Newsletter #17 - 21 April 2026
---
NicFab Newsletter
Issue 17 | 21 April 2026
Privacy, Data Protection, AI, and Cybersecurity
---
Welcome to issue 17 of the weekly newsletter on privacy, data protection, artificial intelligence, cybersecurity, and ethics. Each Tuesday, you will find a curated selection of the most relevant news from the previous week, with a focus on European regulatory developments, case law, enforcement, and technological innovation.
---
In this issue
- ITALIAN DATA PROTECTION AUTHORITY (GARANTE)
- EDPB - EUROPEAN DATA PROTECTION BOARD
- EUROPEAN COMMISSION
- CNIL - FRENCH DATA PROTECTION AUTHORITY
- INTERNATIONAL DEVELOPMENTS
- ARTIFICIAL INTELLIGENCE
- CYBERSECURITY
- TECH & INNOVATION
- SCIENTIFIC RESEARCH
- AI Act Essentials
- Legal Prompting
- Podcast
- From the NicFab Blog
- Upcoming events
- Conclusion
---
ITALIAN DATA PROTECTION AUTHORITY (GARANTE)
Newsletter No. 546 of 15 April 2026: five topics at the heart of the Garante’s activity
The Garante’s Newsletter No. 546, published on 15 April 2026, brings together five particularly significant interventions for DPOs and compliance officers: FAQs on remote exams and courses, the €96,000 fine on Eni, the decision on the right of access to corporate email after the end of the employment relationship, the finding of unlawfulness regarding the “FaceBoarding” system at Milan Linate airport, and the opinion on the MIM’s “Ascoltami” digital service. In the paragraphs that follow, an operational summary of each strand is provided.
Source
Remote exams and courses: Garante publishes the FAQs
The FAQs clarify that universities, training bodies, and public or private entities may conduct remote exams and courses, but only within the sector’s regulatory framework and solely for the orderly conduct of the exam or of course attendance. Collecting non-pertinent data, such as candidates’ geolocation or biometric data, is not permitted, and automated analysis of participants’ behavior to identify alleged irregularities is expressly excluded.
When a proctoring system is used, responsibility remains with universities and training bodies as data controllers, even where third parties provide the technical solutions. For DPOs in the education sector, it becomes crucial to verify the proportionality of measures, assess, on a case-by-case basis, the need for audio-video recordings, and define retention periods consistent with the purposes. The FAQs are an operational tool for navigating a constantly evolving area.
Source
Eni fined €96,000: online publication of a writ of summons containing personal data
By decision No. 207 of 26 March 2026 (doc. web 10238270), the Garante declared unlawful the processing carried out by Eni S.p.A. in connection with the publication, on its institutional website, of a writ of summons containing the personal data of twelve signatories to a judicial matter linked to Greenpeace. The Authority found the necessity of the processing not proven and ruled out the possibility of basing it on legitimate interest under Article 6(1)(f) GDPR, observing that the same defensive purpose could have been achieved by less intrusive means, for example, by redacting the plaintiffs’ data.
The case is particularly instructive for DPOs because it addresses a classic tension between the right of defense, transparency toward public opinion, and the protection of data subjects. The decision reaffirms that the necessity test cannot be satisfied where reasonably effective, less intrusive alternatives exist, and confirms the Authority’s obligation to impose full publication on its website as an ancillary sanction.
Source
Access to company email after the end of employment: Garante says yes
The Garante upheld the complaint of a former employee of an insurance company who had requested a copy of the messages from their corporate email account and of the documents stored on their work computer. The company had previously selected the content, providing only messages it deemed “strictly personal” and excluding those of a work-related nature.
According to the Authority, the right of access under Article 15 GDPR extends to all the personal data of the data subject, including communications conducted through a named corporate account. The controller cannot, therefore, unilaterally decide what to provide based on the distinction between personal and professional spheres. Critical issues were also identified regarding the transparency of privacy notices and retention periods. For DPOs, the decision provides a clear indication: corporate email policies must provide for disclosure procedures that do not pre-filter content based on the controller’s assessments.
Source
“FaceBoarding” at Milan Linate: biometric processing declared unlawful
By decision No. 164 of 12 March 2026 (doc. web 10238246), the Garante declared unlawful the processing of passengers’ biometric data at Milan Linate airport through the “FaceBoarding” facial recognition system operated by SEA. The system, operational since May 2024 for ITA Airways and Scandinavian Airlines flights, allowed access to the sterile area and gate boarding following registration and association of the face with the identity document and boarding pass.
The investigation found the system to be in breach of the GDPR and of the EDPB opinion on the use of facial recognition at airports. The decision is significant in a context where other European jurisdictions are instead accelerating the adoption of biometric technologies for airport security. For DPOs in the transport sector, the decision calls for reflection on the limits of legitimate interest and on the need for a strengthened legal basis for biometric data under Article 9 of the GDPR.
Source
Favorable Garante opinion on the MIM’s “Ascoltami” digital service
By opinion of 26 March 2026 (doc. web 10238220), the Garante ruled on the draft decree of the Ministry of Education and Merit (MIM) regulating the “Ascoltami” digital service, dedicated to psychological support for students. The opinion is favorable insofar as the text takes into account the Authority’s observations to ensure compliance with the privacy framework.
The service’s architecture provides that the MIM serves as the controller for the procedures used to recognize the contribution. In contrast, the psychologist provides the student with a separate privacy notice at the first meeting. The mechanism for situations of vulnerability involving minor students is particularly delicate: the psychologist may report to those exercising parental or legal responsibility and, with their consent, inform the school. The case is relevant for DPOs in the education sector as a model for balancing the protection of the minor, professional secrecy, and information flows with families.
Source
Amendments to Regulation No. 1/2019: delegation of reprimand powers to directors
By decision of 26 March 2026 (doc. web 10239146), the Garante amended its internal Regulation No. 1/2019 to delegate to the directors of the competent organizational units the direct adoption of corrective reprimand measures under Article 58(2)(b) GDPR. The delegation operates exclusively in cases where the contested conduct is long-standing, has ceased, or has already been remedied by the controller.
Cases of greater systemic impact remain reserved for the Board: journalistic processing, political and trade union rights, controllers with turnover above €500,000, and processing carried out by Ministries, Regions, Autonomous Provinces, local health authorities (ASL), and Municipalities with populations above 50,000 inhabitants. The stated objective is to lighten the Board’s decision-making load and focus collegial rulings on strategic matters. For DPOs and organizations, the change may translate into faster closure of less complex proceedings, especially for SMEs and entities that have already adjusted their processing.
Source
Scientific research: EDPB Guidelines in consultation with the Garante’s contribution
On 17 April 2026, the Garante issued a press release on the EDPB’s adoption of the Guidelines on the processing of personal data for scientific research purposes, to whose drafting the Italian Authority also contributed. The document clarifies the notion of “scientific research”. It specifies that personal data may be reused for such activities, even if initially collected for different purposes, provided that an adequate legal basis is in place.
The Guidelines further define the limits on the exercise of data subjects’ rights, in particular erasure and objection, where such exercise may compromise research objectives, and they recall the need to adopt appropriate technical and organizational measures, including anonymization and pseudonymization. Vice-President Ginevra Cerrina Feroni and Riccardo Acciai, head of International Relations and EU Affairs, attended the Brussels Plenary of 15-16 April. The public consultation is open until 25 June 2026.
Source
---
EDPB - EUROPEAN DATA PROTECTION BOARD
Guidelines for scientific research: six criteria to qualify the activity
With the adoption of Guidelines 1/2026, the EDPB has introduced six key factors to identify when an activity effectively constitutes scientific research within the meaning of the GDPR: methodical approach, adherence to ethical standards, verifiability, autonomy, research objectives, and contribution to scientific knowledge. The document further clarifies that subsequent processing for scientific research is presumed compatible with the initial purpose, simplifying the compatibility analysis under Article 6(4) of the GDPR.
For DPOs, a point of particular attention is the applicability of “broad consent” when the research purposes are not fully defined at the time of collection. The document also provides practical guidance on the allocation of responsibilities among controllers, joint controllers, and processors, which can be complex in multi-center research projects. The public consultation, open until 25 June 2026, offers a concrete opportunity for DPOs and organizations to contribute to the definition of operational rules.
Source
Standardized DPIA template: the harmonized European model open for consultation
The EDPB has adopted a harmonized template for Data Protection Impact Assessments, accompanied by an explanatory document clarifying the key concepts. The initiative is part of the Helsinki Strategy to simplify GDPR compliance and strengthen consistency across Member States.
Although not mandatory, the template offers predefined fields that guide organizations through the process step by step, reducing errors and completion times. For DPOs, it is a useful tool for standardizing their methodologies and ensuring completeness in risk analysis. The public consultation is open until 9 June 2026: existing national tools remain fully valid, and no mandatory migration is foreseen.
Source
First European Data Protection Seal: Europrivacy criteria approved for transfers
The EDPB has approved the first Europrivacy certification criteria as the European Data Protection Seal, with a specific version for international transfers under Articles 42 and 46 of the GDPR. This is a significant step in implementing the European certification system: these seals offer concrete tools to demonstrate compliance and facilitate transfers to third countries.
For DPOs operating in multinational contexts, Europrivacy certification provides a standardized mechanism to validate data protection practices and simplify demonstrating the adequacy of safeguards for extra-EU transfers. It adds to the range of transfer tools provided for in Chapter V of the GDPR and is particularly useful in the absence of a specific adequacy decision for the destination country.
Source
Sprint team on anonymization guidelines: plenary acceleration
At the same plenary of 15-16 April, the EDPB announced the establishment of a “sprint team” dedicated to accelerating the finalization of the guidelines on anonymization. The choice responds to a request repeatedly made by stakeholders: in a context where de-identification techniques clash with increasingly sophisticated re-identification analytical capabilities, practical indications from the Board have long been awaited.
For DPOs, the news is particularly relevant because anonymization is the pivot of numerous processing activities currently at the center of the debate: scientific research, AI training, dataset sharing between commercial partners, and open data of public administration. A harmonized interpretative framework from the EDPB can reduce uncertainty about the threshold between pseudonymized data, anonymized data, and personal data — a legally decisive framework, especially in light of the Digital Omnibus.
Source
---
EUROPEAN COMMISSION
European age verification app: technical availability announced
On 15 April 2026, Commission President Ursula von der Leyen, together with Executive Vice-President for Technological Sovereignty Henna Virkkunen, announced that the European age verification app is technically ready and will soon be available to citizens. The solution is built on the EU Digital Identity Wallet framework. It aims to provide a consistent, secure, and privacy-preserving age verification experience that can be integrated into a wide range of European digital services.
The app enables users to prove they have exceeded an age threshold without sharing other personal information: according to the Commission, users register an age proof via an identity document or passport; the solution is completely anonymous, open source, and works on any device. Seven Member States (France, Spain, Italy, Greece, Cyprus, Denmark, and Ireland) have already announced their intention to integrate the app into their national digital identity wallets.
The initiative is consistent with the enforcement of the Digital Services Act: platforms required to limit access to minors are not obliged to adopt this specific app. Still, they must demonstrate that their alternative tools are at least equally effective, under penalty of sanctions. For DPOs and compliance officers, the topic is entering the operational agenda: if and to the extent that the app is widely adopted, updates may be required to onboarding flows, dedicated DPIAs, and assessments of the processing chain.
Source | Source
Special Panel on child online safety: second meeting in Brussels
On 16 April 2026, the second meeting of the Special Panel on child online safety was held, a body that supports the Commission President in defining European policies on the subject. The panel is tasked with preparing a set of recommendations for all Member States by the summer, with a harmonized approach that integrates age verification, non-addictive design of platforms, and the fight against grooming.
For DPOs in the media and social network sector, the meeting signals an acceleration of European policies on online protection of minors, with cascading effects on DPIA obligations, information notices to minors, and default service configurations. The convergence among the age verification app, the DSA, and the guidelines under Article 28 of the DSA is shaping an increasingly tight regulatory framework.
Source
---
CNIL - FRENCH DATA PROTECTION AUTHORITY
Email tracking pixels: final recommendations published
On 14 April, the CNIL published its final recommendations on email tracking pixels, a technology that enables monitoring of opening time, device, approximate location, and other metrics. These invisible pixels raise significant privacy concerns when used in a personal space, such as the email inbox.
DPOs must pay particular attention to information and consent, distinguishing between legitimate purposes (such as improving deliverability) and commercial uses. The recommendations integrate the EDPB guidelines on trackers and the CNIL’s recommendations on cookies, adapting them to the technical specifics of email marketing. For controllers, it is essential to assess on a case-by-case basis their own role and that of service providers (controller vs processor), a determining factor in correctly defining compliance obligations and data protection measures.
Source | Source
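To make the CNIL’s concern concrete, here is an added example (not from the CNIL text or this newsletter) of a small detector that scans the HTML of a marketing email for likely tracking pixels: remote images that are 1×1 or hidden, especially when their URL carries per-recipient parameters. The sample email and all hostnames are constructed for the example; a DPO or mail administrator could run the same heuristic over a campaign template before approval.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample newsletter HTML (not a real message; hostnames are made up).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hello Alice,</p>
<img src="https://cdn.example-shop.test/logo.png" width="200" height="60" alt="Shop">
<img src="https://track.example-esp.test/open?u=12345&c=spring-sale" width="1" height="1" style="display:none">
<img src="https://track.example-esp.test/o.gif?uid=abc123" height="1" width="1" alt="">
<img src="cid:inline-image-1" width="300" height="200">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(img):
    """True when both width and height are declared and are at most 1px."""
    def dim(value):
        try:
            return int(value.strip().rstrip("px"))
        except ValueError:
            return None
    w, h = dim(img.get("width", "")), dim(img.get("height", ""))
    return w is not None and h is not None and w <= 1 and h <= 1


def _is_hidden(img):
    """True when inline CSS hides the image from the reader."""
    style = img.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_tracking_pixels(html):
    """Return one finding per likely tracking pixel.

    Heuristic: a remote (http/https) image that is tiny or hidden. Inline
    'cid:' images are skipped because they cannot contact a server when opened.
    The query-string parameter names are reported because they usually carry
    the recipient or campaign identifier that makes the pixel personal data.
    """
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        url = urlparse(img.get("src", ""))
        if url.scheme not in ("http", "https"):
            continue
        if not (_is_tiny(img) or _is_hidden(img)):
            continue
        findings.append({
            "host": url.hostname,
            "path": url.path,
            "identifier_params": sorted(parse_qs(url.query).keys()),
            "tiny": _is_tiny(img),
            "hidden": _is_hidden(img),
        })
    return findings


if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(finding)
```

The check is deliberately conservative: a large, visible remote image can still be used for tracking, so a finding list that is empty does not prove the absence of tracking, but every reported pixel is one for which the consent and information analysis in the CNIL recommendations must be done.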
---
INTERNATIONAL DEVELOPMENTS
Alabama passes the Personal Data Protection Act: the US mosaic expands
Alabama has become the 21st US state to pass a comprehensive privacy law. Governor Ivey signed the Alabama Personal Data Protection Act (APDPA) on 16 April 2026; it will enter into force on 1 May 2027. The text is inspired by the Washington Privacy Act framework but presents some significant differences.
The most notable feature of the APDPA is its particularly low applicability thresholds: the law applies to businesses that control or process data of more than 25,000 consumers, or that derive more than 25% of their revenue from the sale of personal data. These thresholds are appreciably lower than other state laws, which generally require at least 100,000 consumers to be affected.
For DPOs of groups that also operate in the US, the signal is clear: the US regulatory mosaic continues to expand. It requires greater attention to each state’s applicability thresholds, which are becoming increasingly inclusive.
Source
---
ARTIFICIAL INTELLIGENCE
ECB opinion on simplification of the AI Act
The European Central Bank has published an opinion on the proposed regulation to simplify the implementation of harmonized rules on artificial intelligence. The document represents a significant contribution to the evolution of the European AI regulatory framework, suggesting amendments to make the application of the AI Act more practicable, especially in the financial sector.
The ECB’s intervention underlines the importance of coordination between financial supervisory authorities and AI regulation, a particularly relevant issue for institutions operating with artificial intelligence systems in the banking and insurance sectors. The initiative may signal a more pragmatic approach to implementing AI regulation, aimed at balancing the protection of rights and innovation in the European market.
Source
Policy-Invisible Violations in LLM agents: the PhantomPolicy benchmark
Recent research identifies a new type of vulnerability in LLM-based agents: “policy-invisible violations.” These are cases in which the agent performs technically valid and user-authorized actions but violates organizational policies because the information necessary for correct judgment is not visible in the agent’s context.
The PhantomPolicy benchmark presents eight categories of violations, while the Sentinel framework introduces an approach based on counterfactual simulation of knowledge graphs. The system treats each action as a proposed mutation of the organizational world state, achieving 93% accuracy compared to 68.8% for traditional systems. The research has direct implications for those designing enterprise agents: policy-relevant world state must be made accessible to enforcement systems, and formal user authorization should not be assumed to cover all organizational risks.
Source
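The idea of treating each agent action as a proposed mutation of the organisational world state can be shown with a small guard. The following is an added, illustrative example written for this newsletter; it is not the Sentinel framework or the PhantomPolicy benchmark code. The toy knowledge graph (users, roles, projects, documents and their ACLs) and the two policies are constructed. The point it demonstrates is the one in the paragraph above: the user’s authorisation is valid, yet the policy can only be enforced by something that can see facts absent from the agent’s context, such as the recipient’s contractor status.

```python
import copy

# Constructed organisational world state (toy knowledge graph, made up for the example).
WORLD_STATE = {
    "users": {
        "alice": {"role": "employee", "projects": {"atlas"}},
        "bob":   {"role": "employee", "projects": {"helios"}},
        "carol": {"role": "contractor", "projects": {"atlas"}},
    },
    "documents": {
        "atlas-roadmap": {"classification": "confidential", "project": "atlas", "acl": {"alice"}},
        "press-kit":     {"classification": "public", "project": "atlas", "acl": {"alice", "bob"}},
    },
}


def apply_action(state, action):
    """Return a copy of the state with the proposed action applied (a counterfactual)."""
    new_state = copy.deepcopy(state)
    if action["type"] == "share_document":
        new_state["documents"][action["doc"]]["acl"].add(action["recipient"])
    elif action["type"] == "reassign_user":
        new_state["users"][action["user"]]["projects"] = set(action["projects"])
    else:
        raise ValueError(f"unknown action type {action['type']!r}")
    return new_state


def policy_confidential_stays_in_project(state):
    """Confidential documents may only be readable by members of their own project."""
    violations = []
    for doc_id, doc in state["documents"].items():
        if doc["classification"] != "confidential":
            continue
        for user in doc["acl"]:
            if doc["project"] not in state["users"][user]["projects"]:
                violations.append(f"{user} would read confidential {doc_id} outside project {doc['project']}")
    return violations


def policy_no_contractor_on_confidential(state):
    """Contractors never hold confidential material, whatever their project membership."""
    violations = []
    for doc_id, doc in state["documents"].items():
        if doc["classification"] != "confidential":
            continue
        for user in doc["acl"]:
            if state["users"][user]["role"] == "contractor":
                violations.append(f"contractor {user} would hold confidential {doc_id}")
    return violations


POLICIES = [policy_confidential_stays_in_project, policy_no_contractor_on_confidential]


def evaluate_action(state, action, policies=POLICIES):
    """Simulate the action on a copy of the world and report the violations it would introduce.

    Pre-existing violations are subtracted so the guard only blames the proposed change.
    """
    before = {p.__name__: set(p(state)) for p in policies}
    after_state = apply_action(state, action)
    new_violations = []
    for p in policies:
        new_violations.extend(sorted(set(p(after_state)) - before[p.__name__]))
    return new_violations


def guarded_execute(state, action, policies=POLICIES):
    """Apply the action only if the counterfactual introduces no new policy violation."""
    violations = evaluate_action(state, action, policies)
    if violations:
        return state, violations      # refused; the live state is untouched
    return apply_action(state, action), []


if __name__ == "__main__":
    request = {"type": "share_document", "doc": "atlas-roadmap", "recipient": "carol"}
    _, why = guarded_execute(WORLD_STATE, request)
    print("refused:" if why else "allowed", why)
```

Note what the agent would see in its context: a user with legitimate access to the document asking to share it with a named colleague, which looks entirely valid. The guard sees more, because it evaluates the resulting state against the organisation’s graph rather than the request text, which is the design change the research argues for.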
LASA: multilingual semantic alignment for LLM safety
Research presents LASA (Language-Agnostic Semantic Alignment), a solution to the problem of LLM security vulnerabilities in low-resource languages. The authors identify a “semantic bottleneck” in the models, an intermediate layer where representations are governed by semantic content rather than linguistic identity.
LASA directly anchors safety alignment to these semantic bottlenecks, reducing attack success rates from 24.7% to 2.8% on LLaMA-3.1-8B-Instruct. Results remain consistent on Qwen2.5 and Qwen3 Instruct models. The approach proposes a relevant paradigm shift for organizations deploying LLMs in multilingual contexts: instead of anchoring safety to surface text, it focuses on the language-agnostic semantic space of the model, improving global robustness.
Source
GF-Score: certified robustness with fairness guarantees across classes
GF-Score introduces a framework for evaluating adversarial robustness by decomposing aggregate scores into per-class profiles, revealing how robustness is unevenly distributed across different categories. The system quantifies disparities through four metrics derived from welfare economics.
An evaluation of 22 RobustBench models reveals consistent vulnerability patterns: for example, the “cat” class is the weakest in 76% of the CIFAR-10 models. Paradoxically, more robust models tend to show greater cross-class disparities. The framework eliminates the dependence on adversarial attacks through a self-calibration procedure, offering a practical pipeline for auditing certified robustness. For DPOs who must attest to the accuracy and non-discrimination of high-risk models under the AI Act, the method provides a concrete verification tool.
Source
---
CYBERSECURITY
Apache ActiveMQ: critical vulnerability under attack, urgent patching by 30 April
CISA has added CVE-2026-34197 to the catalog of actively exploited vulnerabilities, requiring patches to be applied by 30 April. The Apache ActiveMQ Classic flaw (CVSS 8.8) allows arbitrary code execution via the Jolokia API, exploiting default credentials that are often left unchanged.
Particularly concerning is the fact that the vulnerability had been latent for 13 years and that, in versions 6.0.0-6.1.1, it can be exploited without authentication. Telemetry from Fortinet FortiGuard Labs records a peak of exploitation attempts on 14 April, confirming that exploitation times after disclosure continue to shrink. The fix versions are 5.19.4 and 6.2.3. For DPOs, the case underscores the importance of up-to-date inventories of exposed systems and of emergency patching procedures, all the more so since ActiveMQ is often used in critical data pipelines, and an immediate impact assessment on personal data processing is essential.
Source
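The paragraph above stresses inventories of exposed systems and emergency patching. The following added example (not from Apache, CISA or this newsletter) triages an ActiveMQ inventory against the version facts reported here: fix releases 5.19.4 and 6.2.3, and the 6.0.0 to 6.1.1 range exploitable without authentication. The inventory, hostnames and the set of hosts whose Jolokia management API is reachable are constructed; the assumption that every release below its branch’s fix version is affected is the author’s simplification, since the page gives no lower bound beyond the flaw’s age.

```python
import re

# Fix versions for CVE-2026-34197 as reported in the newsletter item above.
FIX_VERSIONS = {5: (5, 19, 4), 6: (6, 2, 3)}
# Range reported as exploitable without authentication (inclusive).
UNAUTH_RANGE = ((6, 0, 0), (6, 1, 1))

# Sort key per status: lower number = more urgent.
URGENCY = {"vulnerable-unauthenticated": 0, "vulnerable": 1, "unknown-branch": 2, "patched": 3}


def parse_version(text):
    """Parse 'x.y.z' (ignoring suffixes such as '-SNAPSHOT') into a tuple of ints."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Return 'patched', 'vulnerable', 'vulnerable-unauthenticated' or 'unknown-branch'.

    Assumption (author's simplification): any release below the fix version of
    its major branch is treated as affected.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    fix = FIX_VERSIONS.get(v[0])
    if fix is None:
        return "unknown-branch"      # branch not covered by the reported fixes: check manually
    if v >= fix:
        return "patched"
    if UNAUTH_RANGE[0] <= v <= UNAUTH_RANGE[1]:
        return "vulnerable-unauthenticated"
    return "vulnerable"


def triage(inventory, jolokia_exposed_hosts=frozenset()):
    """Order hosts by urgency; an unpatched host whose Jolokia API is reachable moves up."""
    rows = []
    for host, version in inventory.items():
        status = classify(version)
        priority = URGENCY[status]
        if host in jolokia_exposed_hosts and status != "patched":
            priority -= 0.5
        rows.append((priority, host, version, status))
    rows.sort()
    return [(host, version, status) for _, host, version, status in rows]


# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "mq-prod-01": "6.1.0",
    "mq-prod-02": "6.2.3",
    "mq-legacy":  "5.18.2",
    "mq-dev":     "6.1.2",
    "mq-old":     "4.1.0",
}

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, jolokia_exposed_hosts={"mq-dev"}):
        print(*row)
```

The output order is the patching order: hosts in the unauthenticated range first, then reachable management interfaces, then the rest; anything on a branch the advisory does not mention is flagged for manual review rather than silently treated as safe.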
April Patch Tuesday 2026: critical SAP flaw (CVSS 9.9) and massive updates
On 15 April 2026, the April Patch Tuesday was published, with fixes for critical vulnerabilities in Adobe, Fortinet, Microsoft, and SAP products. Topping the list is an SQL injection in SAP Business Planning and Consolidation and SAP Business Warehouse (CVE-2026-27681, CVSS 9.9) that can lead to arbitrary query execution on the database.
In the same window, CISA added six vulnerabilities to the KEV catalog, including CVE-2026-21643 (FortiClient EMS, CVSS 9.1), with a remediation deadline for federal agencies set at 27 April and, for the FortiClient flaw, brought forward to 16 April. For DPOs and security managers, the April Patch Tuesday requires an extraordinary review of the patching plan, especially when SAP or FortiClient EMS manages flows involving structured personal data.
Source
Cisco patches four critical flaws in Identity Services and Webex
On 16 April 2026, Cisco released patches for four critical vulnerabilities in Identity Services and Webex that allow arbitrary code execution and user impersonation. Among the most serious is CVE-2026-20184 (CVSS 9.8), an improper certificate validation in the SSO integration.
The potential impact is significant: identity systems and video conferencing platforms are typically at the center of the corporate authentication chain, and a compromise can quickly propagate to all connected services. For DPOs, the event is a reminder of the centrality of timely updates on identity and collaboration systems, which are never “just” IT tools but critical components of privacy governance.
Source
Vercel: breach via a compromised third-party OAuth application
Cloud platform Vercel has suffered a breach affecting a limited number of customers, and attackers subsequently offered the stolen data on the dark web. The incident originated from the compromise of an OAuth application for a third-party AI tool (Context.ai), which enabled access to a Google Workspace account belonging to a Vercel employee.
The attackers then escalated privileges by accessing environment variables not marked as sensitive and therefore not encrypted at rest. Vercel confirmed that the main services and open-source projects remain secure. Still, the incident highlights the fragility of the OAuth supply chain and of AI tools integrated into corporate workflows. For DPOs, the case is useful for reviewing contractual clauses with cloud providers, especially regarding timely breach notification and the management of variables containing personal data in development pipelines.
Source
Weekly roundup: satellite regulations, W3LL dismantled, AWS RES escalation
The US Senate advances the Satellite Cybersecurity Act to protect commercial satellite communications, while the FBI dismantles the infrastructure of the W3LL phishing kit responsible for over $20 million in attempted fraud. Meta makes professional tools available to security researchers through its bug bounty program.
Critical vulnerabilities were discovered in AWS RES, allowing privilege escalation, while the GlassWorm malware spreads through malicious IDE extensions. The ShinyHunters group threatens to release Rockstar Games data. The overall picture confirms the rapid evolution of the threat landscape, from satellite infrastructure to attack vectors in development environments. For DPOs, emerging trends must be incorporated into risk assessments and updates to organizational security measures.
Source
---
TECH & INNOVATION
Verifiable Gradient Inversion Attacks in Federated Learning
A new study reveals previously underestimated vulnerabilities in federated learning systems, particularly for tabular data. Researchers present VGIA (Verifiable Gradient Inversion Attack), which provides an explicit certificate of correctness for reconstructed samples, overcoming the limitations of existing attacks that cannot verify the success of their reconstructions.
The approach leverages a geometric view of ReLU activations, where activation boundaries define hyperplanes in the input space. VGIA introduces an algebraic verification test that detects when a region contains exactly one record, enabling precise analytical reconstruction. The research challenges the perception that tabular data is less vulnerable to privacy attacks. It highlights the need for more robust protection mechanisms in federated learning, especially in sectors that handle sensitive structured data, such as healthcare and finance.
Source
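Why a single tabular record in a federated update is so exposed can be seen with the simplest possible case: one record, one linear layer. For a squared-error loss the gradient of the weights is the outer product of the output error with the input, so dividing a weight-gradient row by the matching bias gradient returns the record exactly. The following is an added, self-contained example written for this newsletter (not VGIA or the study’s code, which targets deeper ReLU networks); the layer, record and target values are constructed. It also shows the defensive half: Gaussian noise on the shared gradients, as used in differentially private training, destroys the exact reconstruction.

```python
import random


def linear_forward(W, b, x):
    """y = W x + b for a single record x."""
    return [sum(w_ij * x_j for w_ij, x_j in zip(row, x)) + b_i for row, b_i in zip(W, b)]


def per_example_gradients(W, b, x, target):
    """Gradients of 0.5*||Wx + b - t||^2 for one record: dW = g x^T, db = g."""
    y = linear_forward(W, b, x)
    g = [y_i - t_i for y_i, t_i in zip(y, target)]
    dW = [[g_i * x_j for x_j in x] for g_i in g]
    return dW, g


def reconstruct_record(dW, db, eps=1e-9):
    """With exactly one record in the batch, x_j = dW[i][j] / db[i] for any i with db[i] != 0."""
    for i, g_i in enumerate(db):
        if abs(g_i) > eps:
            return [d / g_i for d in dW[i]]
    return None   # all output errors are zero: nothing to divide by


def add_gaussian_noise(dW, db, sigma, rng):
    """Perturb the shared gradients as a DP-style client would before sending them."""
    noisy_dW = [[d + rng.gauss(0, sigma) for d in row] for row in dW]
    noisy_db = [d + rng.gauss(0, sigma) for d in db]
    return noisy_dW, noisy_db


def max_abs_error(a, b):
    return max(abs(u - v) for u, v in zip(a, b))


def demo(sigma=0.5, seed=1):
    """Return (error without noise, error with noise) of the reconstruction."""
    rng = random.Random(seed)
    W = [[rng.uniform(-1, 1) for _ in range(4)] for _ in range(3)]   # constructed 3x4 layer
    b = [0.0, 0.0, 0.0]
    x = [0.8, 0.1, 0.4, 0.7]      # constructed tabular record, features scaled to [0, 1]
    t = [1.0, 0.0, 0.0]           # constructed one-hot target
    dW, db = per_example_gradients(W, b, x, t)
    exact = reconstruct_record(dW, db)
    noisy = reconstruct_record(*add_gaussian_noise(dW, db, sigma, rng))
    return max_abs_error(exact, x), max_abs_error(noisy, x)


if __name__ == "__main__":
    clean_err, noisy_err = demo()
    print(f"reconstruction error without noise: {clean_err:.2e}")
    print(f"reconstruction error with noise:    {noisy_err:.2e}")
```

Aggregating several records into one update blurs this picture, which is exactly why the study’s verification test for regions containing a single record matters; noise or secure aggregation on the client side is the protection the paragraph calls for.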
Differentially private linear regression: the extended “free lunch”
A new study extends the concept of the “free lunch” in differential privacy, demonstrating that relevant statistics can be privately estimated without additional costs to the privacy budget. The authors develop multidimensional simplex transformations that improve estimates of sufficient statistics for private least-squares linear regression.
The work builds on the results of Kulesza et al. and Fitzsimons et al., who had shown that dataset size can be estimated “for free” through simplex transformations of bounded variables. The new extension applies the principle to variables and functions bounded in [0,1], with general applicability to differentially private polynomial regression. For organizations, the analytical and numerical results provide more effective tools for implementing privacy-preserving statistical analysis without significantly compromising accuracy.
Source
Differentially Private Conformal Prediction (DPCP)
Researchers introduce Differentially Private Conformal Prediction (DPCP), a framework that combines the robustness of conformal prediction with differential privacy guarantees. Conformal prediction is gaining attention as a flexible method for uncertainty quantification through prediction sets, but its application in privacy-sensitive contexts requires dedicated solutions.
The proposed framework avoids efficiency losses from data splitting by using a “differential CP” procedure that leverages the stability properties of DP mechanisms. DPCP combines DP model training with a private quantile mechanism for calibration, establishing end-to-end privacy guarantees. Experiments show that DPCP produces tighter prediction sets than existing split conformal approaches at the same privacy budget, a relevant advance for applications that require both uncertainty quantification and privacy protection (such as healthcare triage or credit scoring).
Source
PrivEraserVerify: efficient, private, and verifiable federated unlearning
PrivEraserVerify (PEV) is the first framework that simultaneously integrates efficiency, privacy, and verifiability in federated unlearning, addressing the requirements of the “right to be forgotten.” While existing solutions only partially address these challenges, PEV proposes a unified approach articulated in three components.
The system uses adaptive checkpointing to maintain critical historical updates, differentially private layer-adaptive calibration to selectively remove client influence, and fingerprint-based verification for decentralized confirmations. Experiments show unlearning 2-3 times faster than full retraining, with formal indistinguishability guarantees. For organizations operating in regulated contexts, PEV offers a practical solution for implementing federated learning in compliance with the GDPR, balancing operational efficiency and legal data protection requirements.
Source
---
SCIENTIFIC RESEARCH
A selection of the most relevant papers of the week from arXiv on AI, Machine Learning, and Privacy
Security and Robustness of AI Models
MLDAS: Machine Learning Dynamic Algorithm Selection for Software-Defined Networking Security
A new framework for the dynamic integration of ML algorithms with SDN controllers to improve network security through adaptive decision-making mechanisms. The approach promises greater protection of personal data while users browse, which is relevant for DPOs in evaluating appropriate technical measures under Article 32 of the GDPR.
arXiv
Anomaly Detection in IEC-61850 GOOSE Networks
Approach for real-time intrusion detection on critical industrial protocols with sub-4ms latency constraints. The research highlights vulnerabilities in the processing of personal data by critical infrastructure, requiring specific DPIAs for the energy and industrial sectors.
arXiv
AI Agent Vulnerabilities and Attacks
LLMs Gaming Verifiers: RLVR can Lead to Reward Hacking
Study on how LLMs can bypass verification systems during RLVR training, systematically abandoning the induction of logical rules. Reward hacking compromises the reliability of AI systems, with direct impacts on compliance with regulatory accuracy and transparency requirements.
arXiv
Context Over Content: Exposing Evaluation Faking in Automated Judges
Research that exposes how automated AI judges can be influenced by context rather than by actual semantic content. It challenges the assumption of objectivity in automated evaluation systems, a crucial issue for compliance in automated decisions that impact data subjects.
arXiv
Fairness and Content Moderation
When Fairness Metrics Disagree: Evaluating the Reliability of Demographic Fairness Assessment
Analysis of the consistency between different fairness metrics in critical applications such as biometric recognition and automated risk assessment. Inconsistency in metrics complicates demonstrating non-discrimination, a central element of compliance in automated processing.
arXiv
---
AI ACT ESSENTIALS - Part 17
Article 21 - Cooperation with competent authorities
Having examined in Part 16 the corrective actions and the duty to inform that providers must fulfill when they detect non-conformities in their AI systems, today we continue with Article 21, which defines the framework for mandatory cooperation with competent authorities.
Article 21 establishes a fundamental principle: providers of high-risk AI systems must actively cooperate with competent national authorities during their supervisory and control activities. This provision is an essential pillar of the AI Act’s enforcement system, providing a direct, structured channel between the private sector and public authorities.
Scope and subjects involved
The obligation to cooperate applies primarily to providers of high-risk AI systems. However, the regulation also extends this duty to operators and third parties along the supply chain when the authorities so request. The competent authorities include both those designated at the national level by each Member State and the European Commission in its supervisory functions.
Content of cooperation obligations
Cooperation must be immediate, complete, and transparent. Providers are required to supply competent authorities with all the information and documentation necessary to assess the conformity of the AI system. This includes access to technical documentation, automated logs, data used for training and validation, and any other information relevant to risk assessment.
A particularly significant aspect concerns the obligation to grant authorities access to AI systems through application programming interfaces (APIs) or other appropriate technical means. The provision enables authorities to conduct direct verifications of the systems’ functioning, representing an important evolution over traditional documentary controls.
Practical modalities of cooperation
The regulation requires cooperation to take place within reasonable times, typically defined on a case-by-case basis in the Authority’s request, depending on the complexity of the subject matter and the level of risk. Providers must designate specific points of contact to manage communications with authorities and ensure timely responses.
Particular attention is paid to protecting commercially sensitive information and trade secrets. Authorities are required to treat the information received in confidence. At the same time, providers cannot invoke trade secret protection to evade cooperation obligations where doing so would compromise the assessment of safety risks.
Operational implications for organizations
For compliance teams, this article requires the development of structured internal procedures to handle authority requests. It is essential to establish a classification and archiving system for technical documentation that enables rapid retrieval of requested information. Furthermore, organizations must train their technical staff on the protocols for interacting with authorities, balancing transparency with the protection of sensitive information.
From a technological standpoint, it may be necessary to implement dedicated interfaces that allow authorities to access systems in a controlled manner, without compromising normal operations or information security.
Consequences of failure to cooperate
The article does not merely establish obligations; it also provides specific consequences for failure to cooperate. Refusal to cooperate or the provision of incomplete or inaccurate information may result in administrative fines of up to 1% of the total worldwide annual turnover of the previous financial year, as well as possible precautionary measures affecting AI systems.
In the next installment, we will examine Article 22, which concerns authorized representatives of providers, exploring when their appointment is mandatory and the responsibilities they assume in ensuring compliance with the AI Act on behalf of providers established outside the European Union.
---
LEGAL PROMPTING
Prompts for Court of Justice of the EU judgments
After exploring the analysis of supervisory authority decisions, we shift our attention to the apex of the European case-law hierarchy: the judgments of the Court of Justice of the EU. Here, Legal Prompting must contend with texts of extreme complexity, rich in regulatory references, precedents, and articulated reasoning.
The main challenge is to build prompts that guide the model through the peculiar structure of CJEU decisions, respecting the logic of legal reasoning. An effective prompt must distinguish between procedure, preliminary questions, ratio decidendi, and obiter dicta, avoiding a model that produces superficial summaries or improper connections.
Prompt structure for analysis:
Analyze the judgment [REFERENCE] of the CJEU considering:
1. Procedural context and preliminary questions
2. Legal principles affirmed and their scope
3. Impact on national legislation [SPECIFY COUNTRY]
4. Precedents cited and distinctions made
5. Practical implications for [SECTOR/CATEGORY]
Highlight the consolidated aspects separately from the innovative ones.
Human oversight becomes even more crucial here: language models tend to produce plausible outputs but may misinterpret decisive interpretive subtleties. Professional deontology requires always verifying the citations and jurisprudential connections suggested by the AI.
On the compliance side, analyzing judgments raises delicate issues. The GDPR and the forthcoming Italian Law 132/2025 require particular attention when processing documents that, although public, may contain references to identifiable subjects. The choice of infrastructure — local vs cloud — becomes strategic when handling case files containing sensitive data linked to the cases analyzed.
A practical example: when analyzing the Schrems II judgment, the prompt must guide the model to distinguish between the invalidation of the Privacy Shield (a consolidated aspect) and the principles governing extra-EU transfers (an interpretive scope), avoiding generalizations that could lead to erroneous assessments in individual cases.
Next week, we will address how to integrate these competencies into corporate compliance processes, transforming jurisprudential analysis into an operational tool for DPOs and compliance officers.
Further reading:
Legal Prompting: the new frontier of AI in the legal domain
---
PODCAST
NicFab Podcast — Legal Prompting - Chain-of-thought and few-shot prompting in legal
Two techniques change the way the model approaches a legal problem: chain-of-thought — the explicit request to lay out logical steps before the conclusion — and few-shot prompting — providing two or three well-chosen examples to orient the response’s format and method.
In this episode, we see:
- how to structure step-by-step reasoning with a concrete example on extra-EU data transfers (Chapter V GDPR, Schrems II);
- how to choose examples in few-shot learning without introducing bias;
- how to combine the two techniques for the analysis of complex decisions;
- the three limits to be aware of: context length, bias in examples, and plausibility that is not legal correctness;
- why documenting prompts, examples, and verification is already AI governance.
Chain-of-thought and few-shot are not tricks: they are the way we translate our legal method into instructions the model can understand.
In the next episode, we will apply these techniques to the analysis of contracts and clauses.
---
FROM THE NICFAB BLOG
AI Agents and GDPR: which legal basis?
16 April 2026
AI agents and personal data: legal basis, automated decisions under Article 22, and the proposal for Article 88c of the Digital Omnibus.
Read the full article
The EDPB adopts a harmonized DPIA template: what changes for professionals
14 April 2026
The EDPB has published a harmonized DPIA template open for public consultation. Analysis of the structure, the distinction between design risk and incident risk, and the implications for professionals.
Read the full article
AI Agents: when the deployer becomes a provider
13 April 2026
When does a deployer become a provider under the AI Act? Analysis of Article 25 and the factors of requalification: customization, integration, and rebranding of AI agents.
Read the full article
---
Upcoming events
Privacy Symposium (20 April 2026)
International conference on privacy and data protection.
EDPB | Info and programme
Computers, Privacy and Data Protection - CPDP Brussels (19 May 2026)
Interdisciplinary conference on data protection, technology, and law.
EDPB | Info and programme
Nordic meeting (21 May 2026)
Meeting of the Nordic data protection authorities.
EDPB | Info and programme
High-Level Debate: “From Omnibus to Opportunity: Driving Data Protection and Innovation” (8 June 2026)
High-level debate on the Omnibus proposals and their implications for the GDPR.
EDPS | Info and programme
---
Conclusion
The week from 13 to 19 April 2026 delivers three converging signals for anyone working in data protection, AI, and digital compliance.
The first is a phase shift in post-Omnibus Europe: institutions are choosing to operationalize the existing model rather than reopen the debate. The Commission’s announcement of the European age verification app built on the EU Digital Identity Wallet framework, the EDPB plenary with three coordinated deliverables (scientific research guidelines, the DPIA template, and the first European Data Protection Seal via Europrivacy), and the sprint team’s outline of anonymization guidelines all point to a strategy of translating principles into practical tools. Those expecting further regulatory openings find consolidation and tools instead.
The second is the renewed centrality of the Italian Garante. Newsletter No. 546 brings together five operational strands in a single window: proctoring FAQs, the Eni sanction on the necessity test for legitimate interest, the affirmation of access to the company mailbox after the end of employment, the unlawfulness of “FaceBoarding” at Milan Linate, and the delegation of reprimand powers to directors for less complex cases. The Authority moves between decisive enforcement and procedural rationalization, and the combined effect is a concrete incentive for proactive compliance for Italian organizations.
📧 Edited by Nicola Fabiano
Lawyer - Fabiano Law Firm
🌐 Studio Legale Fabiano: https://www.fabiano.law
🌐 Blog: https://www.nicfab.eu
🌐 DAPPREMO: www.dappremo.eu
---
Supporter
https://lawandtechnology.eu/
https://caffe20.it/
https://privacykit.it/
---
To receive the newsletter directly in your inbox, subscribe at nicfab.eu
Follow our news on these channels:
Telegram → @nicfabnews
Matrix → #nicfabnews:matrix.org
Mastodon → @nicfab@fosstodon.org
Bluesky → @nicfab.eu