SHEIN faces Irish inquiry over EU data transfers to China

Ireland’s Data Protection Commission has opened an inquiry into Infinite Styles Services Co. Ltd. (known as SHEIN Ireland), over transfers of personal data of EU and EEA users to China.

The inquiry will examine whether SHEIN Ireland has complied with its obligations under the General Data Protection Regulation in relation to those transfers. The DPC said it will assess compliance with GDPR principles on personal data processing, transparency obligations under Article 13, and Chapter V requirements governing transfers of personal data to third countries.

The regulator said its decision to begin the inquiry was issued to SHEIN Ireland at the end of April. The case comes as data transfers to China face growing regulatory scrutiny in Europe, including through recent DPC enforcement action and complaints filed with other European supervisory authorities.

Deputy Commissioner Graham Doyle said: ‘When an individual’s personal data is transferred to a country outside the EU, the GDPR requires that this personal data is afforded essentially the same protections as it would within the EU.’

He added: ‘Recent regulatory action by the DPC, together with complaints to other European supervisory authorities, has brought data transfers to China, in particular, into focus. The inquiry is an important strategic priority for the DPC and we intend to cooperate closely with our peer European Supervisory Authorities as part of the investigation.’

Under the GDPR, transfers of personal data outside the EU and EEA must meet specific safeguards so that the level of protection provided under EU law is not undermined. Where no European Commission adequacy decision exists for a third country, organisations must rely on alternative mechanisms, such as standard contractual clauses, and demonstrate that equivalent protections are in place.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Instagram pulls the plug on encrypted chats

Instagram will no longer support end-to-end encrypted chats from 8 May 2026, ending an optional privacy feature for some direct messages on the platform.

Users affected by the change are being prompted to download any messages or media from encrypted chats that they wish to keep before the feature is removed. Instagram’s help page says users may need to update the app to access or download their end-to-end encrypted chats.

End-to-end encryption allows only the people in a conversation to read messages or hear calls, with messages protected by encryption keys linked to authorised devices. On Instagram, however, encrypted chats were an optional feature rather than the default for all direct messages.

After 8 May 2026, users will no longer be able to send or receive end-to-end encrypted messages or calls on Instagram. The help page also notes that users can still report messages from encrypted chats and that shared content may still be forwarded outside an encrypted conversation.

The change marks a rollback of a privacy feature on one of Meta’s major social platforms, even as end-to-end encryption remains central to debates over secure communications, platform safety and user confidentiality.

Why does it matter?

End-to-end encryption is widely seen as a core privacy protection because it limits access to message content, including by the platform itself. Its removal from Instagram encrypted chats raises questions about how major platforms prioritise privacy features, user safety, product complexity and interoperability across their messaging services.

OpenAI introduces a trusted contact safety feature in ChatGPT

OpenAI has started rolling out Trusted Contact, an optional safety feature in ChatGPT designed to help connect adult users with real-world support during moments of serious emotional distress.

The feature allows users to nominate one trusted adult, such as a friend, family member or caregiver, who may receive a notification if OpenAI’s automated systems and trained reviewers detect that the user may have discussed self-harm in a way that indicates a serious safety concern.

OpenAI said the feature is intended to add another layer of support alongside existing safeguards in ChatGPT, including prompts that encourage users to contact crisis hotlines, emergency services, mental health professionals, or trusted people when appropriate. The company stressed that Trusted Contact does not replace professional care or crisis services.

Users can add a trusted contact through ChatGPT settings. The contact receives an invitation explaining the role and must accept it within one week before the feature becomes active. Users can later edit or remove their trusted contact, while the trusted contact can also remove themselves.

If ChatGPT detects a possible serious self-harm concern, the user is informed that their trusted contact may be notified and is encouraged to reach out directly. A small team of specially trained reviewers then assesses the situation before any notification is sent.

OpenAI said notifications are intentionally limited and do not include chat details or transcripts. Instead, they share the general reason that self-harm came up in a potentially concerning way and encourage the trusted contact to check in. The company said every notification undergoes human review and that it aims to review safety notifications in under one hour.

The feature was developed with guidance from clinicians, researchers and organisations specialising in mental health and suicide prevention, including the American Psychological Association. OpenAI said Trusted Contact forms part of broader efforts to improve how AI systems respond to people experiencing distress and connect them with real-world care, relationships and resources.

Why does it matter?

Trusted Contact points to a broader shift in AI safety away from content moderation alone toward real-world support mechanisms for users in moments of vulnerability. As conversational AI systems become part of everyday personal reflection and emotional support, companies face growing pressure to define when and how they should intervene, how much privacy to preserve, and what role human review should play in high-risk situations.

European Central Bank moves forward with digital euro technical work

The European Central Bank is advancing technical work on the digital euro, a proposed electronic form of central bank money designed to complement cash in an increasingly digital payments landscape.

The project reflects Europe’s response to the rapid shift towards digital payments, where cards, apps and mobile wallets are increasingly used for everyday transactions. The ECB says a digital euro would provide a European payment option that could be used across the euro area, both online and offline.

Users would be able to store digital euro holdings in an account set up with a bank or public intermediary and use them for in-store, online and person-to-person payments. The ECB says the system would aim to combine the convenience of digital payments with features associated with cash, including offline functionality.

Policy objectives include strengthening Europe’s strategic autonomy in payments, supporting monetary sovereignty and ensuring access to public money in digital form. The ECB has also presented privacy as a central design feature, saying offline digital euro payments would offer cash-like privacy, with transaction details known only to the payer and the recipient.

The project remains conditional on the EU legislative process. The ECB aims to be technically ready for a potential first issuance of the digital euro in 2029, assuming the necessary EU legislation is adopted in 2026.

Supporters view the digital euro as a way to preserve the role of central bank money in digital payments and reduce reliance on non-European payment providers. Debate continues over how to balance innovation, privacy, financial inclusion, bank intermediation and public trust.

Why does it matter?

The digital euro would shape how public money functions in a digital economy increasingly dominated by private payment platforms and international card schemes. Its significance lies not only in creating a new payment tool, but in preserving access to central bank money, supporting European payment sovereignty and setting privacy expectations for public digital infrastructure.

Its success will depend on whether the final design can offer clear benefits over existing payment options while maintaining trust, usability and strong safeguards. The project also raises broader questions about how central banks remain relevant in everyday payments without crowding out private-sector innovation or weakening the role of commercial banks.

Dutch court backs Solvinity DigiD contract despite US data access fears

The District Court of The Hague has rejected an attempt by three Dutch citizens to block the government from renewing its contract with Solvinity, the company responsible for hosting and technically managing systems linked to DigiD.

The plaintiffs argued that Solvinity’s planned acquisition by US-based IT provider Kyndryl could place sensitive data from more than 16 million DigiD users under US jurisdiction, potentially exposing it to US authorities and creating risks to critical public services such as healthcare, pensions, taxes, and unemployment systems.

Despite these concerns, the court ruled in favour of the Dutch State, allowing the agreement to proceed. Judges did not accept arguments that the deal would immediately threaten data security or justify halting the contract.

The decision leaves further scrutiny to the Investment Assessment Office, which is reviewing national security risks linked to the acquisition. The case highlights ongoing tensions around digital sovereignty and data protection in the Netherlands.

LinkedIn faces allegations over data access practices

Privacy rights group noyb has filed a complaint against LinkedIn, alleging that the platform restricts access to certain user data by placing it behind a paid Premium subscription.

The complaint centres on LinkedIn’s ‘Who’s viewed your profile’ feature, which shows users who have visited their profile. According to noyb, LinkedIn tracks profile visits and makes detailed visitor information available to Premium subscribers, while refusing to provide the same data free of charge when users submit an access request under Article 15 of the GDPR.

Noyb argues that users have the right to receive their own personal data free of charge under EU data protection rules. The organisation claims that LinkedIn has cited data protection concerns when refusing access requests, despite making similar information available through its paid subscription service.

The complaint was lodged with the Austrian Data Protection Authority and seeks enforcement action requiring LinkedIn to provide the data requested, as well as potential penalties. Noyb also questions whether LinkedIn’s tracking of profile visits complies with EU consent requirements.

LinkedIn has reportedly denied the allegations, saying it complies with applicable rules and provides relevant information in accordance with its privacy policies.

The case adds to ongoing scrutiny of how digital platforms handle data access rights in the EU, particularly when information collected about users is also used for paid services.

Why does it matter?

The complaint tests whether platforms can monetise access to information that may also fall under users’ GDPR right of access. If regulators side with noyb, the case could affect how subscription-based platforms structure premium features that involve personal data, especially when the same data is withheld from non-paying users who make formal access requests.

EESC backs revised Cybersecurity Act with warnings on ENISA and supply chains

The European Economic and Social Committee has backed the EU’s proposed revision of the Cybersecurity Act, supporting reforms to ENISA, the cybersecurity certification framework and ICT supply-chain security, while warning that the next phase of EU cyber policy must remain workable in practice.

In its opinion, the committee argues that cybersecurity and ICT supply-chain security should not be treated as narrow technical questions. Instead, it presents them as matters of economic security and geopolitical resilience, closely linked to the EU’s competitiveness, legal certainty and broader resilience.

The opinion welcomes the European Commission’s attempt to update the Cybersecurity Act and align related rules under NIS 2, particularly where the package aims to simplify compliance and reduce overlapping obligations. At the same time, the committee says that a stronger ENISA will require stronger backing. If the agency is expected to take on more responsibilities, those tasks should come with adequate resources, specialist staff and a mandatory workforce plan.

The committee also supports a single-entry point for incident reporting. It says parallel reporting requirements under NIS 2, DORA and sector-specific rules should be streamlined so that one comprehensive report can serve all relevant regulatory regimes.

On ICT supply-chain security, the opinion supports a structured EU framework for identifying key assets and addressing high-risk suppliers. However, it warns that restrictions and phase-outs should be transparent, proportionate and supported by realistic transition plans that account for replacement timelines, service continuity, costs, labour-market effects and the risk of shifting compliance burdens onto smaller firms outside the regulation’s scope.

The committee also calls for the cyber debate to address democratic resilience. A proposed amendment would give ENISA a clearer role in supporting election security, democratic resilience and public awareness of cyber threats, disinformation and safe digital behaviour.

Why does it matter?

The opinion supports a more centralised and strategic EU cybersecurity framework, but also highlights the practical risks of expanding cyber regulation faster than institutions and companies can implement it. The debate around ENISA’s mandate, incident reporting and ICT supply-chain restrictions will shape how far the EU can strengthen cyber resilience without creating fragmented obligations or disproportionate burdens for smaller firms.

Singapore Ministry of Health addresses AI-developed drugs and patient data safeguards

Singapore’s Ministry of Health has said that drugs developed with the use of AI will be subject to the same regulatory expectations as conventionally developed medicines, including requirements on quality, safety and efficacy.

The ministry made the statement in response to a parliamentary question on the regulation of AI-developed drugs, clinical trials and safeguards for patient data used in AI-related healthcare innovation.

It said the Health Sciences Authority’s approach is aligned with international regulatory principles on the responsible use of AI in drug development, including those outlined by the US Food and Drug Administration and the European Medicines Agency.

The ministry also said that patient data used for AI development is covered by existing data protection and cybersecurity safeguards, including obligations under Singapore’s Personal Data Protection Act to maintain patient confidentiality and prevent data leakage.

Authorities will continue to monitor developments in AI-related healthcare innovation and strengthen safeguards where necessary.

Why does it matter?

The response signals that Singapore is not creating a separate, lighter pathway for AI-developed medicines, but is applying existing drug safety standards while monitoring how AI changes research, development and clinical use. The issue is relevant for digital health governance because AI in drug development depends not only on regulatory approval of final products, but also on the protection of patient data used to train, test or validate health-related AI systems.

French CNIL hosts global privacy talks in Paris

The French Commission Nationale de l’Informatique et des Libertés will host the G7 roundtable of data protection and privacy authorities in June 2026. The meeting aims to strengthen international cooperation amid rapid digital and AI developments.

The roundtable, created in 2021, brings together data protection authorities from G7 countries and the EU. It focuses on sharing legal and technological developments and encouraging coordinated approaches to common challenges.

Key areas of work for 2026 include emerging technologies, enforcement cooperation and the free flow of data. The discussions are expected to address growing concerns about data protection amid expanding AI use.

The CNIL stated that the French presidency will prioritise dialogue and practical cooperation, aiming to support global governance that respects fundamental rights, and that the event will take place in Paris.

OpenAI found non-compliant in Canadian ChatGPT privacy probe

Canada’s federal and provincial privacy regulators have found that aspects of OpenAI’s collection, use, and disclosure of personal information through ChatGPT did not comply with applicable private-sector privacy laws, particularly in relation to model training on publicly accessible online data and user interactions.

The joint investigation was conducted by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, and the privacy commissioners of British Columbia and Alberta.

It examined OpenAI’s GPT-3.5 and GPT-4 models as used in ChatGPT, focusing on whether the company’s handling of personal information from public internet sources, licensed third-party datasets, and user interactions met legal requirements on appropriate purposes, consent, transparency, accuracy, access, retention, and accountability.

The regulators accepted that OpenAI’s overall purposes for developing and deploying ChatGPT were legitimate and appropriate. However, they found that the company’s initial collection of personal information from publicly accessible websites and licensed third-party sources for model training was overbroad and therefore inappropriate, given the scale, sensitivity, and potential inaccuracy of the data involved, as well as the limits of the mitigation measures in place at the time.

The Offices also found that OpenAI failed to obtain valid consent to collect and use personal information from public internet sources to train its models. They concluded that implied consent was not sufficient because the data could include sensitive personal information and because individuals would not reasonably have expected information about them posted online to be scraped and used for AI model training in this way.

On user interactions with ChatGPT, the regulators accepted that using some chat data for model improvement could serve OpenAI’s legitimate purposes. Still, they found that express consent should have been obtained.

They said OpenAI’s safeguards at the time were not strong enough to ensure that sensitive personal information would not be included in training data, and that many users would not reasonably have understood that their conversations could be used to train models or reviewed by human trainers.

The report also found that OpenAI should have obtained express consent for certain disclosures of personal information through ChatGPT outputs, especially where the information was sensitive or fell outside individuals’ reasonable expectations.

While OpenAI had introduced measures to reduce the risk of sensitive disclosures, the regulators said those measures covered a narrower set of information than the broader categories of personal information protected under the relevant privacy laws.
