Newsletter #14 - 31 March 2026

---

NicFab Newsletter

Issue 14 | 31 March 2026

Privacy, Data Protection, AI, and Cybersecurity

---

Welcome to issue 14 of the weekly newsletter dedicated to privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, you will find a curated selection of the most relevant news from the previous week, with a focus on European regulatory developments, case law, enforcement, and technological innovation.

---

ITALIAN DATA PROTECTION AUTHORITY

Significant fines and new recommendations from the Italian DPA

The Garante Privacy’s newsletter of March 26 presents four interventions of particular relevance. The most notable is a fine of over €500,000 imposed on Enel Energia for unlawful telemarketing: the company used customer data for promotional purposes without adequate consent, including through third-party companies during service-related contacts. The Authority highlighted the inadequacy of the technical and organisational measures adopted to prevent unlawful processing in re-contact procedures.

Bakeca was fined for online advertisements published without the data subjects’ consent. In the debt recovery sector, the Garante clarified that communicating debt information to the debtor’s family members is unlawful. Finally, the Global Privacy Enforcement Network investigation highlighted persistent risks for minors on websites and apps.

Key takeaways: the importance of double opt-in mechanisms, the need for robust technical and organisational measures, and heightened attention to children’s data protection in the digital environment.

Source

---

EDPB - EUROPEAN DATA PROTECTION BOARD

Case Digest on Legitimate Interest in One-Stop-Shop Procedures

The EDPB has published an analysis of One-Stop-Shop decisions relating to legitimate interest as a legal basis, prepared by external expert Dr. TJ McIntyre. The document examines how supervisory authorities apply the three-step test, offering practical examples of both positive and negative compliance across various contexts.

The publication complements the EDPB Guidelines 1/2024 on Article 6(1)(f) GDPR and includes references to Court of Justice of the EU decisions and national court rulings. It serves as a useful resource for guiding the balancing assessment between the controller’s legitimate interests and data subjects’ rights.

Source

EDPB Conference on Cross-Regulatory Cooperation

The conference on March 17, 2026, addressed the interaction between data protection and other European regulatory frameworks, including competition law, the DMA, and the DSA. Particular attention was given to the joint DMA-GDPR guidelines, an example of collaboration aimed at providing greater legal certainty for operators.

The EDPB Strategy 2024-2027 confirms the commitment to structured cross-regulatory cooperation, requiring privacy professionals to develop cross-cutting competencies to navigate effectively between complementary but distinct regulations.

Source

---

EDPS - EUROPEAN DATA PROTECTION SUPERVISOR

Newsletter Digest - Episode 19

The EDPS has published the 19th episode of its “Newsletter Digest” podcast, focusing on three developments: the practical implementation of the AI Act, new legislative proposals impacting fundamental rights, and initiatives to strengthen data protection governance within EU institutions.

The entry into force of the AI Act requires an adaptation of compliance strategies. At the same time, the strengthening of internal governance within European institutions signals ever-higher standards of accountability and transparency in data processing.

Source

---

CNIL - FRENCH AUTHORITY

Rémi STEFANINI appointed Director of Technologies, Innovation and Artificial Intelligence

The CNIL has appointed Rémi STEFANINI as the new Director of Technologies, Innovation and AI, effective April 15, 2026. A graduate of École Polytechnique and Télécom Paris, Stefanini brings experience from CSA/ARCOM, ARCEP, and the digital transition delegation at DGCCRF.

He will oversee strategic areas: the technological expertise service, the digital innovation laboratory (LINC), the economic analysis unit, and the artificial intelligence service.

Source

Children’s privacy: results of the Global Privacy Enforcement Network audit

Twenty-seven international data protection authorities conducted a coordinated audit in November 2025 on nearly 900 websites and apps aimed at children. The results show insufficient progress in protecting children’s privacy online compared to a similar audit in 2015: more services require personal data for access to features, and data sharing with third parties has increased.

Some emerging best practices, such as recommendations not to use real names and to deactivate geolocation, do not offset the overall growing risks, especially regarding age verification.

Source

Agenda of the plenary session of March 26, 2026

The CNIL plenary session agenda for March 26 includes draft decrees on the use of body-worn cameras by OFB environmental inspectors, extension of ENSAP to parliamentary staff, and authorisations for the creation of health data warehouses (CEMKA, Prométhée project).

Significant developments in sensitive sectors such as health and public security require ongoing monitoring of new regulatory provisions.

Source

---

EUROPEAN PARLIAMENT

Online child sexual abuse: voluntary detection extension rejected

The European Parliament rejected, with 311 votes against, 228 in favour, and 92 abstentions, the proposal to extend the temporary derogation from the ePrivacy Directive that allowed online service providers to detect child sexual abuse material in private communications voluntarily. The derogation will expire on April 3, 2026.

Parliament had proposed a shorter extension (until August 2027) with stronger safeguards — including protection of end-to-end encryption and limitation to previously identified material — but negotiations with the Council failed to produce an agreement. The Council considered that the restrictions introduced would have rendered the measure ineffective.

From April 3, platforms will no longer be able to rely on an explicit derogation for voluntary scanning activities. They will need to ground any such processing within the ordinary framework of the GDPR and the ePrivacy Directive, with all consequences in terms of legal basis and proportionality.

Source

Digital Omnibus on AI - Proposed amendments to the AI Act

Parliament is proceeding with the examination of the Digital Omnibus on AI, a package of amendments aimed at resolving implementation issues and reducing regulatory burdens. The IMCO and LIBE committees adopted a joint report on March 18, while the Council has already defined its negotiating mandate.

The amendments are necessary due to delays in the designation of national competent authorities and the publication of harmonised standards. The launch of trilogues will clarify the final impact on compliance requirements for high-risk AI systems.

Source

---

COUNCIL OF THE EUROPEAN UNION

Commission presentation: Digital Services Act

The Council received a presentation from the European Commission on the Digital Services Act, the regulation governing digital services and online platforms in the EU. The DSA introduces obligations on content moderation, algorithmic transparency, and systemic risk management, creating a framework that intersects with the GDPR and requires an integrated compliance approach.

The presentation to the Council signals an active institutional dialogue on the evolution of DSA implementation, relevant for anticipating possible regulatory developments.

Source

---

DIGITAL MARKETS & PLATFORM REGULATION

Commission’s preliminary findings against four pornographic platforms

The European Commission has issued preliminary findings against Pornhub, Stripchat, XNXX, and XVideos for violations of the Digital Services Act in child protection. The platforms rely exclusively on age self-declaration through a simple click, a mechanism deemed ineffective in preventing minors from accessing adult content.

If confirmed, the violations could result in fines of up to 6% of global annual turnover. The Commission is piloting an age-verification wallet in six countries as a potential privacy-preserving standard.

Source | Analysis

DSA investigation into Snapchat for grooming and child safety

The Commission has launched an investigation into Snapchat under the DSA, focusing on protecting minors from grooming and the sale of illegal products. Snapchat’s age verification system, based exclusively on self-declaration, has been described by EU officials as one of the weakest on the market.

The investigation also examines default settings that recommend minors to adult users and the handling of sales of prohibited products such as vapes, alcohol, and drugs.

Source | Analysis

Dutch court bans Grok from generating fake nude images

An Amsterdam court has ordered the AI chatbot Grok to cease generating non-consensual nude images and child sexual abuse material, with a penalty of €100,000 per day up to a maximum of €10 million. The ban, while applying only in the Netherlands, could have broader implications since Grok cannot determine users’ residence.

The case follows the generation of approximately 3 million images over 11 days before the January restrictions. It highlights the legal risks of generative AI and the need for effective geographic controls to support local compliance.

Source | Analysis

---

ARTIFICIAL INTELLIGENCE

AI Act: delayed deadlines and ban on “nudifier” apps

The European Parliament has approved amendments to the AI Act, setting new deadlines for high-risk systems: December 2027 for biometric systems and critical infrastructure, and August 2028 for those subject to sectoral legislation. An explicit ban on “nudifier” systems that generate sexually explicit content without consent has been introduced, along with provisions allowing the processing of personal data to correct AI bias, with appropriate safeguards.

AI Act deadlines: comparison before and after the Digital Omnibus

System category | Original deadline | New deadline (Omnibus)
Biometric systems, critical infrastructure, education and vocational training, justice | August 2, 2026 | December 2, 2027
Systems covered by EU sectoral legislation | August 2, 2026 | August 2, 2028
Prohibitions (banned practices, Art. 5) | February 2, 2025 | Unchanged
Obligations for general-purpose AI models (GPAI) | August 2, 2025 | Unchanged

Note: the Art. 5 prohibitions (banned practices) have not been postponed and remain fully applicable since February 2, 2025.

Source

Ban on emotion recognition in the workplace and education

The Future of Privacy Forum’s analysis examines Article 5(1)(f) of the AI Act, which prohibits emotion recognition AI systems in workplaces and educational institutions. The ban is not absolute: uses for medical and safety purposes remain permitted, and systems used in other contexts are classified as high-risk. The distinction between inference of emotions (prohibited) and inference of intentions (apparently excluded from the ban) requires particular attention in impact assessments.

Source

Political deepfakes: exponential growth and new threats

Research from the Governance and Responsible AI Lab documents over 1,000 political deepfakes catalogued since the beginning of 2025, surpassing the combined total over the previous eight years. Particularly concerning is the emergence of entirely fictitious AI avatars used for propaganda and monetisation, posing unprecedented challenges in protecting digital identity and distinguishing between real and synthetic personal data.

Source

---

CYBERSECURITY

FBI confirms hack of Director Patel’s personal email

The Iranian-linked hacking group Handala breached FBI Director Kash Patel’s personal Gmail account, publishing stolen photos and personal documents. The FBI confirmed the incident, stating that the stolen data is historical and does not contain government information. The attack is a retaliatory response to the FBI’s seizure of Handala domains and the $10 million bounty placed on group members.

The case highlights the importance of protecting executives’ personal accounts, which can become indirect attack vectors with significant reputational implications.

Source

European Commission confirms cyberattack on cloud infrastructure

The European Commission confirmed a cyberattack that compromised part of its AWS-hosted cloud infrastructure, affecting the Europa.eu platform. The attackers exfiltrated over 350 GB of data, including multiple databases, without compromising the institution’s internal systems. The incident was rapidly contained.

The case confirms a trend: attacks are targeting cloud administration credentials rather than the providers themselves, underlining the need for robust multi-factor authentication and continuous monitoring of cloud environments.

Source | Analysis

Handala intensifies operations: wiper attack against Stryker

The Handala group also struck Stryker’s Microsoft environment, wiping nearly 80,000 devices using custom wiper malware. The group uses compromised VPN credentials for initial access and legitimate encryption tools such as VeraCrypt to complicate data recovery.

The escalation highlights the importance of monitoring VPN access, implementing effective network segmentation, and preparing robust backup strategies against destructive attacks.

Cyber-trend of the week: the common thread across all three incidents is credential compromise rather than a vulnerability in the underlying infrastructure. Identity and access management (IAM) remains the most exploited weak point.

Source
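The cyber-trend note above argues that the three incidents share credential compromise rather than an infrastructure flaw, and the Commission and Stryker items recommend MFA and continuous monitoring of cloud and VPN access. As an added example (not code from the newsletter or from any of its sources), the following Python script shows what that monitoring looks like in practice: it reads CloudTrail-style audit records constructed inline, flags console logins made without MFA, flags principals whose read calls exceed a threshold inside a sliding time window (the exfiltration signature), and prioritises identities that trigger both. The record fields follow the CloudTrail format; the event names in READ_EVENTS, the thresholds, the usernames and the sample records are assumptions chosen for illustration.

```python
"""Toy detector for credential-driven cloud compromise (added example).

Reads CloudTrail-shaped JSON-lines records and raises two alert types:
  * interactive ConsoleLogin events whose MFAUsed flag is not "Yes";
  * principals whose read-style API calls exceed a threshold inside a
    sliding window, the burst pattern of bulk data exfiltration.
Sample records, usernames, thresholds and READ_EVENTS are constructed
assumptions, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Read operations that, in bulk, suggest data being pulled out (assumed set).
READ_EVENTS = {"GetObject", "ListObjects", "ExportTableToPointInTime", "Scan"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _event(name, user, when, ip, source="s3.amazonaws.com", extra=None):
    """Build one CloudTrail-shaped record (constructed sample, not real data)."""
    rec = {
        "eventTime": when.strftime(TS_FMT),
        "eventSource": source,
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
    }
    if extra:
        rec.update(extra)
    return rec


def _build_sample():
    t0 = datetime(2026, 3, 20, 8, 0, 0)
    return [
        # Normal analyst: MFA login followed by a handful of reads.
        _event("ConsoleLogin", "alice", t0, "198.51.100.4",
               source="signin.amazonaws.com",
               extra={"additionalEventData": {"MFAUsed": "Yes"}}),
        *[_event("GetObject", "alice", t0 + timedelta(minutes=5 + i), "198.51.100.4")
          for i in range(5)],
        # Admin account used from an unfamiliar address without MFA, then a
        # burst of 60 reads in five minutes: the credential-compromise pattern.
        _event("ConsoleLogin", "admin-svc", t0 + timedelta(hours=1, minutes=12),
               "203.0.113.7", source="signin.amazonaws.com",
               extra={"additionalEventData": {"MFAUsed": "No"}}),
        *[_event("GetObject", "admin-svc",
                 t0 + timedelta(hours=1, minutes=15, seconds=5 * i), "203.0.113.7")
          for i in range(60)],
    ]


# Serialised as JSON lines, the way a log shipper would hand them over.
RAW_LOG = "\n".join(json.dumps(e) for e in _build_sample())


def parse_events(raw):
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def principal(e):
    ident = e.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def event_time(e):
    return datetime.strptime(e["eventTime"], TS_FMT)


def find_logins_without_mfa(events):
    """Console logins whose MFAUsed flag is anything other than 'Yes'."""
    alerts = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("additionalEventData", {}).get("MFAUsed", "No") != "Yes":
            alerts.append({"principal": principal(e),
                           "ip": e.get("sourceIPAddress"),
                           "time": e["eventTime"]})
    return alerts


def find_bulk_reads(events, threshold=50, window=timedelta(minutes=10)):
    """Principals with at least `threshold` read calls inside any sliding window."""
    by_principal = defaultdict(list)
    for e in events:
        if e.get("eventName") in READ_EVENTS:
            by_principal[principal(e)].append(event_time(e))
    alerts = []
    for who, times in by_principal.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"principal": who, "reads_in_window": peak})
    return alerts


def analyse(raw=RAW_LOG):
    """Run both detectors and single out identities that trip both."""
    events = parse_events(raw)
    no_mfa = find_logins_without_mfa(events)
    bulk = find_bulk_reads(events)
    both = {a["principal"] for a in no_mfa} & {a["principal"] for a in bulk}
    return {"no_mfa_logins": no_mfa, "bulk_reads": bulk, "high_priority": sorted(both)}


if __name__ == "__main__":
    print(json.dumps(analyse(), indent=2))
```

On the constructed log only admin-svc is flagged: it logged in without MFA and then issued 60 reads inside a ten-minute window, whereas alice's MFA login and five reads stay below the threshold. In a real pipeline the same two functions would run over events streamed from the audit source, with the threshold tuned per role and the no-MFA alert treated as a policy violation regardless of what follows it.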

---

SCIENTIFIC RESEARCH

Selection of the most relevant papers of the week from arXiv on AI, Machine Learning, and Privacy

Privacy and Memorisation in LLMs

Alignment Whack-a-Mole: Finetuning Activates Verbatim Recall of Copyrighted Books in Large Language Models

Finetuning can reactivate verbatim memorisation of copyrighted works, bypassing RLHF alignment measures. Critical implications for assessing data leakage risks in custom models.

arXiv

Estimating near-verbatim extraction risk in language models with decoding-constrained beam search

A new methodology for quantifying near-verbatim extraction risk, overcoming limitations of standard greedy-decoding techniques. More precise tools for assessing sensitive data exposure in models.

arXiv

Differential Privacy and Side-Channels

Amplified Patch-Level Differential Privacy for Free via Random Cropping

Random cropping can probabilistically exclude localised sensitive content (faces, licence plates), providing differential privacy protection at no additional cost. A pragmatic approach for balancing model utility and personal data protection in computer vision.

arXiv

Shape and Substance: Dual-Layer Side-Channel Attacks on Local Vision-Language Models

Side-channel vulnerabilities in local VLMs with dynamic preprocessing: even on-device models do not guarantee absolute privacy, requiring specific assessments in impact analyses.

arXiv

Federated Learning and AI Security

Supercharging Federated Intelligence Retrieval

A federated RAG system combining local retrieval with server-side aggregation in a confidential computing environment. A framework for processing distributed knowledge while maintaining control over sensitive data.

arXiv

AI Security in the Foundation Model Era: A Comprehensive Survey from a Unified Perspective

A comprehensive AI security survey proposing a unified framework for understanding interdependencies between attacks and defences in foundation models. Support for designing comprehensive defences and holistic risk assessment.

arXiv

Mitigating Evasion Attacks in Fog Computing Resource Provisioning Through Proactive Hardening

Proactive hardening against evasion attacks on k-means algorithms for fog computing. Specific vulnerabilities in edge computing require dedicated risk assessments for distributed AI systems.

arXiv

---

AI ACT IN PILLS - Part 14

Article 18 - Documentation keeping

After examining quality management systems in Article 17, we continue our journey through the AI Act by analysing Article 18, which establishes obligations for documentation keeping—a fundamental aspect for ensuring traceability and regulatory compliance over time.

Obligations for providers

Article 18 requires providers of high-risk AI systems to keep, for ten years from the date the system is placed on the market or put into service: the technical documentation referred to in Article 11, the documentation concerning the quality management system under Article 17, the documentation on changes approved by notified bodies and the decisions and other documents issued by them, and the EU declaration of conformity. The same obligation binds importers and other operators that are treated as providers under Article 25, for example because they place a third-country system on the market under their own name or trademark.

The technical documentation is the one described in Annex IV: the general description of the system, detailed information on its development, monitoring, functioning and control, the description of the risk management system, the record of relevant changes made over the system’s lifecycle, and the post-market monitoring plan.

Obligations for deployers

A different regime applies to deployers (users) of high-risk systems: they must keep the automatically generated logs for at least six months, unless otherwise provided by applicable Union or national law. This distinction reflects the different levels of responsibility along the AI value chain.

Operational implications

The ten-year retention obligation poses significant organisational and technological challenges. Simple archiving is not sufficient: documentation must remain accessible, readable, and verifiable throughout the entire period, requiring appropriate technology migration and backup strategies.

Organisations will need to develop procedures for document lifecycle management, clearly identifying which documents to retain, who is responsible, and how to ensure their integrity over time. Coordination with GDPR data retention policies is essential, considering that technical documentation may contain personal data.

Sanctions

Failure to comply with documentation-keeping obligations may result in administrative fines. Article 99 of the Regulation provides for fines of up to €15 million or, if higher, up to 3% of the high-risk AI system provider’s total worldwide annual turnover for violations of high-risk AI system provider obligations.

In the next instalment, we will examine Article 19 on automatically generated logs, exploring the obligations relating to automatic logs and their role in the traceability of algorithmic decisions.

---

Advanced prompting techniques for regulatory analysis

After introducing the methodological premises of Legal Prompting, we move into the operational techniques for analysing European regulatory texts.

An effective prompt for regulatory analysis must follow a precise hierarchy: regulatory context, analysis objective, interpretive constraints, and output format. Example:

“Analyse Article 25 of the GDPR on privacy by design. CONTEXT: Implementation in an Italian fintech company. OBJECTIVE: Identify specific obligations for automated processing. CONSTRAINTS: consider only established interpretations from the Garante and the Court of Justice of the EU. OUTPUT: numbered list with regulatory references.”

Three operational principles. First, explicitly require a distinction between established regulatory provisions and open interpretive areas, because language models generate plausible, not necessarily correct, outputs. Second: always specify the limits of automated analysis — human oversight remains a deontological obligation. Third: the choice of infrastructure (local vs cloud) must be consistent with the sensitivity of the documents processed and professional secrecy obligations.

Next instalment: RAG (Retrieval-Augmented Generation) and its risks in the legal context.

For further reading:

Legal Prompting: the new frontier of AI in the legal field

---

PODCAST

The second episode of the NicFab Podcast, dedicated to Legal Prompting, delves into the methodology. Starting from the GDPR transparency obligations (Articles 13 and 14) as a universal practical case, the episode illustrates how to structure effective prompts for regulatory analysis, with references to the positions of several European authorities (Garante, CNIL, ICO, BfDI, EDPB).

Duration: approximately 10 minutes. Available on Apple Podcasts, Spotify, Amazon Music, and all major platforms.

---

FROM THE NICFAB BLOG

Protecting minors online, age verification, and digital identity: the European question remains unresolved

March 28, 2026

The Commission’s action against four major pornographic platforms reopens the European debate on age verification. But the fundamental issue is structural: the most consistent solution with privacy and proportionality requires a European ecosystem of verifiable attributes that is not yet fully operational.

Read the full article

Digital Omnibus on AI: the European Parliament adopts its negotiating position in plenary

March 27, 2026

The European Parliament adopted its position on the Digital Omnibus on AI with 569 votes in favour. Comparison of the positions of the three EU institutions, the nudifier ban, the new deadlines for high-risk AI systems, and the next steps towards trilogues.

Read the full article

AI ethics in classrooms: when principles meet law

March 26, 2026

The European Parliament publishes a briefing on the ethical dimensions of AI in classrooms. We analyse the document through the lens of the jurist, relating ethical principles to the European regulatory framework and digital competence frameworks.

Read the full article

Digital Omnibus on AI: Council and Parliament align mandates, trilogues begin

March 25, 2026

The Council adopted its general approach on March 13, 2026; IMCO and LIBE approved the final joint report on March 18. Comparative analysis of the two negotiating mandates ahead of trilogues: convergences on fixed deadlines and the ban on sexual deepfakes, divergences on the transitional period for marking and the scope of the AI Office.

Read the full article

---

Events and Meetings

EDPB conference on cross-regulatory cooperation: what we learned (March 24, 2026)

EDPB | Info

CEF-Digital Info Session: 2026 Calls (March 26, 2026)

European Commission | Info

Committee on Civil Liberties, Justice and Home Affairs (LIBE) meeting (April 8, 2026)

European Parliament | Info

Privacy Symposium (April 20, 2026)

EDPB | Info

Computers, Privacy and Data Protection - CPDP Brussels (May 19, 2026)

EDPB | Info

Nordic meeting (May 21, 2026)

EDPB | Info

Blog post: Advancing into Practice: Third Meeting of the AI Act Correspondents Network

EDPS | Info

Commission holds first meeting of Special Panel on child safety online

European Commission | Info

---

Conclusion

Two parallel developments are reshaping the perimeter of European digital protection: the intensification of GDPR enforcement and the emergence of child safety online as the focal point of regulatory action.

The Italian Garante confirms a mature enforcement approach: fines of over €500,000 against Enel Energia for unlawful telemarketing, against Bakeca for advertisements without consent, and against a company for communicating debts to family members. The EDPB case digest on legitimate interest contributes to systematising this evolution, offering a structured reading of the positions that have emerged in European supervisory practice.

At the European level, the DSA is deploying its regulatory force with remarkable speed and breadth. The Commission’s preliminary findings against four pornographic platforms and the opening of proceedings against Snapchat constitute a coordinated action on child protection. The GPEN investigation completes the picture, confirming the problem’s transnational dimension.

The failure of self-declaration mechanisms — in telemarketing as in age verification — appears to be pushing authorities towards stricter accountability standards. The EDPB conference on cross-regulatory cooperation and the joint DMA-GDPR guidelines indicate that the traditional segmentation by regulation is giving way to an integrated approach.

The cybersecurity incidents affecting the FBI Director and the European Commission this week serve as a reminder that data protection cannot be separated from information security: the vulnerability of cloud administration credentials, rather than the providers themselves, emerges as a recurring pattern.

The next frontier will be integrating these various regulatory instruments into a coherent framework. A challenge that will require both technical expertise and the ability to navigate an increasingly layered digital law landscape.

---

📧 Edited by Nicola Fabiano

Lawyer - Fabiano Law Firm

🌐 Studio Legale Fabiano:

https://www.fabiano.law

🌐 Blog:

https://www.nicfab.eu

🌐 DAPPREMO:

www.dappremo.eu

---

Supporter

https://lawandtechnology.eu/

https://caffe20.it/

https://privacykit.it/

---

To receive the newsletter directly in your inbox, subscribe at nicfab.eu

Follow our news on these channels:

Telegram → @nicfabnews
Matrix → #nicfabnews:matrix.org
Mastodon → @nicfab@fosstodon.org
Bluesky → @nicfab.eu

---

Proxied content from gemini://nicfab.eu/en/newsletteren/2026/2026-03-31-issue-14_en.gmi
