Summaries are AI-assisted and may contain errors — always read the original. We link to every source and never republish full articles.
PrivacySignal Actionable intelligence for privacy, AI governance & digital regulation

Top Stories

Breach
SOFX · · International

Phone Scam Exposed MSG’s Internal Dossiers on Facial Recognition Critics

A phone scam inadvertently revealed that Madison Square Garden Entertainment had compiled detailed internal dossiers on individuals who publicly criticized its facial recognition program, exposing the scope of the company's tracking of its opponents.

Why this matters: Private venues quietly building profiles on critics of their surveillance practices raises serious civil liberties concerns — chilling free speech and suggesting facial recognition programs may be paired with broader retaliatory monitoring of dissenting individuals.

Who should care: Cybersecurity · Privacy officers · Administrators · General readers · Policy

#breach#surveillance#privacy Read original →
Enforcement
The Guardian — Tech · · International

Whistleblower Sarah Wynn-Williams sues Meta over attempts to ‘silence’ her

Former Meta executive Sarah Wynn-Williams has filed a federal lawsuit in California alleging the company used an arbitration ruling to unlawfully suppress her memoir and subjected her to coercive surveillance, constituting a First Amendment violation.

Why this matters: The case raises pointed questions about corporations leveraging private arbitration to silence dissent and whether surveillance of a former employee can be weaponized to chill whistleblowing — tools with implications well beyond any single workplace dispute.

Who should care: Lawyers · Privacy officers · Compliance · Cybersecurity · General readers · Policy

#enforcement#surveillance#privacy Read original →
AI Governance
New York Times — Tech · · International

U.S. Loosens Restrictions on Anthropic’s Mythos A.I. Model

The move de-escalates a clash between the Trump administration and the company over its cutting-edge artificial intelligence systems.

Who should care: AI governance · Lawyers · Administrators · General readers · Policy

#ai-governance#ai Read original →
AI Governance
MIT Technology Review — AI · · International

Three things to watch amid Anthropic’s latest feud with the government

Anthropic has become embroiled in a dispute with the US government following the April reveal of an AI model called Mythos, raising questions about the relationship between frontier AI developers and federal authorities.

Why this matters: Tensions between a major AI lab and government actors highlight emerging questions about who controls advanced AI systems, on what terms, and whether oversight mechanisms adequately protect individuals caught between corporate and state interests.

Who should care: AI governance · Lawyers · Administrators · General readers · Policy · Privacy officers

#ai-governance#ai#privacy Read original →
AI Governance
Americans for Responsible Innovation · · International

CREATE AI Act Passes House Committee

Who should care: AI governance · Lawyers · Administrators · General readers · Policy

#ai-governance#ai Read original →
AI Governance
Politico — Tech · · International

House kids’ safety deal complicates AI talks

Keeping kids safe online has become the linchpin to getting an artificial intelligence bill done in Washington. The House and Senate can’t seem to agree on either.

Who should care: AI governance · Lawyers · Administrators · General readers · Policy

#ai-governance#ai Read original →
Breach
HIPAA Journal · · US Federal

Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit

Bradford Health Services and Bradford Health Partners have reached a settlement in litigation stemming from a December 2023 cybersecurity incident that compromised patient data held by the Alabama-based behavioral health provider network.

Why this matters: Breaches at behavioral health organizations carry heightened sensitivity, as exposed records can include mental health, substance use, and treatment details — information whose disclosure may carry lasting personal, professional, or legal consequences for affected individuals.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance · Healthcare professionals

#breach#enforcement#healthcare Read original →
Breach
HIPAA Journal · · US Federal

Hillcrest Convalescent Center Settles Class Action Data Breach Litigation

Hillcrest Convalescent Center, a skilled nursing and rehabilitation facility in Durham, North Carolina, has reached a settlement in a class action lawsuit stemming from a data breach affecting patient information.

Why this matters: Healthcare facilities hold among the most sensitive personal data — medical histories, diagnoses, and financial details — making breaches particularly consequential for vulnerable patients who had little choice but to share that information to receive care.

Who should care: Cybersecurity · Privacy officers · Administrators · Healthcare professionals · Compliance

#breach#healthcare Read original →
Breach
HIPAA Journal · · US Federal

Okanogan Behavioral Healthcare Settles Class Action Data Breach Lawsuit

Okanogan Behavioral Healthcare, a Washington-based mental and behavioral health provider, has reached a class action settlement following a data breach that exposed patient information. The settlement resolves claims brought by affected individuals whose personal and health data was compromised.

Why this matters: Breaches at behavioral health providers are particularly sensitive, as exposed data can include mental health diagnoses, treatment histories, and substance use records — information that carries stigma and potential consequences for employment, custody, or insurance if disclosed.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance · Healthcare professionals

#breach#enforcement#healthcare Read original →

AI & Society

News
BleepingComputer · · International

Clean GitHub repo tricks AI coding agents into running malware

An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious payload that remains invisible to security scanners, AI agents, and human reviewers. [...]

Who should care: General readers · AI governance · Policy

#ai#security Read original →
News
Politico — Tech · · International

Tech industry grapples with Trump’s AI about-faces

Silicon Valley billionaires backed Trump due to fears that Democrats would overregulate AI. Now the White House is restricting the release of new AI models — and tech lobbyists are cautiously searching for answers.

Who should care: General readers · AI governance · Policy

News
The Guardian — Tech · · International

OpenAI staggers AI model release after Trump administration request

Sam Altman announces limited preview of GPT 5.6 in move that echoes launch of Anthropic’s Mythos. OpenAI is staggering the release of its latest AI model after a request from the US government, in a move echoing the launch of Anthropic’s Mythos product. The company behind ChatGPT signalled its dissatisfaction with the move, saying that doing so keeps the best AI tools from “users, developers, enterprises, cyber defenders, and global partners who need them”.

Who should care: General readers · AI governance · Policy

News
Schneier on Security · · International

AI and Liability

Earlier this month, a German court ruled that Google is liable for its AI search summaries. Rejecting defenses like “users can check for themselves,” and that they generally know “that information generated with AI should not be blindly trusted,” the court held that the AI’s summaries are reflections of the company and “above all an expression of Google’s business activities.” This is the latest skirmish in a decades-old battle over internet publishing. Historically, there were two different types of information distributors: carriers and publis…

Who should care: General readers · AI governance · Policy

Healthcare
EDPS · · EU

Newsletter Digest - news from the EDPS

The European Data Protection Supervisor has released a newsletter covering four priority areas: the European Commission's Digital Omnibus legislative debate, cross-border health data protection, privacy safeguards for the EU Visa Application Platform's chatbot, and transparency in EU funding.

Why this matters: The topics signal active regulatory scrutiny over sensitive data flows — health records, visa applications, and public spending — areas where individuals' personal information intersects directly with government systems and cross-border institutional access.

Who should care: Healthcare professionals · Privacy officers · Compliance · Lawyers · AI governance · General readers · Policy

#healthcare#gdpr#ai Read original →

AI Governance

AI Governance
OECD AI Policy Observatory · · International

Designing transparency for government AI: Insights from the UK’s Algorithmic Transparency Recording Standard initiative

The UK's Algorithmic Transparency Recording Standard (ATRS) requires government bodies to publicly document how algorithmic tools are used in public-sector decision-making, aiming to improve accountability and build public trust in state AI deployments.

Why this matters: Mandatory disclosure of how government algorithms operate gives individuals meaningful insight into automated decisions that may affect their benefits, policing, or services — a baseline safeguard against opaque state power that civil liberties advocates have long sought.

Who should care: AI governance · Lawyers · Administrators · General readers · Policy · Privacy officers

#ai-governance#ai#privacy Read original →
AI Governance
The Guardian — Privacy · · International

Dynamic pay on platforms such as Uber should be banned, says TUC

The UK's Trades Union Congress is calling for a ban on algorithm-driven dynamic pay on gig platforms like Uber, arguing the practice severs the link between effort and earnings, leaving workers with unpredictable income determined by opaque automated systems.

Why this matters: When consequential decisions about people's livelihoods are delegated to undisclosed algorithms, workers lose meaningful insight into — or recourse against — the logic controlling them, raising broader questions about algorithmic transparency and individuals' right to understand systems that govern their daily lives.

Who should care: AI governance · Lawyers · Administrators · General readers · Policy · Privacy officers

#ai-governance#ai#privacy Read original →
AI Governance
coe.int · · International

Advancing data protection and AI governance in the Southern Mediterranean region

The Council of Europe is working to strengthen data protection frameworks and AI governance across Southern Mediterranean countries, signaling a push to extend rights-based digital standards beyond Europe's immediate borders.

Why this matters: Expanding robust data protection norms to regions with nascent privacy frameworks could meaningfully shield individuals from surveillance and unchecked data collection — though implementation quality and enforcement will determine whether protections are substantive or largely symbolic.

Who should care: AI governance · Lawyers · Administrators · General readers · Policy · Privacy officers

#ai-governance#ai#privacy Read original →
AI Governance
Krebs on Security · · International

Patch Tuesday, May 2026 Edition

Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers -- including Apple, Google, Microsoft, Mozilla and Oracle -- fixing near record volumes of security bugs, and/or quickening the tempo of their patch releases.

Who should care: AI governance · Lawyers · Administrators · General readers · Policy

#ai-governance#ai#security Read original →
AI Governance
OECD AI Policy Observatory · · International

The OECD AI Policy Toolkit: Better AI policies for better lives

OECD AI Policy Toolkit helps governments turn AI principles into action with practical guidance, policy examples and global insights.

Who should care: AI governance · Lawyers · Administrators · Compliance · General readers · Policy

#ai-governance#regulation#ai Read original →
AI Governance
The Guardian — Tech · · International

‘You can’t make billions without hurting people’: Cory Doctorow on Elon Musk, the AI bubble and bosses’ cruel fantasies

Author Cory Doctorow, known for coining 'enshittification,' argues in his new book that AI will fail to deliver on its core promises while simultaneously serving as a tool for managerial control over workers — a dynamic he calls the 'reverse centaur,' where humans are subordinated to algorithmic systems rather than empowered by them.

Why this matters: When algorithms set the terms of human labor — dictating pace, monitoring output, and penalizing deviation — workers surrender autonomy with little recourse. This structural shift raises broader questions about dignity, surveillance in the workplace, and who ultimately bears the costs of automated oversight.

Who should care: AI governance · Lawyers · Administrators · General readers · Policy · Privacy officers

#ai-governance#ai#privacy Read original →

Healthcare Privacy

Healthcare
Atlantic Council · · International

Balancing openness and control: Cross-border health data and AI governance in China

The Atlantic Council has examined how China is navigating the tension between enabling cross-border health data flows and maintaining state control over that data, within the context of its broader AI governance framework.

Why this matters: How China structures health data export rules shapes what personal medical information leaves its borders and under what conditions — raising questions about individual consent, data sovereignty, and whether governance frameworks prioritize state interests over personal privacy rights.

Who should care: Healthcare professionals · Privacy officers · Compliance · AI governance · Lawyers · Administrators · General readers · Policy

#healthcare#ai-governance#ai Read original →
Healthcare
The Guardian — Privacy · · International

Palantir’s access to identifiable NHS England patient data is ‘dangerous’, MPs say

Health service has given US tech firm ‘unlimited access’ to certain data to build integrated platform, according to reports. MPs have warned that an NHS decision to grant Palantir access to identifiable patient information in its plan to use AI to improve the health service is “dangerous” and will fuel public fears that data privacy is not being prioritised. NHS England has allowed staff from the US tech firm and other contractors to access patient data before it has been pseudonymised, despite internal fears of a “risk of loss of public confidence”, the Finan…

Who should care: Healthcare professionals · Privacy officers · Compliance · General readers · AI governance · Policy

#healthcare#ai Read original →
Healthcare
HIPAA Journal · · US Federal

Healthcare Report Highlights Growing Vendor Risk and Lack of Cyberattack Readiness

Cybersecurity risk is growing, and healthcare organizations are struggling to defend a rapidly increasing attack surface. AI tools are being […]

Who should care: Healthcare professionals · Privacy officers · Compliance · General readers · AI governance · Policy

#healthcare#ai Read original →
Healthcare
DataBreaches.net · · International

UK: Boy’s medical records may have been accessed inappropriately after crocodile attack at zoo

They could have — and should have — anticipated great curiosity about this particular patient’s medical records. Did they control access well enough? Emily Stevens reports: The medical records of a young boy who was attacked by a crocodile at a Cambridgeshire zoo were accessed by up to 40 members of staff. The incident took...

Who should care: Healthcare professionals · Privacy officers · Compliance

#healthcare Read original →
Healthcare
The Guardian — Privacy · · International

Shared NHS patient records could cut 20,000 A&E visits a year, ministers claim

Modernisation bill would require GPs and hospitals in England to share data, reducing errors and duplication. Sharing access to patients’ health data across NHS providers in England could result in 20,000 fewer A&E visits a year and save £20m annually, the government has claimed, before the second reading of the NHS modernisation bill on Monday. The bill, which would also abolish NHS England, sets out measures including single patient records (SPR) for every person receiving health and social care in England, requiring GPs and hospitals to securely share data as part of the government’s 10…

Who should care: Healthcare professionals · Privacy officers · Compliance

#healthcare Read original →
Healthcare
HIPAA Journal · · US Federal

Why You Don’t Need to Understand HIPAA to Make Your Small Practice HIPAA Compliant

A small practice owner who cannot define a Security Risk Analysis, has never read the HIPAA Security Rule, and does […]

Who should care: Healthcare professionals · Privacy officers · Compliance · Lawyers

#healthcare#regulation Read original →
Healthcare
The Guardian — Privacy · · International

What is the UK Biobank project and what are the privacy concerns around it?

Volunteers’ data has enabled medical breakthroughs, but there are questions over how that data is protected. With the revelation that the confidential health records of half a million British volunteers have been put up for sale on a Chinese website, we take a look at what the UK Biobank project has achieved – and why concerns have been raised.

Who should care: Healthcare professionals · Privacy officers · Compliance

#healthcare Read original →
Healthcare
HIPAA Journal · · US Federal

HIPAA Security Rule Training for Business Associates

HIPAA Business Associates that create, receive, maintain, or transmit electronic Protected Health Information on behalf of HIPAA-covered entities are directly […]

Who should care: Healthcare professionals · Privacy officers · Compliance · Lawyers

#healthcare#regulation Read original →

GDPR / International

GDPR / Intl
EDPS · · EU

Hired by an algorithm: Data protection and AI regulation in modern HR practices

The European Data Protection Board is hosting a July conference examining the growing use of AI tools in hiring and recruitment, with a focus on the data protection implications these systems raise for job applicants and employers alike.

Why this matters: Algorithmic hiring systems can collect and process extensive personal data with limited transparency, leaving candidates with little visibility into how automated decisions affect them — raising real concerns about profiling, bias, and meaningful consent in high-stakes employment contexts.

Who should care: Lawyers · Privacy officers · AI governance · Administrators · Compliance · General readers · Policy

#gdpr#ai-governance#regulation#ai#privacy Read original →
GDPR / Intl
IAPP · · International

A view from Brussels: A sneak peek into upcoming guidelines on GDPR, AI Act interplay

European regulators are preparing guidance aimed at clarifying how the GDPR and the EU AI Act interact, offering a preview of the framework that will govern personal data use within AI systems across the bloc.

Why this matters: How these two regimes are reconciled will determine the practical strength of individuals' data rights when their information is processed by AI — gaps or ambiguities in the guidance could quietly erode GDPR protections in high-stakes automated contexts.

Who should care: Lawyers · Privacy officers · AI governance · Administrators · General readers · Policy

#gdpr#ai-governance#ai Read original →
GDPR / Intl
OECD AI Policy Observatory · · International

Rethinking AI data: From scraping to sustainable and ethical data sharing

The OECD's VIADUCT initiative examines growing tensions in AI training data acquisition, questioning the sustainability of web scraping and exploring alternatives centered on ethical data-sharing frameworks that account for copyright, GDPR compliance, and equitable access.

Why this matters: A shift away from indiscriminate scraping toward consent-based data-sharing models could strengthen individuals' control over how their personal content and information fuels AI systems — a meaningful development for data rights under frameworks like GDPR.

Who should care: Lawyers · Privacy officers · AI governance · Administrators · General readers · Policy

#gdpr#ai-governance#ai Read original →
GDPR / Intl
EDPB · · EU

EDPB gets a new look: discover the new website and brand identity

Brussels, 22 June - Since its establishment in 2018, the core mission of the EDPB has been to uphold and safeguard the right to data protection. Over the years, the EDPB has played a key role in ensuring the consistent application of the GDPR across Europe, by providing guidance on key GDPR concepts and the interaction of the GDPR with other digital laws, as well as through the adoption of consistency opinions and binding decisions. The EDPB is also committed to making GDPR compliance easier for organisations and enhancing its dialogue with stakeholders. The EDPB is glad to announce today the…

Who should care: Lawyers · Privacy officers · AI governance · Compliance · General readers · Policy

#gdpr#regulation#privacy Read original →
GDPR / Intl
DataBreaches.net · · International

UK: ICO statement on ‘Edtech examined’ report

The UK Information Commissioner’s Office (ICO) has released a report titled “EdTech examined — Key Findings from Our Audits.” The ICO issued the following statement to accompany the report’s release: Today, the ICO has published ‘Edtech examined’, a new report which outlines how we have worked directly with edtech providers to review and improve data protection practices...

Who should care: Lawyers · Privacy officers · AI governance · General readers · Policy

#gdpr#privacy Read original →
GDPR / Intl
EDPS · · EU

Latest EDPS Newsletter out now

The European Data Protection Supervisor has released its latest newsletter, covering highlights from its 2025 Annual Report, guidance issued on an EU visa platform chatbot, contributions to the Digital Omnibus legislative debate, and an upcoming conference examining AI use in recruitment.

Why this matters: The EDPS's focus on AI in hiring and a visa-system chatbot signals active regulatory scrutiny of automated decision-making in high-stakes contexts — areas where individuals' rights, due process, and freedom of movement can be directly affected by opaque algorithmic systems.

Who should care: Lawyers · Privacy officers · AI governance · Administrators · General readers · Policy

#gdpr#ai-governance#ai Read original →
GDPR / Intl
EDPB · · EU

One-Stop-Shop case digest on right to object and right to erasure updated

Brussels, 25 June - The EDPB has published an update of the One-Stop-Shop (OSS) case digest on right to object and right to erasure. This project has been developed in the framework of the Support Pool of Experts programme, which aims to support cooperation among Data Protection Authorities (DPAs). Thematic one-stop-shop case digests are drafted on the basis of one-stop-shop decisions taken from the EDPB’s public register (based on Art.60 GDPR). Such case digests complement the EDPB's public register by selecting and presenting the most important decisions on a given theme and providin…

Who should care: Lawyers · Privacy officers · AI governance · General readers · Policy

#gdpr#privacy Read original →

Data Breaches

Breach
TicketNews · · International

MSG Data Breach Lawsuit Puts Dolan’s Facial Recognition/Data Fight in Spotlight

A lawsuit targeting Madison Square Garden over a data breach has drawn renewed attention to owner James Dolan's broader use of facial recognition technology and the data practices surrounding it, raising questions about how biometric information collected at venues is stored and secured.

Why this matters: The case highlights the risks individuals face when venues collect biometric data without robust safeguards — a breach doesn't just expose names or emails, but potentially immutable physical identifiers that cannot be changed if compromised.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance · General readers · Policy

#breach #enforcement #surveillance #privacy

Breach
TechCrunch — Privacy · International

Italian prosecutors confirm journalist was hacked with Paragon spyware

Italian prosecutors have confirmed that two journalists were targeted with Paragon spyware, advancing a broader national investigation into the tool's use. The identity of those who authorized or carried out the surveillance remains unknown.

Why this matters: Spyware deployed against journalists threatens press freedom and source confidentiality, creating a chilling effect on newsgathering. The unresolved question of who ordered the surveillance leaves open the possibility of state or powerful private actors targeting critical reporting with impunity.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance

#breach #enforcement #surveillance

Breach
EDPB · EU

EDPB meets with EU Commissioner McGrath and adopts common data breach notification template

The European Data Protection Board held its latest plenary session, meeting with EU Commissioner Michael McGrath to discuss shared priorities including the Digital Omnibus package, while also formally adopting a standardized template for data breach notifications across member states.

Why this matters: A unified breach notification template streamlines how individuals learn when their personal data has been compromised, potentially strengthening timely transparency. The EDPB's cautionary signal on the Digital Omnibus suggests concern that proposed regulatory changes could dilute existing data protection standards.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · AI governance · Compliance

#breach #gdpr #regulation

Breach
IAPP · International

Why data mining is functionally required after a HIPAA breach

Following a HIPAA breach, covered entities are effectively compelled to conduct extensive data mining to identify which records were exposed, assess the scope of harm, and meet regulatory notification obligations — making deep internal data analysis a practical necessity rather than an optional step.

Why this matters: The requirement to mine patient data post-breach, while protective in intent, means sensitive health information is subjected to broad internal scrutiny. How organizations scope, log, and retain that analysis introduces secondary privacy risks that HIPAA's breach framework does not fully address.

Who should care: Cybersecurity · Privacy officers · Administrators · Healthcare professionals · Compliance

#breach #healthcare

Breach
The Guardian — Privacy · International

UK Biobank has my data, but I’m not worried. I know the benefits are too great to consider pulling out | Polly Toynbee

A dataset from UK Biobank — a large longitudinal health research repository — reportedly appeared for sale on Alibaba's platform in China, prompting concern among researchers and a warning from UK Science Minister Patrick Vallance that further such attempts are anticipated. Columnist Polly Toynbee argues the research value of such studies outweighs the risks.

Why this matters: The incident illustrates that even well-governed research databases carrying sensitive, long-term health records are vulnerable to unauthorized distribution, raising questions about whether participants' informed consent extends to scenarios where their data surfaces on foreign commercial platforms beyond any regulator's reach.

Who should care: Cybersecurity · Privacy officers · Administrators · Healthcare professionals · Compliance

#breach #healthcare

Breach
FTC Consumer Protection · US Federal

FTC Gives Final Approval to Order Against Illuminate Settling Allegations It Failed to Secure Students’ Personal Data

The FTC has finalized a settlement with Illuminate Education over a data breach that exposed millions of students' personal information. The order mandates a formal security program, restrictions on how much student data the company may collect and retain, and deletion of data deemed unnecessary.

Why this matters: Students have little say in whether their schools share their data with third-party vendors, making robust regulatory enforcement a primary safeguard. The order's data minimization and deletion requirements acknowledge that limiting collection in the first place reduces exposure when security measures inevitably fall short.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance

#breach #enforcement

Breach
Information Commissioner's Office · UK

Fine of nearly £1m issued against South Staffordshire Plc and South Staffordshire Water Plc following major cyber attack and data breach

The UK's Information Commissioner's Office has levied a fine of approximately £1 million against South Staffordshire Plc and its water utility subsidiary following a significant cyberattack that resulted in a personal data breach affecting customers.

Why this matters: When critical infrastructure operators fail to secure personal data, ordinary people bear the consequences of exposed information with little recourse. Regulatory penalties signal that custodians of sensitive data face accountability, reinforcing individuals' right to expect adequate protection.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance

#breach #enforcement

Breach
EDPS · EU

Managing Shadow AI’s Hidden Data Breach Risk

The use of unauthorised AI tools that can expose personal data, create regulatory blind spots, and open security vulnerabilities. Blogpost by Wojciech Wiewiórowski, 15 June 2026.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance · General readers · AI governance · Policy

#breach #regulation #ai #security

Enforcement Actions

Enforcement
The Guardian — Privacy · International

UK information commissioner steps back amid workplace investigation

UK Information Commissioner John Edwards has temporarily stepped aside while the ICO conducts an independent internal investigation into undisclosed workplace conduct. Edwards, who heads the country's primary data protection and information rights authority, announced his cooperation via LinkedIn.

Why this matters: The voluntary recusal of the UK's chief privacy regulator creates a leadership vacuum at the body responsible for enforcing data protection rights — raising questions about continuity of oversight at a moment when both AI governance and public-sector surveillance are under active scrutiny.

Who should care: Lawyers · Privacy officers · Compliance · AI governance · General readers · Policy

#enforcement #gdpr #regulation #privacy

Enforcement
News4JAX · International

Fort Myers man sues Jax Beach police, JSO after AI facial recognition leads to wrongful arrest, lawsuit says

A Fort Myers man has filed a lawsuit against Jacksonville Beach police and the Jacksonville Sheriff's Office, alleging he was wrongfully arrested after AI-powered facial recognition technology misidentified him as a suspect.

Why this matters: The case highlights how facial recognition errors can strip individuals of liberty without reliable evidence — raising urgent Fourth Amendment and due-process concerns about law enforcement's growing reliance on algorithmic identification tools that carry documented misidentification risks.

Who should care: Lawyers · Privacy officers · Compliance · Cybersecurity · General readers · AI governance · Policy

#enforcement #surveillance #ai #privacy

Enforcement
Privacy Commissioner of Canada · Canada

News release: Privacy Commissioner of Canada investigation into the Grok chatbot and sexualized deepfakes finds companies violated privacy law

Canada's Privacy Commissioner concluded an investigation finding that companies behind the Grok chatbot violated Canadian privacy law in connection with the generation of sexualized deepfakes, marking a significant regulatory enforcement action in the AI-generated content space.

Why this matters: The ruling signals that AI systems producing non-consensual intimate imagery have concrete legal accountability under privacy frameworks — an important protection for individuals whose likenesses can be weaponized without their knowledge or consent.

Who should care: Lawyers · Privacy officers · Compliance · General readers · AI governance · Policy

#enforcement #ai #privacy

Enforcement
CNIL · EU / France

Health data: fine of 5 million euros against IQVIA

France's data protection authority CNIL has imposed a €5 million fine on IQVIA, a healthcare data and analytics company, for violations related to the handling of health data.

Why this matters: Health data ranks among the most sensitive personal information, and this enforcement action signals that regulators are willing to impose meaningful financial penalties on commercial data brokers who profit from processing it without adequate legal safeguards.

Who should care: Lawyers · Privacy officers · Compliance · Healthcare professionals

#enforcement #healthcare

Enforcement
EDPB · EU

Supporting GDPR consistency: EDPB launches dedicated form

Brussels, 24 June – The EDPB has launched a dedicated contact form for stakeholders to report possible inconsistencies in how the GDPR is interpreted across Europe. This initiative reflects the commitments set out in the EDPB Helsinki Statement on enhanced clarity, support and engagement, aimed at strengthening the dialogue with stakeholders and ensuring consistent GDPR enforcement across Europe. The new tool enables stakeholders to report alleged divergences between national positions, as well as between national positions and those of the EDPB. The EDPB will not respond to individual submis…

Who should care: Lawyers · Privacy officers · Compliance · AI governance

#enforcement #gdpr

Enforcement
Data Protection Commission · EU / Ireland

Fines

Who should care: Lawyers · Privacy officers · Compliance · General readers · Policy

#enforcement #privacy

Enforcement
FTC Consumer Protection · US Federal

FTC Begins Enforcing the TAKE IT DOWN Act

The Federal Trade Commission today began enforcing the TAKE IT DOWN Act (TIDA), a law requiring platforms, at the request of victims, to remove intimate photos or videos shared online without victims’ consent. As part of its enforcement role, the FTC has launched TakeItDown.ftc.gov, a website allowing victims and survivors to submit complaints about platforms that have failed to act on valid requests for the removal of nonconsensual intimate images. The website also accepts complaints about platforms that have failed to create a process for people to request removal of these images. “Thanks t…

Who should care: Lawyers · Privacy officers · Compliance · General readers · Policy

#enforcement #privacy

Under the Radar

Healthcare
EDPS · EU

Newsletter Digest - news from the EDPS

The European Data Protection Supervisor has released a newsletter covering four priority areas: the European Commission's Digital Omnibus legislative debate, cross-border health data protection, privacy safeguards for the EU Visa Application Platform's chatbot, and transparency in EU funding.

Why this matters: The topics signal active regulatory scrutiny over sensitive data flows — health records, visa applications, and public spending — areas where individuals' personal information intersects directly with government systems and cross-border institutional access.

Who should care: Healthcare professionals · Privacy officers · Compliance · Lawyers · AI governance · General readers · Policy

#healthcare #gdpr #ai

GDPR / Intl
EDPB · EU

One-Stop-Shop case digest on right to object and right to erasure updated

Brussels, 25 June - The EDPB has published an update of the One-Stop-Shop (OSS) case digest on right to object and right to erasure. This project has been developed in the framework of the Support Pool of Experts programme, which aims to support cooperation among Data Protection Authorities (DPAs). Thematic one-stop-shop case digests are drafted on the basis of one-stop-shop decisions taken from the EDPB’s public register (based on Art. 60 GDPR). Such case digests complement the EDPB's public register by selecting and presenting the most important decisions on a given theme and providin…

Who should care: Lawyers · Privacy officers · AI governance · General readers · Policy

#gdpr #privacy

AI Governance
OECD AI Policy Observatory · International

AI for inclusive and resilient agri-food systems: Potential ways forward

AI can strengthen food security, resilience and sustainability in agriculture. Explore key challenges and opportunities for agri-food systems.

Who should care: AI governance · Lawyers · Administrators · General readers · Policy

#ai-governance #ai

GDPR / Intl
EDPS · EU

Espresso with the EDPS: AI Literacy

What does it mean to be AI literate? And why does it matter for all of us? The first episode of our new video series "Espresso with the EDPS", by the Secretary General, is now live! (23 June 2026)

Who should care: Lawyers · Privacy officers · AI governance · General readers · Policy