IAPP RESEARCH
Digital sovereignty through the prism of global law
Global jurisdictions are embarking on their respective paths to achieve digital sovereignty goals. However, the most common approach toward sovereignty is deliberate action through laws, regulations and policies. IAPP Westin Fellow William Simpson, AIGP, CIPP/US, examines how law and policy initiatives provide "a helpful framework for comparing sovereign motivations and projecting future policy efforts to remain competitive and secure." The analysis is accompanied by an infographic depicting how sovereignty appears through various law and policy instruments. (IAPP member exclusive.)
IAPP NEWS
OpenAI grants European Commission access to new model as EU considers frontier AI cybersecurity risks
Against the backdrop of uncertainty in the EU over gaining access to Anthropic's Claude Mythos AI model, OpenAI has offered the European Commission access to its latest AI model, which purports to be similarly able to discover cybersecurity vulnerabilities. During a 6 May hearing before the European Parliament's Committee on the Internal Market and Consumer Protection, officials from the European Commission, the EU AI Office and the European Union Agency for Cybersecurity discussed the cyber risks posed by frontier AI models, as well as the opportunities to harness them for defensive purposes. IAPP Staff Writer Alex LaCasse reports.
ENFORCEMENT—EU
Ride-hailing app assessed 100M euro data transfer fine
Data protection authorities from Finland, the Netherlands and Norway fined taxi app Yango 100 million euros for allegedly violating the EU General Data Protection Regulation by transferring user data to Russia. The DPAs alleged Yango did not ensure data transferred to Russia was protected with adequate safeguards. Finnish Information Commissioner Anu Talus said organizations "operating in the EU must ensure strong protection for personal data by complying with EU data protection rules. Personal data cannot be transferred outside the EU if its security cannot be ensured."
Sponsored Content
Live webinar — Privacy by design in the coding agent era: Detecting risk before it grows
AI coding agents have increased the speed and volume of code changes — meaning more code goes live faster, with less review. For privacy teams, that means more data processing changes going live before anyone reviews them. Join this webinar to learn how privacy risks start in code and how to detect them in your codebase before they go live.
LAW & REGULATION—U.S.
Colorado General Assembly approves AI Act reforms
According to Troutman Pepper Locke, the Colorado General Assembly advanced amendments to the state's AI Act, which now await enactment by the governor. Senate Bill 189 notably makes provisional changes to shift the previous risk-based framework to one that focuses on disclosure and transparency requirements. The updates removed the duty of care along with risk management and impact assessment requirements. Also, the law's original 30 June effective date was delayed to 1 Jan. 2027.
CHILDREN'S ONLINE SAFETY—EU
Von der Leyen says EU Digital Fairness Act will address children's social media restrictions
European Commission President Ursula von der Leyen said the upcoming Digital Fairness Act will likely include rules to prevent addictive design patterns on social platforms, Reuters reports. The DFA could introduce limitations on features that could impact children's mental health and implement age restrictions for social platforms. Meanwhile, Politico reports von der Leyen and former U.S. Secretary of State Hillary Clinton are expected to support the Youth AI Safety Institute, which aims to assess the safety of AI tools for underage users.
ENFORCEMENT—SOUTH KOREA
South Korea's PIPC to increase data breach enforcement measures
South Korea's Personal Information Protection Commission announced it will look into the data processing standards of public and high-risk systems as part of its Plan for Transition to a Prevention-Oriented Personal Information Management System. The plan includes increased fines of up to 10% of company revenue for serious data breaches and repeat offenders, and updated incentives for companies to voluntarily increase spending on data security infrastructure.
Sponsored Content
Global AI Law and Policy Tracker
Countries worldwide are designing and implementing AI governance, including comprehensive legislation, focused legislation for specific use cases, national AI strategies or policies and voluntary guidelines and standards. The IAPP Global AI Law and Policy Tracker identifies AI legislative and policy developments in a subset of jurisdictions, with brief commentary on the broader AI context and related developments, while identifying laws or policies in parallel professions like privacy.
ENFORCEMENT—U.S.
Texas attorney general announces ACR settlement, new Netflix privacy lawsuit
Texas Attorney General Ken Paxton announced a settlement with LG Electronics over the company's alleged use of automated content recognition technology to collect user viewing data without consent. In the settlement, LG agreed to provide a way for users to opt out of data collection and update its transparency standards around how the data is used. Meanwhile, Paxton filed a lawsuit against Netflix for allegedly sharing consumer behavioral data without consent. Paxton claimed Netflix "has built a surveillance program designed to illegally collect and profit from Texans' personal data without their consent, and my office will do everything in our power to stop it." Editor's note: IAPP Staff Writer Lexie White previously reported on the Texas attorney general's ACR lawsuits.
REGULATORY GUIDANCE—U.S.
FTC urges companies to comply with the TAKE IT DOWN Act
U.S. Federal Trade Commission Chairman Andrew Ferguson sent a letter to Amazon, Alphabet, Apple, Automattic, Bumble, Discord, Match Group, Meta, Microsoft, Pinterest, Reddit, SmugMug, Snapchat, TikTok and the social platform X to remind them to comply with the TAKE IT DOWN Act by 19 May. Ferguson said the FTC is ready to begin enforcement of the law, noting "protecting the vulnerable — especially children — from this harmful abuse is a top priority for this agency and this administration." Editor's note: IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, unpacked the TAKE IT DOWN Act's provisions.
LITIGATION & CASE LAW—U.S.
Lawsuits against OpenAI highlight chatbot legal concerns
Elon Musk's lawsuit against OpenAI included AI chatbot conversations from OpenAI President Greg Brockman, raising concerns that individuals' AI conversations could be used against them, Axios reports. Meanwhile, NBC News reports OpenAI is facing a lawsuit from the family of a victim of a mass shooting at Florida State University after the family claimed OpenAI helped the shooter plan the attack. The lawsuit claims the chatbot "either defectively failed to connect the dots or else was never properly designed to recognize the threat."
Sponsored Content
Organizational Digital Governance Report 2025
Digital organizational governance is no longer siloed within the privacy domain. The IAPP "Organizational Digital Governance Report 2025" features insights gleaned from a survey of more than 600 respondents from 45 countries and territories that sought to elicit information on the extent to which organizations are defining, designing and deploying digital governance programs.
ENFORCEMENT—INDIA
India's MeitY seeks stakeholders for data protection board
India's Ministry of Electronics and Information Technology opened applications for stakeholders to join the Data Protection Board, which aims to ensure organizational compliance with the Digital Personal Data Protection Act, Indian Television reports. MeitY is looking for a chairperson and four members to assess data breaches and ensure companies' data protection standards meet the DPDPA's compliance obligations. Editor's note: Explore the IAPP's top operational impacts of the DPDPA.
REGULATORY GUIDANCE—GERMANY
Hamburg's DPA releases guidance on the CJEU's Russmedia ruling
The Hamburg Commissioner for Data Protection and Freedom of Information released guidance detailing the Court of Justice of the European Union's recent ruling that found online services are considered controllers under the EU General Data Protection Regulation. The DPA outlined aspects of the ruling and the potential implications for social platforms. The HmbBfDI also noted "appropriate measures must be taken to prevent the further dissemination of this unlawful personal content. This must also apply to clearly identical unlawful publications within the scope of the social media platform's responsibility." Editor's note: Partner Daniel Felz, CIPP/E, detailed the CJEU's decision in the Russmedia case and its potential impact on organizations.
CYBERSECURITY
Google blocks hackers from using AI tools to exploit security vulnerabilities
Google's Threat Intelligence Group said it stopped a potential cyberattack on its systems after it found hackers were using AI tools to identify and exploit vulnerabilities, Reuters reports. Google said it believes that AI tools were going to be used against the company for a "mass exploitation event" and warned state-backed hacking groups are continuing to use AI tools to advance the potential scale of data breaches.