AI & Law

🇬🇧UK ICO Highlights Rights in AI-Driven Hiring The UK Information Commissioner’s Office (ICO) outlined how automated decision-making is shaping employment opportunities, noting that over 70% of organizations plan to use AI systems in hiring. The regulator emphasized that job seekers should understand their data protection rights when interacting with such technologies. According to the ICO, employers must inform applicants when AI is used in recruitment and provide the option to request human review of decisions. The authority also expects organizations to regularly test AI systems for bias and implement measures to mitigate discrimination risks. #AIRegulation#DataProtection#HiringAI#AlgorithmicBias#UKlaw

🇺🇸California Moves to Tighten AI Standards in State Procurement California Governor Gavin Newsom signed an executive order to strengthen requirements for AI companies seeking to work with the state. The order directs the development of stricter procurement standards, requiring vendors to demonstrate responsible AI policies and meet privacy and security benchmarks to prevent misuse of their technologies. The initiative contrasts with recent federal actions rolling back AI-related protections. It also expands the state’s use of generative AI in public services, including tools designed to help residents navigate government programs and benefits based on life events such as employment or starting a business. #AIRegulation#USpolicy#AIethics#PublicSectorAI#DataProtection

🇪🇺EDPS Defines Role Under the EU AI Act The European Data Protection Supervisor (EDPS) published a report outlining its responsibilities as the AI Act market authority for AI systems used by EU institutions. The document sets out priority areas for the next two years as the EDPS assumes its new supervisory role. The report details the EDPS’s tasks under the AI Act mandate, the operational context for exercising its authority, and four strategic pillars that will guide its work as a market authority. #AIRegulation#EUAIAct#DataProtection#AIgovernance#EDPS

🇭🇰Hong Kong Regulator Flags Privacy Risks in Agentic AI Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) issued an alert highlighting privacy concerns related to agentic AI tools. The regulator pointed to risks arising from these systems’ ability to access files and process personal data as part of their autonomous operations. The PCPD advises users to continuously assess risks and closely monitor any requests by agentic AI to perform high-risk actions. Where decisions may significantly affect individuals, the authority recommends adopting a human-in-the-loop approach to retain final control over decision-making. #AIRegulation#Privacy#DataProtection#AIethics#HongKong

📖The Confidentiality Gap in Consumer AI A new academic study, “You Trust Your Chatbot With Everything. Should You?”, compares five major consumer chatbots (ChatGPT, Gemini, Claude, Grok and DeepSeek) and maps the gap between the confidentiality users expect and what platforms actually provide. The findings are structural rather than scandalous: consumer chats are typically used for model training by default, can be reviewed by human annotators, may feed advertising personalization, and often flow through a complex operational supply chain. As chatbots evolve into persistent assistants with memory and long-term personalization, conversations increasingly contain detailed narratives about health, finances, relationships, and legal concerns — disclosures far deeper than typical search queries. The study argues that current safeguards rely primarily on policy promises and interface warnings rather than architectural guarantees. Its central proposal is “Sealed Mode” — a privacy-by-design pathway for sensitive topics such as health or wellbeing, where conversations would not be used for training, would avoid advertising and cross-service sharing, would limit human access, and would follow strict retention rules. T #AIgovernance#AIprivacy#AIlaw#DataProtection#ResponsibleAI

🇫🇷France Pilots AI Auditing Tool for GDPR Compliance French digital agencies are recruiting participants for the pilot of an AI auditing tool designed to support compliance with the EU General Data Protection Regulation. The initiative, known as the PANAME project, was announced in June 2025 to enable efficient and cost-effective technical tests that extract information from AI training data—capabilities organizations may need to assess an AI model’s status under GDPR requirements. The pilot is open to both public and private entities, with registration closing on 28 March. By operationalizing technical scrutiny of training datasets, the project moves GDPR enforcement from abstract obligations toward verifiable testing mechanisms embedded in the AI lifecycle. This effort signals a shift in regulatory practice: compliance is being engineered into tooling rather than left solely to documentation and legal interpretation. Auditable evidence about training data may become a central currency in demonstrating lawful AI deployment. #AIRegulation#GDPR#DataProtection#AIGovernance#ResponsibleAI

🌐Global Privacy Regulators Unite Against Nonconsensual AI Deepfakes Sixty-one data protection authorities worldwide have issued a joint statement raising concerns over the rapid spread of nonconsensual AI-generated explicit deepfakes. The coordinated action signals that privacy regulators are treating this phenomenon not as an edge case of content moderation, but as a cross-border data protection and fundamental rights issue requiring aligned oversight. The authorities committed to closer cooperation and stronger enforcement, calling on platforms to engage proactively with regulators and to implement safeguards from the outset. Their expectation is explicit: technological advancement must not come at the expense of privacy, dignity, safety, or other fundamental rights. #AIRegulation#Deepfakes#DataProtection#Privacy#AIGovernance

🇳🇱Dutch Regulator Flags Open-Source AI Agents as Security Threat The Autoriteit Persoonsgegevens, the Netherlands’ data protection authority, has warned organizations against using popular open-source AI agents such as OpenClaw due to serious security risks. According to the regulator, many plug-ins built for these agents contain malware capable of triggering data breaches and enabling account takeovers. Cybersecurity professionals characterize these agents as a “Trojan horse”: once granted device access, they can extract login credentials and gain entry to cryptocurrency accounts. The warning reframes open-source AI not as a transparency advantage by default, but as a potential vector for systemic compromise when governance over extensions and permissions is weak. #AIRegulation#DataProtection#Cybersecurity

🇦🇪DIFC to Enforce AI-Specific Obligations Under Regulation 10 Starting January 2026, the Dubai International Financial Centre (DIFC) will actively enforce Regulation 10, which governs the use of autonomous and semi-autonomous systems processing personal data. The framework applies not only to AI providers, but critically to deployers, including organisations using third-party AI systems, shifting regulatory focus to those who benefit from and control AI-driven decisions. Regulation 10 applies to systems that autonomously process personal data, generate outputs, and operate with limited or no human intervention. Its scope is technology-neutral: rule-based systems may qualify alongside machine-learning models. Where such systems are used for “high-risk processing”, including large-scale data processing, special category data, employee monitoring, or automated decisions with significant effects, deployers must appoint an Autonomous Systems Officer and obtain certification for the specific system. Certification is mandatory for commercial high-risk use. Unlike traditional data protection rules, Regulation 10 focuses on decision-making processes across the AI lifecycle. It imposes detailed obligations on deployers and operators, including enhanced transparency about system logic, registers of autonomous processing activities, evidence of design standards, and mechanisms enabling data subject rights. Organisations that delay preparation ahead of the 1 January 2026 compliance deadline face material operational and compliance risks. #AIRegulation#DIFC#AICompliance#DataProtection

🇪🇺EDPS Launches Podcast Series on Emerging AI Trends The European Data Protection Supervisor has launched a new podcast series examining key AI trends identified in its TechSonar 2025–26 report. The six-part series focuses on how emerging AI technologies intersect with data protection, security, and fundamental rights. The first episode discusses agentic AI, with EDPS officials addressing risks for personal data protection and potential impacts on individuals’ decision-making autonomy. Upcoming episodes will cover AI companions, automated proctoring, AI-driven personalized learning, coding assistants, and confidential computing. #AIRegulation#DataProtection#EDPS#AITrends#ResponsibleAI

🇭🇰Hong Kong Issues Deepfake Protection Toolkit for Schools Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) has published guidance on the use of an AI deepfake protection toolkit aimed at schools and parents. The guidance explains common types of deepfakes and typical scenarios involving abusive deepfakes in school settings, focusing on risks faced by students. The toolkit provides practical measures for prevention and incident response, outlining the roles of schools, parents, and students. Recommended school-level safeguards include data minimization, restricting access to personal data, and implementing general data security measures to reduce exposure to deepfake misuse. The initiative frames deepfake risks as a data protection and child safety issue, reinforcing the role of privacy governance and preventive controls in educational environments as generative AI tools become more accessible. #AIandLaw#Deepfakes#DataProtection#ChildrenRights#PrivacyLaw#AIRegulation

🇨🇳China Moves to Regulate AI Companions for Emotional Interaction China’s Cyberspace Administration has released draft rules titled Interim Measures for the Administration of Humanized Interactive Services Based on Artificial Intelligence, targeting AI systems designed for emotional companionship. The proposal explicitly prohibits using AI companions to simulate relatives or personal relationships for elderly users and bars positioning such systems as substitutes for human social interaction. Providers must also ensure users are regularly reminded, at least every two hours, that they are interacting with AI, not a human. The draft introduces specific obligations for interactions with older adults, including mandatory emergency contact settings and duties to notify contacts if an elderly user faces risks to life, health, or property. Broader requirements include data encryption, fraud prevention, parental controls, protection of minors’ data, advance notice of service outages, and safeguards around mental health, emotional boundaries, and addiction risks. The use of interaction data for model training is prohibited. The proposal frames emotional AI as a category requiring heightened governance, combining safety, data protection, and value-based constraints. Public consultation on the draft rules is open until January 25. #China#AIEthics#DataProtection