Newsletter #18 - 28 April 2026
---
NicFab Newsletter
Issue 18 | 28-04-2026
Privacy, Data Protection, AI and Cybersecurity
---
Welcome to Issue 18 of the weekly newsletter dedicated to privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, you will find a curated selection of the most relevant news from the previous week, with a focus on European regulatory developments, case law, enforcement, and technological innovation.
---
In this issue
- ITALIAN DATA PROTECTION AUTHORITY
- EDPB - EUROPEAN DATA PROTECTION BOARD
- EDPS - EUROPEAN DATA PROTECTION SUPERVISOR
- CNIL - FRENCH AUTHORITY
- EUROPEAN PARLIAMENT
- COUNCIL OF THE EUROPEAN UNION
- DIGITAL MARKETS & PLATFORM REGULATION
- INTERNATIONAL DEVELOPMENTS
- ARTIFICIAL INTELLIGENCE
- CYBERSECURITY
- TECH & INNOVATION
- SCIENTIFIC RESEARCH
- AI Act in a Nutshell
- Legal Prompting
- Podcast
- From the NicFab Blog
- Featured Events and Meetings
- Conclusion
---
ITALIAN DATA PROTECTION AUTHORITY
The Italian Data Protection Authority has called on the media to strictly comply with personal data protection rules in covering the investigation into the “luxury escorts” case in Milan. The Authority emphasized that publishing the names of individuals involved—even those not under investigation—may harm their privacy and dignity.
The reminder centers on the principle of essentiality of information: the dissemination of personal data must be limited to what is strictly indispensable for understanding the news, avoiding excessive or irrelevant references. For those working in the editorial sector—journalists, editors-in-chief, DPOs, and in-house counsel—the case restates an operational principle: balancing the right to report news with privacy protection is not a generic formula. It means selecting only what is genuinely indispensable to understanding the facts and cutting the rest.
Source
Tracking pixel guidelines for emails: new obligations for operators
With Decision No. 284 of 17-04-2026, released through a press notice on 21-04-2026, the Italian DPA adopted Guidelines on the use of tracking pixels in emails—the tiny transparent images that detect message openings and collect data on user behavior. The Authority places their use within the scope of Article 122 of the Italian Privacy Code: in ordinary cases, the use of tracking pixels requires prior, free, specific, and informed consent, with limited exceptions for security purposes, strictly necessary technical needs, or institutional and service communications.
The new rules impose transparency obligations and easy, granular consent withdrawal mechanisms. Affected parties—from email providers to mass mailing platform operators—have six months from publication in the Official Journal to comply. For privacy professionals, compliance officers, marketing managers, and IT leads, the decision requires reviewing email marketing practices and adopting privacy-by-design measures—for instance, unintelligible and non-sequential identifiers, separated from the recipient’s address in an internal layer of the platform—to reduce user identifiability and limit the circulation of personal data.
Source
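The privacy-by-design measure the decision points to (opaque, non-sequential pixel identifiers kept apart from the recipient's address, issued only with consent and revocable on withdrawal) is easy to misread as a matter of wording in a policy, so here is what it looks like in code. This is an added illustration, not code from the Italian DPA or from any mailing platform; the class and method names (PixelTokenService, issue_pixel_token, record_open) are hypothetical, and the two in-memory dicts stand in for two separate database tables.

```python
"""
Added example (not from the Italian DPA decision or any product): a minimal
tracking-pixel token service built along the lines of the privacy-by-design
measures the Guidelines describe. Assumptions: all names are hypothetical;
in-memory dicts stand in for two separately stored tables.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class PixelTokenService:
    # Table 1 (address layer): e-mail -> opaque internal recipient id.
    # The only place an address appears; kept apart from the pixel table.
    _recipients: dict = field(default_factory=dict)
    # Table 2 (pixel layer): pixel token -> (internal recipient id, campaign id).
    # Holds no address, and tokens are random, so it cannot be read as a mailing list.
    _tokens: dict = field(default_factory=dict)
    # Consent register: addresses that gave prior, specific consent to open tracking.
    _consent: set = field(default_factory=set)

    def give_consent(self, email: str) -> None:
        self._consent.add(email.lower())

    def withdraw_consent(self, email: str) -> int:
        """Drop consent and invalidate every token issued to that address.
        Returns the number of tokens invalidated, so withdrawal is auditable."""
        email = email.lower()
        self._consent.discard(email)
        rid = self._recipients.get(email)
        if rid is None:
            return 0
        stale = [t for t, (r, _) in self._tokens.items() if r == rid]
        for t in stale:
            del self._tokens[t]
        return len(stale)

    def issue_pixel_token(self, email: str, campaign_id: str) -> Optional[str]:
        """Return a pixel token for this recipient and campaign, or None without
        consent (no consent means no pixel is embedded at all). Tokens come from
        the secrets module, so they are unintelligible and non-sequential."""
        email = email.lower()
        if email not in self._consent:
            return None
        rid = self._recipients.setdefault(email, secrets.token_hex(8))
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (rid, campaign_id)
        return token

    def record_open(self, token: str) -> Optional[Tuple[str, str]]:
        """Resolve a pixel hit to (internal recipient id, campaign id).
        The address never reaches the open-tracking path; unknown or
        revoked tokens resolve to None."""
        return self._tokens.get(token)

    def pixel_url(self, token: str, base: str = "https://pixel.example.invalid/o/") -> str:
        """Hypothetical pixel endpoint; the token is the only per-recipient element."""
        return f"{base}{token}.gif"
```

The separation matters when the open-tracking logs leak or are shared with an analytics vendor: what they contain is a random token and an internal id, and turning that back into an address requires access to the first table, which can be locked down and purged independently.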
Poste Italiane and Postepay fined over EUR 12.5 million
With Decision No. 237 of 17-04-2026, communicated on 20-04-2026, the Italian DPA issued sanctions totaling EUR 12,501,000: EUR 6,624,000 against Poste Italiane S.p.A. and EUR 5,877,000 against Postepay S.p.A. for the unlawful processing of personal data of millions of users through the BancoPosta and Postepay apps (subsequently discontinued in 2025 and replaced by Poste Italiane’s new unified app). As a mandatory condition for using the services, the apps required users to authorize the monitoring of various data on mobile devices—including installed and running applications—in order to detect malicious software.
The Authority found that this approach amounted to an excessively invasive intrusion into users’ private sphere, not strictly necessary for fraud prevention purposes. The investigation also revealed shortcomings in the privacy notice, the absence of a DPIA, inadequate security measures and retention policies, and irregularities in the designation of the data processor. Poste Italiane rejected all charges, contesting the decision both on the merits and on procedural grounds, and announced an appeal to the Court of Rome, citing the 02-02-2026 ruling of the Lazio Regional Administrative Court that had annulled a previous Antitrust decision concerning the same anti-fraud mechanism. The operational lesson for those working in financial and payment services is clear: anti-fraud security cannot turn into generalized device surveillance. Even when justified by regulatory compliance needs, measures must pass a proportionality test against the rights of data subjects.
Source
---
EDPB - EUROPEAN DATA PROTECTION BOARD
Stakeholder event on competition and data protection: save the date
The EDPB has announced a stakeholder event dedicated to the intersection between competition law and personal data protection. The initiative is part of the joint work with the European Commission to develop guidelines on this increasingly relevant topic in the digital era.
The event is a meaningful opportunity for privacy professionals, compliance officers, antitrust consultants, and in-house legal teams to contribute to defining a framework that may influence corporate compliance strategies. The convergence between antitrust regulation and privacy is becoming an operational issue, especially for large technology platforms: it is worth monitoring developments and assessing whether your organization could be affected by the upcoming guidelines.
Source
Report on the use of SPE external experts in 2025
The EDPB has published the report on the use of the Support Pool of Experts (SPE) during 2025—a document outlining how the Board has drawn on external expertise to support its technical and regulatory work.
The mechanism represents a meaningful model of cooperation between institutions and the academic-professional community, allowing the EDPB to access specialized expertise on complex topics. For those who closely follow EDPB activity—DPOs, researchers, law firms, and organizations operating in the privacy space—understanding the SPE mechanisms can provide a sharper reading of the Board’s decision-making processes and suggest opportunities for future contributions.
Source
EDPB Letter to the European Commission regarding INGO registration requirements
The EDPB has sent an official letter to the European Commission regarding the registration requirements for international non-governmental organizations (INGOs), highlighting potential implications for personal data protection in this specific context.
The communication signals the Board’s attention to sectors that are often overlooked but central to fundamental rights. INGOs frequently handle sensitive data of vulnerable categories, making a balanced approach between administrative transparency and privacy protection essential. For those working in the third sector—DPOs, compliance officers, and legal teams of humanitarian and advocacy organizations—it is worth monitoring developments in this institutional dialogue.
Source
---
EDPS - EUROPEAN DATA PROTECTION SUPERVISOR
EDPB and EDPS support the European Biotech Act, calling for safeguards on health data
The EDPB and EDPS have adopted a joint opinion on the proposed European Biotech Act, expressing support for the initiative while calling for specific safeguards on the processing of health data. The two authorities emphasize the need for a framework that is consistent with the GDPR and the future European Health Data Space, avoiding overlaps or reductions in protections.
For those working in the healthcare and biotech sectors—medical directors, researchers, hospital DPOs, and compliance officers in pharmaceutical and biotech companies—the opinion offers operational guidance on how to balance the need for innovation and research with the protection of fundamental rights. The recurring reference is to the qualification of health data as a special category under Article 9 GDPR, with all that follows in terms of strengthened legal basis and dedicated technical and organizational measures.
Source: EDPS Newsletter No. 119, April 2026 — direct link to be verified
EDPB and EDPS on stronger cybersecurity rules: support with a call for privacy safeguards
The EDPB and EDPS have expressed support for proposals aimed at strengthening cybersecurity rules at the European level, while calling for adequate safeguards for personal data protection. The joint opinion highlights how cybersecurity and data protection are complementary, not alternative, objectives.
The two authorities urge the legislator to avoid generalized surveillance mechanisms and to ensure proportionality in measures for collecting and retaining data for security purposes. The operational principle is clear: every cybersecurity measure requires a clear legal basis and an impact assessment, particularly when it involves the large-scale processing of personal data. A reminder that directly concerns CISOs, security leads, DPOs, and digital governance professionals.
Source: EDPS Newsletter No. 119, April 2026 — direct link to be verified
The EDPS Compass: the new role of the EDPS under the AI Act
The EDPS has published the EDPS Compass, a document outlining the new role of the European Supervisor in implementing the AI Act. The Compass clarifies the competences, scope of intervention, and operational methodologies of the EDPS as the supervisory authority for AI systems used by EU institutions, bodies, offices, and agencies.
For those operating in EU institutional contexts or supplying AI systems to EU institutions—technology vendors, integrators, AI governance consultants, DPOs of EU bodies—the document is a reference map for anticipating the Supervisor’s lines of intervention. The Compass places coordination between the GDPR, EUDPR, and AI Act at the center: privacy compliance remains a necessary, but not sufficient, condition for the use of high-risk AI systems.
Source: EDPS Newsletter No. 119, April 2026 — direct link to be verified
EDPS blog post on early oversight in justice and law enforcement
The EDPS has published a blog post on early oversight in justice and law enforcement contexts, reaffirming the value of preventive control over personal data processing in these particularly sensitive areas. The intervention contributes to the debate on legislative proposals affecting investigative powers and cooperation between judicial authorities.
For DPOs of public bodies, competent authorities, compliance officers, and legal teams in the justice sector, the post offers insights on how to structure internal procedures to ensure timely and substantive control over processing activities, avoiding situations where impact assessments and DPO opinions arrive only after operational decisions have been made. The principle is one of early integration of privacy protection into decision-making processes, in line with privacy-by-design logic and with the specific requirements of Directive 2016/680.
Source: EDPS Newsletter No. 119, April 2026 — direct link to be verified
---
CNIL - FRENCH AUTHORITY
Electronic correspondence voting: CNIL updates its recommendation
With Deliberation No. 2026-045 of 19-03-2026, published on 24-04-2026, the CNIL adopted an updated version of the recommendation on the security of electronic correspondence voting systems—the result of a public consultation conducted in 2025. The document replaces the recommendation of 25-04-2019 and provides a clearer and more operational framework while maintaining high standards of security, confidentiality, and integrity of the vote.
The recommendation is addressed to public and private bodies that implement electronic voting systems, as well as to providers of technological solutions. A transitional regime is in place: ballots already in preparation and scheduled for 2026—including the elections of personnel representatives in the public service—may continue to apply the 2019 version of the recommendation, while the new version applies to all new ballots. The document was developed in cooperation with ANSSI, which has published a complementary technical guide to achieve the security objectives defined by the CNIL.
Source
CNIL webinar: new rules on electoral targeting
The CNIL held a webinar dedicated to the new rules on electoral targeting ahead of the municipal elections, addressing the changes introduced by the regulation on transparency and targeting of political advertising. The event provided clarifications on political prospecting, voter targeting, and consent obligations in electoral campaigns.
The webinar is part of the CNIL’s action plan to protect voters’ data and offers practical guidance to political operators. For DPOs, lawyers, and communication leads of organizations involved in political or trade union activities, these clarifications are operational for ensuring compliance in electoral communications, especially in light of the implications of digital targeting for the fundamental rights of data subjects.
Source
---
EUROPEAN PARLIAMENT
Impact of artificial intelligence on the financial sector
The European Parliament adopted a resolution on the impact of AI in the financial sector, outlining emerging challenges and opportunities. The resolution highlights how the implementation of AI in banking and insurance is transforming decision-making processes, from credit assessment to risk management.
For privacy professionals, compliance officers, risk managers, and legal teams in the banking and insurance sector, the resolution signals the need to ensure transparency in automated decision-making algorithms, especially when they affect the fundamental rights of citizens. Balancing technological innovation and personal data protection becomes an operational activity, requiring robust governance frameworks to prevent algorithmic discrimination and ensure the right to explainability.
Source
Protection of minors online
The Parliament approved a resolution on the protection of minors online, addressing growing concerns about the exposure of children and adolescents to inappropriate content and harmful practices in the digital environment.
The resolution emphasizes the need for more effective age verification mechanisms and advanced parental control systems. For those working with minors’ data—DPOs of digital platforms, edtech, social media, but also lawyers and product leads—the complexity of managing such processing under the GDPR becomes evident, as protection has to be balanced against privacy. Platforms will need to adopt privacy-by-design approaches specific to young users.
The impact on social media and online services will be significant, requiring revisions of privacy policies and consent systems to ensure adequate protection without compromising the digital experience.
Source
---
COUNCIL OF THE EUROPEAN UNION
Council conclusions on teachers in the era of artificial intelligence
The Council of the European Union approved conclusions on the role of teachers in the era of AI, outlining the challenges and opportunities that artificial intelligence brings to the education sector. The document addresses meaningful issues related to the training of teaching staff and the responsible integration of AI technologies into teaching practices.
For those working on digital governance in education—school DPOs, principals, IT leads of schools and universities, and edtech vendors—the development is particularly relevant given the growing use of AI tools in classrooms. The privacy implications are significant: from the processing of students’ personal data through machine learning algorithms to the need to ensure transparency in automated decisions that may influence educational paths. The document underscores the importance of balancing technological innovation and the protection of fundamental rights.
Training teachers on privacy-by-design in AI tools becomes an operational lever for ensuring GDPR compliance in the educational environment of the future.
Source
---
DIGITAL MARKETS & PLATFORM REGULATION
‘Nobody expected them to like it’: DG Comp chief on battling Big Tech
Anthony Whelan, the new Director-General of DG Competition, offered a candid perspective on the regulation of American Big Tech. In an interview with Euractiv, Whelan stressed that technology companies “have the right not to like” the Digital Markets Act, “but they don’t have the right not to comply with it”. The Irishman, formerly von der Leyen’s digital adviser, now finds himself at the center of one of the most politicized battlegrounds in Brussels.
The new DG acknowledges the narrative asymmetry: the world’s most powerful and wealthiest companies naturally have more voice in the American political debate than the EU does. Nevertheless, Whelan points to the first positive signs of the DMA, citing alternative app stores and greater browser choice as indicators of changes in business models. For compliance professionals, tech lawyers, and regulatory officers, this is a meaningful evolution in the enforcement of European digital compliance.
Source
---
INTERNATIONAL DEVELOPMENTS
EU-US Border Security Partnership: Privacy vs Security
The European Parliament is negotiating a framework agreement with the United States to maintain the visa waiver program, which would require American access to European national databases, including biometric ones. The Enhanced Border Security Partnership represents a fundamental challenge for those working on digital governance: balancing security needs with the protection of personal data.
Source
Cyber resilience in the AI era: governance and supply chain
Artificial intelligence is reshaping cybersecurity, offering defensive opportunities while creating new vulnerabilities. The Future of Privacy Forum analysis highlights how supply chain attacks grew from 15% to 30% of breaches in 2025, doubling in just two years. Interconnected digital ecosystems amplify the risks, as demonstrated by the SolarWinds and PyTorch cases.
The development requires a coordinated approach to security governance. Vendor management becomes central: every third party is a potential attack surface. Risk assessment frameworks must consider the entire supply chain, from open source to cloud providers. AI can support automated monitoring, but it requires rigorous governance to avoid becoming itself a risk vector. The operational point for CISOs, DPOs, and supply chain leads: assess third parties not as a contractual formality, but as an active component of your own security posture.
Source
SECURE Data Act: toward a US Federal Standard
The SECURE Data Act is the latest attempt by the US Congress to create a federal privacy law. The proposal takes a conservative approach, drawing on the most restrictive state laws, such as those of Kentucky and Utah. It includes some innovative elements: a federal data broker registry, the classification of data of minors aged 13–16 as sensitive, and a certification process for codes of conduct.
The most significant aspect for those operating in multinational contexts is the recognition of the Global Cross-Border Privacy Rules (CBPR) as an approved standard. However, the bill has significant gaps: a narrow definition of biometric data, the absence of mandatory impact assessments, and the lack of automatic recognition of opt-out signals. American regulatory fragmentation appears set to continue, with growing operational complexities for multinational organizations that must navigate different state standards. The proposal merits monitoring in the next phases of its passage through Congress.
Source
ANTS France breach: 11.7 million records compromised
The French national agency for secure documents (ANTS) confirmed a breach that exposed the data of 11.7 million citizens. The attack, claimed by the ‘breach3d’ group, compromised sensitive information including full names, addresses, dates of birth, and account metadata. The agency manages documents such as driver’s licenses, ID cards, and passports.
The breach draws attention to the vulnerability of critical government infrastructure and to the escalation of attacks against digital public services. ANTS’s rapid response, involving CNIL, ANSSI, and the Paris Prosecutor’s Office, is a model of incident management, even though the scale of the breach raises concrete questions about the preparedness of public institutions. The operational point for DPOs, CISOs, and IT leads in the public sector: portals managing the data of millions of citizens require security controls calibrated to the criticality of the processing, not to the size of the entity.
Source
---
ARTIFICIAL INTELLIGENCE
AI Digital Omnibus: trilogue heading toward a decisive phase, possible postponement of the AI Act
The trilogue negotiations on the AI Digital Omnibus among the Commission, Parliament, and Council enter a decisive phase around 28-04-2026. The simplification package, part of the broader Omnibus strategy launched by the Commission in 2025 to reduce recurrent administrative burdens, has direct implications for the timeline of the AI Act’s application and, consequently, for the development of harmonized standards currently being prepared by CEN-CENELEC JTC 21.
Among the possible amendments under discussion is the postponement of the entry into application of certain provisions: in particular, the obligations relating to high-risk AI systems listed in Annex III, currently scheduled for 02-08-2026, may be deferred. For privacy professionals, compliance officers, AI governance specialists, and IT leads, the picture is evolving rapidly: adjustment plans and implementation roadmaps need to be built with flexibility, considering alternative scenarios for the actual date of application.
Source
Civil society letter against the weakening of the AI Act in the Omnibus
A group of 34 organizations and individuals representing civil society, consumers, doctors, hospitals and healthcare services, conformity assessment bodies, and academia addressed a joint open letter to the European Commission, the Cypriot Presidency of the EU Council, and Members of the European Parliament, expressing concern about current proposals in the AI Omnibus that would reduce the scope and effectiveness of the AI Act.
The letter, also coordinated by BEUC, contributes to the debate on simplification as potential disguised deregulation. For those working in the AI compliance space, the initiative signals the political stakes of the moment: the outcome of the trilogue may affect operational priorities in the coming months, from the classification of high-risk systems to transparency obligations and to fundamental rights impact assessment requirements.
Source
AI can autonomously hack cloud systems with minimal oversight: researchers
Researchers at Palo Alto Networks have developed “Zealot”, an AI system capable of conducting autonomous cyberattacks against cloud infrastructure. The experiment showed that AI can complete entire attack chains—from reconnaissance to data exfiltration—with minimal human intervention, even improvising unprogrammed strategies such as injecting SSH keys to maintain persistent access.
The development signals a meaningful challenge for those working on security and governance: current detection systems, designed to identify human behavioral patterns, may prove inadequate against AI attacks operating at machine speed. Organizations will need to rethink their defense strategies, considering that attackers may soon leverage autonomous AI to conduct large-scale espionage campaigns with unprecedented efficiency.
Source
Germany faces resistance in push to weaken AI rules
Germany is facing strong opposition in its attempt to weaken the EU AI Act restrictions for the manufacturing sector. A group of 10 European countries opposes the German proposal to move devices such as machinery and medical equipment out of the AI Act’s scope into specific sectoral regulations, fearing substantial deregulation disguised as simplification.
The debate reflects the tension between industrial competitiveness and the protection of fundamental rights in the AI era. For those working on AI governance, this regulatory battle is central: fragmenting the regulation into twelve separate compliance logics would make the governance of high-risk AI more complex. The outcome of negotiations, expected in the coming weeks, may affect the practical implementation of the AI Act and its effectiveness in protecting European citizens.
Source
Article 26 AI Act: operational checklist for deployers of high-risk AI systems
The article provides a detailed operational checklist for deployers of high-risk AI systems, translating Article 26 of the AI Act into concrete actions. The guide covers 13 compliance areas, from human oversight to registration in the EU database, identifying responsible organizational functions and required documentation.
The tool is operational for those who must prepare for the 02-08-2026 deadline for Annex III systems. The checklist highlights the interconnection between the AI Act and the GDPR, particularly for the Fundamental Rights Impact Assessment (Art. 27). The systematic approach proposed facilitates the implementation of a robust compliance framework, reducing the risk of non-compliance and supporting responsible and transparent AI governance.
Source
---
CYBERSECURITY
CISA updates the KEV catalog with four new vulnerabilities
CISA added four actively exploited vulnerabilities to its KEV catalog, setting the deadline of 08-05-2026 for federal agencies. The flaws affect SimpleHelp (CVE-2024-57726 and CVE-2024-57728), Samsung MagicINFO 9 Server (CVE-2024-7399), and D-Link DIR-823X routers (CVE-2025-29635).
The SimpleHelp vulnerabilities have been linked to ransomware campaigns, including the DragonForce operation, while the Samsung flaw has been exploited to deploy Mirai botnets. The operational point is straightforward: without an up-to-date system inventory and timely patch management, the risk remains unmanageable—especially for remote access solutions and IoT devices, which are favoured attack vectors.
Source
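The "inventory plus patch management" point above is only actionable if the KEV feed is actually joined against what you run. The following is an added example, not CISA's tooling: it cross-checks KEV-style records against an asset list and ranks each hit by deadline and ransomware linkage. The four CVE ids, the three products and the 08-05-2026 due date are taken from the item above; everything else in the two sample lists (asset names, the ransomware flags, the inventory itself) is constructed, and the record field names follow the public KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse).

```python
"""
Added example, not CISA's code: join a KEV-style feed against an asset
inventory so every exposed system gets a remediation deadline.
Constructed sample data; only the CVE ids, products and the 2026-05-08
due date come from the newsletter item. Field names follow the public
KEV JSON feed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed inventory: the CMDB export a vulnerability team would start from.
INVENTORY = [
    {"asset": "rmm-01", "vendor": "SimpleHelp", "product": "SimpleHelp"},
    {"asset": "signage-gw", "vendor": "Samsung", "product": "MagicINFO 9 Server"},
    {"asset": "branch-router-3", "vendor": "D-Link", "product": "DIR-823X"},
    {"asset": "web-01", "vendor": "nginx", "product": "nginx"},
]


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    due: date
    days_left: int      # negative once the deadline has passed
    ransomware: bool    # KEV says the flaw is used in ransomware campaigns


def _norm(s: str) -> str:
    """Normalise vendor/product strings so 'D-Link' and 'd link' compare equal."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def match_kev(inventory: List[dict], kev: dict, today: date) -> List[Finding]:
    """Return one Finding per (asset, CVE) pair whose vendor and product match,
    most urgent first: ransomware-linked flaws, then shortest remaining time."""
    findings = []
    for v in kev["vulnerabilities"]:
        due = date.fromisoformat(v["dueDate"])
        for a in inventory:
            if _norm(a["vendor"]) == _norm(v["vendorProject"]) and _norm(a["product"]) == _norm(v["product"]):
                findings.append(Finding(
                    asset=a["asset"], cve=v["cveID"], due=due,
                    days_left=(due - today).days,
                    ransomware=v.get("knownRansomwareCampaignUse", "Unknown") == "Known",
                ))
    findings.sort(key=lambda f: (not f.ransomware, f.days_left, f.asset))
    return findings


def overdue(findings: List[Finding]) -> List[Finding]:
    """Findings whose agency deadline has already passed."""
    return [f for f in findings if f.days_left < 0]


def by_asset(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group CVEs per asset, which is the shape a ticket per system needs."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.asset, []).append(f.cve)
    return out


if __name__ == "__main__":
    for f in match_kev(INVENTORY, KEV_SAMPLE, date(2026, 4, 28)):
        print(f"{f.asset:16} {f.cve:16} due {f.due} ({f.days_left:+d} d) ransomware={f.ransomware}")
```

Matching on vendor and product only is deliberately coarse: a version-aware check needs version data that many inventories lack, and a false positive here costs one triage ticket, whereas a missed remote access server is exactly the scenario the item describes.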
Itron discloses breach of internal IT network
Utility technology company Itron disclosed to the SEC a breach of internal systems detected on 13-04-2026. The company, which manages 112 million endpoints for 7,700 customers in 100 countries, activated its cybersecurity response plan and contained the attack without significant operational disruptions.
Itron stated that the activity did not extend to customers, but the nature of the company’s business—interconnected with critical infrastructure such as electricity and water networks—amplifies the potential implications. The case confirms how supply chain risk assessment requires specific controls for vendors managing critical infrastructure, even when they do not appear directly involved in the processing of personal data.
Source
ADT confirms data breach after ShinyHunters threats
Home security giant ADT confirmed a data breach on 20-04-2026, after the ShinyHunters group threatened to release 10 million stolen records. According to the attackers, the breach occurred via vishing against an employee, compromising the Okta SSO account and accessing Salesforce data.
The data involved includes names, phone numbers, addresses, and in some cases, dates of birth and the last four digits of Social Security numbers. The breach is the third incident for ADT since 2024, indicating systemic vulnerabilities. The message for CISOs, security leads, and DPOs is clear: advanced anti-phishing controls, robust multi-factor authentication, and continuous SSO access monitoring are no longer optional, given that social engineering attacks remain one of the leading causes of corporate system breaches.
Source
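"Continuous SSO access monitoring" is the most concrete of the three controls named above, and the attack sequence the item describes (social engineering, an MFA reset, a login from a device the user never used, then SaaS data access) is a detectable chain. The following detector is an added example, not ADT's, Okta's or Salesforce's code: the event lines are constructed, use a generic schema rather than any vendor's log format, and the 30-day IP baseline is assumed to have been built from historical logins.

```python
"""
Added example, not any vendor's code: detect the SSO account-takeover chain
"MFA reset/enrolment -> login from a never-seen IP within a short window ->
application access from that session". Events and baseline are constructed
sample data in a generic schema.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log (JSON lines). Two users; only j.doe shows the pattern.
EVENTS = """
{"ts":"2026-04-20T09:02:10Z","user":"j.doe","event":"login.success","ip":"203.0.113.10","device":"win-laptop-4412","app":null}
{"ts":"2026-04-20T13:40:02Z","user":"j.doe","event":"mfa.factor.reset","ip":"198.51.100.7","device":null,"app":null,"actor":"helpdesk"}
{"ts":"2026-04-20T13:47:31Z","user":"j.doe","event":"mfa.factor.enrolled","ip":"198.51.100.7","device":"android-unknown-01","app":null}
{"ts":"2026-04-20T13:49:05Z","user":"j.doe","event":"login.success","ip":"198.51.100.7","device":"android-unknown-01","app":null}
{"ts":"2026-04-20T13:55:40Z","user":"j.doe","event":"app.access","ip":"198.51.100.7","device":"android-unknown-01","app":"crm"}
{"ts":"2026-04-20T14:10:00Z","user":"a.smith","event":"login.success","ip":"203.0.113.22","device":"mac-2210","app":null}
"""

# Constructed 30-day baseline: IPs each user has logged in from before.
HISTORY: Dict[str, Set[str]] = {"j.doe": {"203.0.113.10"}, "a.smith": {"203.0.113.22"}}


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_takeover(events: List[dict], baseline: Dict[str, Set[str]],
                    window: timedelta = timedelta(minutes=60)) -> List[dict]:
    """Return one alert per user for whom an MFA reset or enrolment was followed,
    within `window`, by a successful login from an IP outside that user's
    baseline; application access from the same IP in the window is attached
    to the alert so the analyst sees what the session reached."""
    alerts: List[dict] = []
    last_reset: Dict[str, datetime] = {}   # user -> most recent MFA change
    open_alert: Dict[str, dict] = {}       # user -> alert still being enriched
    for e in events:
        u = e["user"]
        if e["event"] in ("mfa.factor.reset", "mfa.factor.enrolled"):
            last_reset[u] = e["ts"]
        elif e["event"] == "login.success":
            known_ip = e["ip"] in baseline.get(u, set())
            reset_at = last_reset.get(u)
            if not known_ip and reset_at is not None and e["ts"] - reset_at <= window:
                alert = {"user": u, "reset_at": reset_at, "login_at": e["ts"],
                         "ip": e["ip"], "device": e["device"], "apps": []}
                alerts.append(alert)
                open_alert[u] = alert
        elif e["event"] == "app.access":
            a = open_alert.get(u)
            if a and e["ip"] == a["ip"] and e["ts"] - a["login_at"] <= window:
                a["apps"].append(e["app"])
    return alerts


if __name__ == "__main__":
    for a in detect_takeover(parse_events(EVENTS), HISTORY):
        print(f"{a['user']}: MFA changed {a['reset_at'].time()}, new-IP login from "
              f"{a['ip']} ({a['device']}) at {a['login_at'].time()}, apps reached: {a['apps']}")
```

The rule keys on the MFA change rather than on the new IP alone, which keeps travel and home-office logins out of the alert queue; a plain "new IP" rule would fire constantly, which is how monitoring ends up switched off.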
Rituals discloses customer database breach
Dutch cosmetics giant Rituals disclosed a breach of the “My Rituals” database that compromised personal data of an unspecified number of its more than 41 million members. The stolen data includes full names, emails, phone numbers, dates of birth, and addresses, but no passwords or payment information.
The company discovered the incident in early April after being alerted to unauthorized downloads and subsequently blocked the attackers’ access. The lack of details on the nature of the attack and on attribution leaves open questions about the compromise vectors. For those managing customer databases on a comparable scale, the case confirms the value of monitoring systems capable of detecting anomalous activity and of clear communication plans to handle breach notifications in compliance with the GDPR.
Source
UK Biobank: 500,000 health records for sale on Alibaba
UK Minister Ian Murray revealed that UK Biobank suffered a breach that led to the sale of medical data of approximately 500,000 volunteers on Alibaba. The organization, which has close ties to the NHS, suspended access to data and self-reported to the ICO.
This is the second security incident for UK Biobank in two months, after data files were inadvertently published online in March. The organization implemented new security measures, including taking the platform offline for three weeks for security updates. For those working in the healthcare sector—hospital DPOs, research leads, clinical data governance—the case confirms the specific risks in sharing data for research purposes and the value of automated “airlock” systems to prevent unauthorized exfiltration of sensitive data by external researchers.
Source
Russia weaponizes AI for European cyberattacks
Dutch military intelligence (MIVD) confirmed that Russia is using artificial intelligence to automate and accelerate cyberattacks against Europe. The ability to conduct high-speed cyber operations through automation signals a meaningful escalation in hybrid threats.
The weaponization of AI by state actors requires a coordinated response at the European level. For CISOs, DPOs, and security leads, AI is now both a defensive tool and a threat vector: automation enables more sophisticated phishing attacks, convincing deepfakes, and automated vulnerability analysis. Defense strategy will need to evolve toward AI-driven systems for behavioral monitoring and anomaly detection, while always maintaining human oversight in critical decisions.
Source
---
TECH & INNOVATION
Apple released an update fixing a vulnerability exploited by law enforcement to extract deleted messages from iPhones. The bug allowed the recovery of contents of cleared notifications up to a month later, including Signal messages theoretically protected by automatic deletion.
The flaw, revealed by 404 Media, showed how the content of notifications was stored in the device’s database even after deletion from the original app. Signal had asked Apple to urgently address the issue, emphasizing the importance of the fix for at-risk users.
The case shows how operating system-level vulnerabilities can compromise the privacy guarantees of applications: a holistic assessment of technological risks in corporate policies is therefore necessary, especially for those managing sensitive data or operating with exposed users.
Source
EU age verification app hacked in two minutes
The European Commission unveiled an online age verification app that promised the highest privacy standards. However, security researchers reportedly compromised the protections in less than two minutes, exploiting vulnerabilities in the open source code.
The reported flaws include modifiable anti-brute force controls, biometric authentication that can be disabled, and sensitive credentials not protected by secure hardware. The Commission downplayed the issue, calling it a “demo version”, while the experts say they tested the most recent code. The story merits monitoring in the coming weeks.
The case sheds light on the inherent risks of age verification systems, which require the linking of real identity to online actions. For those working on compliance and digital governance, it is a reminder of the need for thorough assessments before implementing seemingly secure privacy-by-design solutions.
Source
---
SCIENTIFIC RESEARCH
A selection of the most relevant papers of the week from arXiv on AI, Machine Learning, and Privacy
Privacy and Contextual Integrity in LLMs
Reinforcing privacy reasoning in LLMs via normative simulacra from fiction
The authors propose an innovative approach to align Large Language Models with users’ contextual privacy expectations, based on the Contextual Integrity framework. The research addresses the misalignment between LLMs’ information handling practices and context-specific privacy norms.
arXiv
Separable Expert Architecture: Toward Privacy-Preserving LLM Personalization via Composable Adapters and Deletable User Proxies
A three-tier architecture is presented that decouples personal data from the model’s shared weights, combining a static base model with composable LoRA adapters and deletable user proxies. The approach enables computationally efficient removal of individual data without requiring full retraining.
arXiv
Privacy Attacks and Differential Privacy
Toward Efficient Membership Inference Attacks against Federated Large Language Models: A Projection Residual Approach
The research analyzes the risks of membership inference attacks in Federated Large Language Models, demonstrating how shared gradients can still expose sensitive information despite data localization. More efficient attack techniques are proposed, leveraging the unique properties of FedLLMs.
arXiv
Differentially Private Model Merging
The authors present a methodology for generating models that satisfy different differential privacy requirements without additional training steps. The approach addresses the need to dynamically adapt privacy levels at inference time based on varying policies and regulations.
arXiv
Security and Unlearning
Mitigating Fine-tuning Risks in LLMs via Safety-Aware Probing Optimization
The study addresses the risks of safety compromise during LLM fine-tuning, even with seemingly benign data. A safety-aware probing approach is proposed to maintain safety alignment during model personalization phases.
arXiv
CAP: Controllable Alignment Prompting for Unlearning in LLMs
The research introduces a methodology for selective unlearning that does not require modifications to model parameters, overcoming the computational and weight-accessibility limitations. The approach promises greater control over the boundaries of forgetting for regulatory and ethical compliance.
arXiv
Audit and Security Evaluation
Breaking Bad: Interpretability-Based Safety Audits of State-of-the-Art LLMs
A comprehensive interpretability-based safety audit is presented for eight state-of-the-art open-source LLMs. The research goes beyond black-box probing to systematically uncover vulnerabilities rooted in the model’s internal elements, providing tools for compliance assessments.
arXiv
Cross-Session Threats in AI Agents: Benchmark, Evaluation, and Algorithms
The study identifies a vulnerability in the guardrails of AI agents: the lack of memory across sessions allows distributed attacks to evade detectors. Benchmarks and algorithms are proposed for the detection of cross-session threats.
arXiv
---
AI ACT IN A NUTSHELL - Part 18
Article 22 - Authorized representatives of providers
After exploring in Part 17 how providers must cooperate with competent authorities, today we shift attention to a central figure in the implementation of the AI Act: the authorized representative. Article 22 of the Regulation governs a fundamental mechanism to ensure that even non-EU providers can operate in the European market while fully respecting regulatory obligations.
Who must appoint an authorized representative
The obligation to appoint applies exclusively to providers of high-risk AI systems established outside the European Union but intending to place their products on the EU market under their own name or trademark. This is therefore a provision that directly affects American, Chinese, British, and other third-country technology companies developing AI systems intended for the European market.
The authorized representative must be a natural or legal person established in the European Union and must be designated by written mandate from the non-EU provider. This designation is not a mere formality: the representative becomes the official point of reference for all interactions with European supervisory authorities.
Obligations of the representative
The core of Article 22 lies in defining the specific tasks that the authorized representative must perform. First, the representative must verify that the EU declaration of conformity has been drawn up and that the required technical documentation is available. This means that the representative cannot limit themselves to a passive role but must take action to verify that the provider has actually fulfilled the documentary obligations.
The representative also has the responsibility of keeping the technical documentation and the EU declaration of conformity available to competent authorities for a period of ten years following the placing on the market of the AI system. This is a particularly burdensome retention obligation that requires a structured documentary organization and reliable archiving systems.
A particularly delicate aspect concerns cooperation with competent authorities. The representative must provide them, upon reasoned request, with all the information and documentation necessary to demonstrate the conformity of the AI system. Furthermore, they must cooperate with competent authorities in relation to any corrective action taken to eliminate the risks posed by AI systems falling within their mandate.
Operational implications for organizations
For non-EU companies, the choice of the authorized representative cannot be casual. It is necessary to identify entities with specific expertise in AI and regulatory compliance, equipped with an adequate organization to handle documentary obligations and relations with authorities. This figure will often coincide with specialized law firms or consulting companies with expertise in the technology sector.
A concrete example may be that of a Californian company developing AI systems for facial recognition for the security sector. To operate in the European market, it will necessarily have to appoint an authorized representative established in the EU, who will take charge of verifying the conformity of the technical documentation and interfacing with the competent authorities of the various Member States in case of inspections or requests for information.
Liability and sanctions
It is important to underline that the appointment of the authorized representative does not relieve the non-EU provider of its own responsibilities. The representative acts on behalf of the provider, but the latter remains the principal subject of regulatory obligations. However, the representative may be held directly liable for non-fulfillment of their own specific obligations, such as failure to retain documentation or non-cooperation with authorities.
In the next installment, we will analyze Article 23, which deals with the obligations of importers and their specific responsibilities in the distribution chain of high-risk AI systems.
---
LEGAL PROMPTING
Integrating AI into compliance: operational strategies and cautions
After exploring case law analysis from the EU Court of Justice, we shift attention to an even more delicate terrain: integrating Legal Prompting into corporate compliance processes without amplifying the risks it is supposed to help manage.
Compliance is by nature an activity of continuous synthesis and evaluation. Here AI can support professional work through three specific functions: regulatory mapping, monitoring of legislative developments, and preliminary compliance assessments. However, every application requires rigorous protocols.
Assisted regulatory mapping: A structured prompt can help identify the rules applicable to a specific scenario. For example: “Identify the European and Italian legislation applicable to a cloud computing service that processes health data on behalf of public hospitals, considering the cloud provider’s role as data processor.” The output provides a starting point, but verification of sources and analysis of regulatory interactions remain the professional’s task.
Legislative monitoring: AI can process official bulletins and identify regulatory changes relevant to specific sectors. Legal Prompting here becomes central to defining precise search parameters and prioritization criteria, avoiding both information overload and the loss of meaningful updates.
Preliminary assessments: Particularly useful for rapid impact assessments or initial gap analyses. A well-crafted prompt can structure the analysis according to consolidated frameworks (privacy by design, risk assessment methodologies), accelerating the preparatory phase of professional work.
As always, we must remember that language models construct plausible outputs without the deductive reasoning typical of legal method. Professional supervision is not optional but constitutive of service quality. Furthermore, the European regulatory framework — AI Act, GDPR, professional codes of conduct — requires a preliminary impact assessment for every implementation of AI in professional processes. Finally, the choice of infrastructure (cloud-based vs local deployment models) becomes a compliance issue when handling information covered by professional secrecy.
Next week we will explore a complementary use case: AI-assisted contract review, exploring how to structure effective prompts for clause analysis and the identification of contractual issues.
Further reading:
Legal Prompting: The New Frontier of AI in the Legal Field
---
PODCAST
NicFab Podcast — Legal Prompting - AI-assisted contract and clause analysis
In this sixth episode we apply prompting techniques to contract analysis.
Four distinct operations, each with its own prompt:
- Structured review of a single contract: role, applicable law, point of view, areas to examine, output format.
- Comparison between versions: substantive differences, risk classification, few-shot prompting to standardize the format.
- Verification against a checklist: the quality of the output depends on how specific the checklist is, and it must be built beforehand.
- DPA analysis against article 28 of the GDPR: each letter of paragraph 3 as an item in a structured verification.
Three non-negotiable cautions: the model does not negotiate, it does not know the commercial context, and it does not replace the full reading of the contract by the professional.
In the background, a recurring theme: where the model you use to analyze a client’s contract is actually running, a compliance choice before it is a technical one.
In the next episode: Legal Prompting as a structural component of corporate compliance processes.
---
FROM THE NICFAB BLOG
Self-hosting email: from Proton Mail to Mailcow with MailMate
23-04-2026
A case study on email migration from Proton Mail to self-hosted Mailcow with MailMate as the professional client: architecture, workflow, and maintenance.
Read the full article
Tracking pixels in emails: the Italian DPA Guidelines and the consent issue
22-04-2026
Analysis of the Italian DPA Guidelines of 17-04-2026 on tracking pixels in email communications: regulatory framework under Art. 122 of the Italian Privacy Code, obligations, exemptions, and critical aspects of the consent model and privacy by design.
Read the full article
Article 26 AI Act: operational checklist for deployers of high-risk AI systems
22-04-2026
Operational checklist for deployers of high-risk AI systems under Article 26 of the AI Act (Reg. EU 2024/1689). Each obligation is translated into concrete actions, responsible functions, and required documentation, with GDPR coordination points and implementation timing.
Read the full article
AI Literacy: what businesses must do today
20-04-2026
AI literacy in the AI Act: what businesses must do today. A 30-day plan, a roles-skills matrix, and a compliance checklist.
Read the full article
---
Featured Events and Meetings
Stakeholder event on competition and data protection: save the date (23-04-2026)
EDPB | Info
Apply AI sectoral deep dive - electronic communications (30-04-2026)
European Commission | Info
High-Level Debate: “From Omnibus to Opportunity: Driving Data Protection and Innovation” (08-06-2026)
EDPS | Info
---
Conclusion
The week of 20-04-2026 to 26-04-2026 marks a step change in the enforcement activity of the Italian Data Protection Authority. Three interventions trace a precise map of regulatory priorities: the EUR 12.5 million sanction against Poste Italiane and Postepay (Decision No. 237 of 17-04-2026, communicated on 20-04-2026) redefines the principle of proportionality—not even security and fraud prevention purposes justify invasive controls on users’ mobile apps; the new Guidelines on tracking pixels (Decision No. 284 of 17-04-2026) turn a practice considered standard into a potential compliance risk, with six months for adjustment and consent as the general rule; the reminder to the media on the Milan case extends data protection well beyond the digital perimeter, into the delicate balance between the right to report news and the dignity of individuals.
On the AI front, the trilogue on the AI Digital Omnibus enters a decisive phase around 28-04-2026, with the concrete possibility of a postponement of the application of obligations on Annex III high-risk systems currently scheduled for 02-08-2026. German pressure to move entire sectors out of the AI Act faces the opposition of ten European countries, while 34 civil society organizations—consumers, healthcare, conformity assessment, academia—signed a joint letter against the weakening of the Regulation. For those working in AI compliance, the message is clear: adjustment plans and implementation roadmaps need to be built with flexibility, considering alternative scenarios for the actual date of application.
Cybersecurity confirms its cross-cutting centrality. The CISA KEV catalog update, the breaches of Itron, ADT, Rituals, and UK Biobank, and the confirmation that Russia is using AI to automate attacks against Europe signal that the window between disclosure and exploit is shrinking. The supply chain—including third-party AI tools—emerges as a systemic vector, while the European age verification app, hacked in two minutes, reminds us that the best legislative intentions clash with often trivial technical vulnerabilities.
The overall reading is one: sanctions no longer target only obvious violations or gross negligence, but assess with growing sophistication the proportionality between means and ends. The Poste case teaches that invoking security is no longer an automatic safe conduct—a rigorous assessment of the impact on the rights of data subjects is required. The open question is whether Europe will be able to maintain this balance between technological innovation, security needs, and protection of the person as geopolitical and technological pressures intensify, or whether it will be forced to choose between operational effectiveness and the protection of rights.
---
📧 Edited by Nicola Fabiano
Lawyer - Fabiano Law Firm
🌐 Studio Legale Fabiano:
https://www.fabiano.law
🌐 Blog:
https://www.nicfab.eu
🌐 DAPPREMO:
www.dappremo.eu
---
Supporter
https://lawandtechnology.eu/
https://caffe20.it/
https://privacykit.it/
---
To receive the newsletter directly in your inbox, subscribe at nicfab.eu
Follow our news on these channels:
Telegram: @nicfabnews
Matrix: #nicfabnews:matrix.org
Mastodon: @nicfab@fosstodon.org
Bluesky: @nicfab.eu
---