and crisis-resilient communication when automated decision-making and AI systems are used in public administration.

Another Council of Europe co-organised session addressed platform accountability and the need to strengthen the digital public sphere. Participants discussed how engagement-driven platform design, generative AI, and synthetic media can contribute to disinformation, hate speech, and other harms, and how governance frameworks could empower users as active citizens.

The Council of Europe’s European Commission for the Efficiency of Justice and its HELP programme also organised a session on how the use of AI in justice systems is changing legal professionals’ training needs.

EuroDIG 2026 was hosted by EURid, the .eu domain name registry, and supported by the European Commission.

The event was held under the theme ‘European voices for the future of the internet – celebrating 20 years of .eu and the beginning of a new internet governance era’.

Why does it matter?

The Council of Europe’s participation in EuroDIG shows how digital governance is being folded into broader debates on democratic resilience. Its focus on trustworthy AI in public services, platform accountability, synthetic media, online discrimination, and AI in justice systems reflects a broader policy shift: digital governance is increasingly treated as part of Europe’s democracy, human rights, and rule-of-law agenda, rather than solely as a technology issue.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.