Newsletter #19 - 5 May 2026


---

NicFab Newsletter

Issue 19 | May 5, 2026

Privacy, Data Protection, AI, and Cybersecurity

---

Welcome to issue 19 of our weekly newsletter dedicated to privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, you’ll find a curated selection of the most relevant news from the previous week, with a focus on European regulatory developments, case law, enforcement, and technological innovation.

---


ITALIAN DATA PROTECTION AUTHORITY

Stop Retaining Copies of Guests’ ID Documents

The Garante has issued a notice to trade associations in the hospitality sector: hotels, B&Bs, and guesthouses may not retain copies of guests’ ID documents beyond the time necessary for transmission via the Alloggiati Web portal. This stance follows an increase in reports and data breaches in recent months.

The identification obligation under public security legislation does not constitute a legal basis for retaining photocopies or scans. The widespread practice — especially among non-hotel facilities — of photographing documents with a smartphone or having them sent over WhatsApp exposes data subjects to identity theft and unauthorized access. Once transmission is complete, the copies must be deleted or destroyed. The only document that may be retained is the receipt generated by the portal, which must be kept for 5 years as evidence of compliance.

The Garante also highlights the security obligations under Article 32 of the GDPR, staff training, and, in the event of a breach, notification within 72 hours and communication to data subjects in the cases provided for.

Source

The Data Protection Authority at Race for the Cure: Focus on the Right to be Forgotten in Cancer Care

On May 7 and 8 at the Circus Maximus, within the Health Village of Komen Italia’s Race for the Cure, the Authority will host an information booth dedicated to the right to be forgotten in the context of cancer, with guidance on how to exercise this right with banks, insurance companies, employers, and in adoption procedures.

On Saturday, May 9, from 11 a.m. to 12 p.m., in the Conference Area, the Secretary General and officials of the Authority will hold the session “Data Protection, Cancer-Related Right to be Forgotten, and Screening,” aimed at healthcare professionals, with an explanation of the Screening Guidelines.

Source

GDPR 10th Anniversary: The Data Protection Authority releases the seventh episode of the podcast “About Privacy”

To mark the 10th anniversary of the GDPR, the Data Protection Authority has released the seventh episode of the podcast “About Privacy,” titled “Rights, Transparency, Accountability: 10 Years of the GDPR.” The initiative complements the EDPB’s communication of April 27, 2026, and, from the Italian perspective, takes stock of the Regulation ten years after its adoption, focusing on the evolution of data subjects’ rights, accountability dynamics, and the Authority’s work in communicating with the general public.

The podcast is available on the Data Protection Authority’s official website, as well as on Spotify and YouTube.

Source

The Board’s agenda through May 6, 2026

The schedule of institutional events in which the Board members will participate through May 6, 2026, has been updated.

Source

---

EDPB - EUROPEAN DATA PROTECTION BOARD

Ten Years of GDPR: The EDPB Celebrates the Anniversary

On April 27, 2026, the EDPB marked the tenth anniversary of the adoption of the GDPR, the first comprehensive data protection framework on a continental scale. The Regulation led to the establishment of the EDPB on May 25, 2018, replacing the Article 29 Working Party, and transformed the work of supervisory authorities by shifting the focus from national complaints to the structured handling of cross-border cases and strengthening enforcement powers.

The 31 DPAs that make up the Board have worked over the years to ensure consistent application of the Regulation. The EDPB now places the GDPR within a broader regulatory framework that includes the DSA, DMA, and AI Act, and highlights the Regulation’s ripple effect on numerous non-EU jurisdictions that have adopted similar frameworks. The communication is accompanied by a video featuring testimonials from national authorities on the evolution of the landscape before and after 2018.

Source

Coordinated supervisory action on Europol’s processing of data on children under 15

On April 30, 2026, the EDPB published a coordinated supervisory action on Europol’s processing of data on children under 15 treated as suspects or potential offenders. The initiative falls under the Coordinated Supervisory Committee and concerns a category of data subjects who combine two factors of vulnerability: minority and investigative status.

Source

Opinion 9/2026 on the Jacobs Douwe Egberts Group’s Controller BCRs

On April 27, 2026, the EDPB adopted, pursuant to Article 64 of the GDPR, an opinion on the draft decision of the Dutch Data Protection Authority regarding the Jacobs Douwe Egberts Group’s Controller Binding Corporate Rules.

[Source](https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-92026-draft-decision-dutch-supervisory_en)

Opinion 10/2026 on the SLB Group’s Controller BCRs

Also on April 27, 2026, the EDPB adopted an opinion on the draft decision of the Dutch Authority (Autoriteit Persoonsgegevens) regarding the SLB Group’s Controller BCRs, as part of the coordinated approval procedure under Article 64 of the GDPR.

Source

Opinion 12/2026 on the Santander Group’s Controller BCRs

On the same date, an opinion pursuant to Article 64 of the GDPR was issued on the AEPD’s draft decision regarding the Santander Group’s Controller BCRs. Three BCR opinions issued on the same day signal the continued flow of coordinated approvals, with the Dutch DPA and the Spanish AEPD playing their usual lead roles.

[Source](https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-122026-draft-decision-spanish-supervisory_en)

---

EDPS - EUROPEAN DATA PROTECTION SUPERVISOR

Newsletter Digest, Episode 20: AI in Public Administration, Cybersecurity Package, Biotech Act

On May 1, 2026, the EDPS published the twentieth episode of the Newsletter Digest, hosted by Miriam Cakurdova and John McLean. Three key topics were discussed: a policy paper on the supervision of AI in European public administrations, a joint opinion on the European cybersecurity package, and a second joint opinion on the proposed European Biotech Act, with a focus on the implications for health data.

The strategic document is the most significant piece: it defines the EDPS’s approach to the role it will be called upon to play as the supervisory Authority for AI systems used by EU institutions. In this area, the AI Act and Regulation 2018/1725 intersect. The two joint opinions (presumably with the EDPB) delve into the specifics of sector-specific regulatory frameworks: cybersecurity on one hand, and the reuse and processing of health data in the biotech context on the other, where the interface with the EHDS and GDPR will be the real crux of the matter.

Two dates are on the agenda: the EU Open Day on May 9, 2026, and the debate “From Omnibus to Opportunity: Driving Data Protection and Innovation” on June 8, 2026.

The EDPS also previewed the episode in its News Feed on April 30, 2026, without adding any substantial details beyond the podcast’s content.

Source

[EDPS News Feed](https://www.edps.europa.eu/press-publications/press-news/news/2026/new-episode-newsletter-digest-out)

---

EUROPEAN COMMISSION

Quantum Europe Strategy: the EESC’s opinion

The European Economic and Social Committee has published its opinion on the Commission Communication to the European Parliament and the Council, “Quantum Europe Strategy: Quantum Europe in a Changing World” (COM(2025) 363 final). The document is part of the EU’s strategy on quantum technologies. This field directly intersects with cybersecurity, post-quantum cryptography, and the long-term sustainability of technical measures required by the GDPR and sector-specific security regulations.

The opinion is available on EUR-Lex under two parallel references, OJ C_202601958 and CELEX 52025AE2334, both dated April 27, 2026. The dual publication reflects EUR-Lex’s indexing practice (Official Journal number and CELEX code) and refers to the same act.

For those involved in compliance, the key point to monitor is not the opinion itself—an advisory act—but the direction the Commission will take with its quantum strategy: from migration deadlines for post-quantum algorithms to the characterization of “harvest now, decrypt later” risks in impact assessments.

Source

CELEX Source

---

CNIL - FRENCH AUTHORITY

DPO Activity Report: CNIL Publishes a Template

On April 27, 2026, the CNIL reiterated its recommendation to prepare a periodic DPO activity report and provided a downloadable template to facilitate its preparation.

The report is not mandatory but is part of the DPO’s responsibilities. The CNIL describes it as a tool for managing compliance and reporting to the organization’s leadership, with quarterly, semiannual, or annual reporting, depending on the activity. The expected content is concrete—assessments of processing operations and high-risk projects based on the register, DPIA, audits, breaches, and complaints; evaluation of legal, financial, and reputational risks; documentation of compliance actions (revision of privacy notices, contractual clauses, technical and organizational measures, staff awareness, procedures for data breaches, and data subjects’ rights); identification of obstacles and measures to enhance the organization’s maturity.

The report also serves as a historical record of actions taken, useful in the event of an audit or dispute. The CNIL template can be adapted for both internal and external communications related to compliance.

Source

Retail: Alliance du Commerce Code of Conduct Approved

On April 28, 2026, the CNIL approved the code of conduct submitted by the Alliance du Commerce for the French apparel and footwear sector.

It is the first nationwide code approved by the CNIL and the third sector-specific code following CISPE (2021, cloud computing) and EUCROF (2024, clinical trials). It joins the fifteen or so codes already adopted in Europe since the GDPR came into force. Retail chains and stores with decision-making centers in France, or the French branches of international groups, may act as data controllers for in-store and online retail sales and distribution activities. Relationships with suppliers and employees are excluded.

The code is designed as a “turnkey” operational tool focused on marketing activities and identifies the key control points for demonstrating compliance. Adherence is binding: participants are subject to monitoring by a third-party body, separate from the CNIL, regarding the application of the code (Art. 41 GDPR).

Source

CNIL-AFCDP Webinar: Kit to Raise Awareness Among Working Parents About Their Children’s Digital Habits

The CNIL has made available the recording of the March 10, 2026, webinar dedicated to the digital parenting awareness kit, developed in collaboration with the Association Française des Correspondants à la protection des Données à caractère Personnel (AFCDP).

The kit is designed for DPOs who wish to organize workplace awareness sessions for employees who are also parents of elementary school-aged children. Topics include: protecting minors’ personal data online, balancing child protection with respect for their privacy, and guidance on the use of social media and AI. The educational resources are available free of charge. Speaker: Carina Chatain.

[Source](https://www.cnil.fr/fr/revoir-le-webinaire-numerique-enfants-sensibilisation-parents-salaries)

---

EUROPEAN PARLIAMENT

Cyberbullying: Parliament calls for a harmonized definition and strict enforcement of the DSA

On April 30, 2026, the plenary adopted by a show of hands a resolution calling on the Commission to assess a harmonized definition of cyberbullying at the EU level and its possible inclusion among cross-border crimes under Article 83 TFEU, as well as the addition of hate crimes to the same list.

Regarding platforms, MEPs call for strict enforcement of Article 28 of the DSA on the protection of minors, urge the Commission to close pending cases, and reject any reopening of the Regulation. Explicit criticism is directed at business models that incentivize hateful content and at hyper-personalized recommendation systems that amplify hate speech while penalizing less divisive content. On AI, MEPs call for enforcement of the AI Act’s labeling requirements for deepfakes and non-consensual intimate content, and for a ban on so-called “nudifier apps,” currently under negotiation between the co-legislators. Parliament also laments the absence of a legal framework for detecting CSAM online and calls for voluntary reporting mechanisms in the interim.

Source

EU Age Verification App: Parliament calls for suspension of deployment due to critical vulnerabilities

Among the most relevant passages for DPO/compliance professionals, motion B10‑0208/2026—incorporated into the resolution on cyberbullying—notes that the European age verification app, launched by the Commission on April 15, 2026, was found to be vulnerable to critical security flaws “within hours of its release.” The Parliament calls on the Commission to suspend its deployment until the highest standards of security and privacy are met, including through privacy-preserving techniques such as zero-knowledge proofs, and to await the conclusions of the expert panel convened by the Commission President before taking further decisions regarding age verification and age restrictions on social media.

This point is part of the broader debate on the architecture of the EUDI Wallet and the selective disclosure of attributes: an area that directly intersects the tension between child protection objectives and the principles of data minimization and proportionality of processing.

Source

Revision of the Europol Regulation: data protection issues ahead of the Q2 2026 proposal

An EPRS briefing dated April 29, 2026, anticipates the revision of the Europol Regulation scheduled in the Commission’s 2026 work program, with a proposal expected in the second quarter, accompanied by an evaluation of the 2016 Regulation and a “back-to-back.”

The critical issue remains the legacy of Regulation (EU) 2022/991, which expanded the agency’s powers regarding the processing of large and complex datasets, the receipt of personal data from private entities, exchanges with third countries, and use for research and innovation. The EDPS has challenged its compatibility with the EU data protection framework and has filed an appeal pending before the CJEU. The evaluation report published by the Commission in December 2025 confirms Member States’ support for the new processing tasks but highlights inefficiencies in governance and the data protection framework. Against this backdrop, von der Leyen’s July 2024 policy direction to transform Europol into “a truly operational police agency” suggests a further expansion of its powers, to be balanced by oversight from the Parliament and the EDPS.

Source

EES fully operational: 52 million crossings recorded

An EPRS At a Glance report dated April 28, 2026, takes stock of the Entry/Exit System managed by eu-LISA, which was fully deployed in April 2026. The system, which replaces passport stamps by recording entries, exits, and refusals of entry for third-country nationals using biometric data, has already processed over 52 million border crossings and enabled the identification of potential security risks.

Staff shortages, technical issues, and limited use of pre-registration tools have delayed implementation. Oversight consists of periodic audits, detailed statistical reporting, and evaluations by eu-LISA and the Commission, including those on the impact on fundamental rights.

Source

---

COUNCIL OF THE EUROPEAN UNION

Review of the Digital Markets Act: documents submitted to the Council

On April 29, 2026, the Commission submitted to the European Parliament, the Council, and the EESC the Report on the review of Regulation (EU) 2022/1925 (Article 53 DMA), accompanied by the relevant Staff Working Document. This is the first formal review since the Regulation entered into force. The Council document references are ST-8778-2026-INIT (Report) and ST-8778-2026-ADD-1 (SWD). For political and enforcement analysis, see the section DIGITAL MARKETS & PLATFORM REGULATION.

Report ST-8778-2026-INIT

SWD ST-8778-2026-ADD-1

Biocides: Parliament’s first reading on the extension of data protection periods

Between April 27 and 30, 2026, during its plenary session in Strasbourg, the European Parliament concluded its first reading of the proposal for a Regulation amending Regulation (EU) No. 528/2012 regarding the extension of certain data protection periods. The outcome is now forwarded to the Council under the ordinary legislative procedure. The amendment affects the duration of data protection for active substances and biocides, a key factor in balancing registrants’ investment costs with market access.

Source

Biocidal Products Regulation: Text Adopted on Data Protection Periods

On April 28, 2026, the text of the Regulation of the European Parliament and of the Council amending Regulation (EU) No. 528/2012 on the extension of certain data protection periods was adopted. This is the version that formalizes the changes to the data protection regime within the biocides framework, distinct from personal data protection under the GDPR but relevant for those managing regulatory dossiers and market access strategies in the sector.

Source

---

DIGITAL MARKETS & PLATFORM REGULATION

European Parliament Calls for Strict Enforcement of the DMA Against External Pressure

On April 30, 2026, the European Parliament adopted by a show of hands a non-binding resolution calling on the Commission to ensure the timely and consistent enforcement of the Digital Markets Act, warning against political pressure from third countries aimed at weakening the Regulation. The message is clear: external interference must not compromise the EU’s regulatory sovereignty.

MEPs express regret over the “modest” fines imposed on Meta and Apple and call for effective and proportionate fines to ensure deterrence. Ongoing non-compliance proceedings must be concluded without undue delay.

The resolution lists specific practices under scrutiny: Google’s self-preferencing, TikTok’s consent screens based on behavioral techniques, Microsoft’s changes to default settings and access to competing services, and Booking.com’s price parity clauses. There is also concern about restricted access to audiovisual services on smart TVs, with fears of replicating the dynamics already seen on Android smartphones.

Regarding the scope of application, the Parliament is pushing to extend scrutiny to search tools based on generative AI—explicitly citing Google’s AI overview—and to cloud computing services, classified as strategically important. The indicated enforcement priorities are interoperability, data access, anti-steering, and a ban on self-preferencing, assessed based on concrete market outcomes.

Source

EN version

The Commission Publishes the DMA Review under Article 53

On April 28–29, 2026, the Commission published the Report to the European Parliament, the Council, and the EESC on the review of Regulation (EU) 2022/1925, as required by Article 53 of the DMA, accompanied by the relevant Staff Working Document. This is the first formal review of the Regulation on contestable and fair markets in the digital sector, approximately two years after the obligations for designated gatekeepers became fully applicable.

The full texts of the documents are not available here; the references are COM(2026) 178 final for the report and SWD(2026) 123 for the staff working document. The timing explains the tone of the parliamentary resolution adopted a few days later: the review comes as non-compliance proceedings are pending and as the institutional debate focuses on extending the scope to generative AI and the cloud.

[Source COM/Report](https://eur-lex.europa.eu/legal-content/AUTO?uri=COM%3A2026%3A178%3AFIN)

CELEX Report

Staff Working Document

---

EUROPEAN STANDARDIZATION

EN 18235-1:2026 — first European standard on “trusted data transactions”

CEN and CENELEC, through the Joint Technical Committee CEN-CLC/JTC 25 “Data management, Dataspaces, Cloud and Edge,” have published the standard EN 18235-1:2026 “Trusted data transactions – Part 1: Terminology, concepts and mechanisms.” It is the first deliverable of the technical committee, established in September 2024, and defines the shared terminology, key concepts, and mechanisms underlying trusted data transactions in the European space.

The relevance for those working in data protection is twofold. From a regulatory perspective, the standard is part of the “European Trusted Data Framework”, supports the implementation of Article 33 of the Data Act (Regulation (EU) 2023/2854), and provides a common language for the Data Governance Act and the architectures of European data spaces (Health, Mobility, Manufacturing, etc.). From an operational standpoint, alignment with a harmonized standard makes it easier to demonstrate compliance of data-sharing and exchange solutions and supports the contractual qualification of relationships among providers, intermediaries, and users. A second part of the series (prEN 18235-2 on “trustworthiness requirements”) is currently under development.

For DPOs and compliance officers, the key point is that this family of standards can become a relevant technical reference for demonstrating compliance in data-sharing architectures. Any “presumption of conformity” effect will depend, as always, on the standard’s citation in the Official Journal of the European Union in relation to the applicable legislation.

Source

Annual Union Work Programme 2026 for European Standardization

The Commission has published the Annual Union Work Programme 2026 (AUWP 2026) for European standardization, structured around five key priorities and forty-three actions in support of EU competitiveness policies. CEN and CENELEC welcomed the publication, emphasizing the role of standardization as a tool for the technical implementation of the AI Act, cybersecurity regulations, the data spaces regime, and sectoral regulations.

In parallel, CEN and CENELEC have released their own Work Programme 2026, which focuses on Artificial Intelligence, Cybersecurity, and the Digital Product Passport as technologies that will shape the next phase of Europe’s digital transition.

For the DPO/compliance community, the two documents—the Commission’s program and the CEN/CENELEC program—serve as a guide to the areas where requests for harmonized standardization can be expected, which will impact technically demonstrable compliance requirements in the coming months.

Source: CEN/CENELEC Work Programme 2026

CEN/CENELEC page on dataspaces

---

INTERNATIONAL DEVELOPMENTS

FPF at the 2026 IAPP Global Summit: AI governance takes center stage

From March 31 to April 2, the Future of Privacy Forum participated in the IAPP Global Summit in Washington, D.C., complementing its internal convenings with public panels and meetings with regulators. Among the notable presentations, Senior Fellow Tanya Richardson spoke on the panel “In AI We Trust? Governing High-Stakes AI Before Regulators Step In” alongside Hope Anderson (White & Case), Taylor Galusha (Chime), and Marisha Pareek (DoorDash), proposing an operational framework for organizations operating within a rapidly evolving regulatory landscape.

The highlight was the PEN lunch with Mike Macko, Deputy Director of Enforcement at the California Privacy Protection Agency, who outlined the agency’s 2026 enforcement priorities: the role of internal privacy teams in managing organizational risk and the CPPA’s interpretation of the data minimization principle during investigations. At the Global PEN breakfast, led by Jules Polonetsky and Gabriela Zanfir-Fortuna, the topics included global anonymization frameworks, synthetic data, digital sovereignty, and tools for scaling AI governance.

Source

The New Architecture of Health Data in the Age of LLMs

Jordan Wrigley (FPF) analyzes a paradigm shift in the circulation of health data in the United States: patients, exercising their statutory right of access, transfer medical records outside of HIPAA-covered environments to upload them to general-purpose LLM-based tools or customized consumer health tools. Once outside the scope of healthcare providers and health plans, that data loses its status as Protected Health Information and mixes with consumer health information, which lacks equivalent federal protection.

The critical point is that the new architecture is not merely technical but policy-driven: it combines mandatory patient access, product features, and voluntary privacy commitments by platforms, generating patient-consumer expectations calibrated to a framework — HIPAA — that no longer applies at that point. Wrigley identifies four open issues: regulatory applicability when the record falls outside the scope of HIPAA; processing inferred health information for non-users; AI tools’ ability to handle clinical nuances and medical judgment; and the measurability of the effectiveness of voluntary privacy safeguards.

The issue also has European implications: data that in the EU would constitute special categories under Article 9 of the GDPR is processed in the U.S. in a legal limbo where the patient’s consent to the transfer overrides sector-specific protections.

Source

The privacy profession is repositioning itself: from a “lone voice” to a hub of governance

Doug Miller (FPF Senior Fellow) proposes a reinterpretation of the role of privacy teams in light of the proliferation of issues that until recently were defined as “privacy-adjacent”: AI governance, youth online safety, age assurance, cybersecurity, trust and safety, content moderation, GRC, and the role of GenAI in advertising. Miller reclassifies these as “data governance gateways”: issues that the organization prioritizes for its own reasons but which always relate to data and thus to the scope of privacy.

The operational thesis is twofold. First, building internal alliances—particularly with the CISO, who often has budgets not accessible to the privacy team—transforms apparent dilution into a lever of real influence. Second, overseeing AI governance should be seen as an opportunity to gain access to the C-suite rather than an overload for the team. Miller distinguishes between formal influence on the organizational chart and substantive influence, based on communication, cross-functional leadership, and the quality of interactions with diverse stakeholders.

Source

---

ARTIFICIAL INTELLIGENCE

Minnesota Bans “Nudification” Apps

Minnesota is set to become the first U.S. state to ban apps that generate nude images from photos of real people. The state Senate unanimously approved the bill (65-0) following the House’s approval, and Governor Tim Walz is expected to sign it shortly, with the law set to take effect in August.

The law targets developers of websites, apps, software, or services that “nudify” images: the attorney general can impose fines of up to $500,000 per reported image, in addition to punitive damages at the victims’ request and a ban on the products within the state. The funds raised will finance services for victims of sexual violence, crime, domestic violence, and child abuse.

A key technical point: the law excludes products that require “the technical skill of a user to nudify an image or video,” to avoid targeting general-purpose tools like Photoshop. The scope is therefore limited to one-click applications. Senator Erin Maye Quade introduced the bill after the emergence of a case involving a man who had “nudified” images of over 80 women in his social circle. During the drafting process, RAINN consulted with tech companies to limit potential legal challenges.

[Source](https://arstechnica.com/tech-policy/2026/05/minnesota-set-to-be-first-state-to-ban-nudification-apps)

Shadow AI and Governance: Airia–SecurityWeek Webinar

On April 28, Airia and SecurityWeek organized a webinar dedicated to AI governance in the enterprise, focusing on the phenomenon of Shadow AI: the adoption of generative and agentic tools by employees without IT supervision.

The stated approach is operational: overcoming the “block or allow” dichotomy, mapping unauthorized entry points, building approval workflows and sandboxes, distinguishing governance requirements for different archetypes (LLM chat vs. autonomous agents), and establishing a cross-functional AI Council involving IT, Legal, and business.

Source

EESC Opinion on the Apply AI Strategy

The European Economic and Social Committee has adopted an opinion on the Commission Communication to the European Parliament and the Council on the Apply AI Strategy (COM(2025) 723 final), published in the Official Journal of the EU. The document accompanies the package through which the Commission intends to drive the applied adoption of AI in European industrial sectors and public services.

Source

CELEX

AI Act: Negotiations on Postponing High-Risk Rules Hit a Snag

Overnight between Tuesday and Wednesday, the trilogue between the European Parliament and the Council broke down without an agreement on the package that was supposed to postpone the application of the rules on high-risk systems under the AI Act and introduce a ban on nudification apps. In the absence of an agreement, the obligations regarding high-risk AI systems remain set to apply from August 2, 2026, and the failure to meet the informal deadline at the end of April raises concerns about legal certainty.

The political sticking point is industrial AI. The EPP, backed by Chancellor Friedrich Merz’s Germany, is calling for machinery and medical devices to be excluded from the AI Act’s scope and brought under sector-specific regulations, eliminating what it calls “double regulation”—a position that favors companies like Siemens and Bosch. German Liberal Svenja Hahn criticized the Cypriot Council presidency for its lack of compromise. On the other side, several member states and the S&D reject the exemption; Dutch Green Kim van Sparrentak spoke of a “German EPP coup.” Rapporteur Arba Kokalari (ECR, Sweden) requested more time. Executive Vice President Henna Virkkunen urged a swift conclusion to the dossier. No date has been set for the resumption of negotiations.

Source

---

CYBERSECURITY

CopyFail (CVE-2026-31431): Local privilege escalation in the Linux kernel, publicly exploitable

CISA added CVE-2026-31431 to the KEV catalog on May 2, 2026, confirming active exploitation. The vulnerability, named CopyFail (also written Copy Fail) by researchers at Theori and Xint, is a local privilege escalation in the Linux kernel’s cryptographic authentication template (CVSS 7.8). It stems from three separate and individually harmless changes introduced in 2011, 2015, and 2017, and affects distributions released from 2017 onward. Upstream patches are available in kernels 6.18.22, 6.19.12, and 7.0; distribution kernels typically backport the fix without changing the upstream version string, so the vendor advisory, not the version number alone, is what to check.

The exploit corrupts the in-memory page cache of readable files, including setuid binaries such as /usr/bin/su, injecting code that then runs with elevated privileges without anything being written to disk, so file-integrity monitoring of the binaries on disk does not see the change. The risk is particularly significant in containerized environments: Docker, LXC, and Kubernetes may expose the AF_ALG subsystem to processes inside containers when the algif_aead module is loaded on the host, potentially enabling an escape from container isolation. Detection is difficult because the exploit uses only legitimate system calls.

The realistic attack chain, as summarized by Jorijn Schrijvershof, is a low-privilege RCE followed by escalation: a vulnerability in a WordPress plugin yields a shell as www-data, then CopyFail breaks the tenant boundary on the shared kernel: shared Kubernetes nodes, multi-tenant hosting, CI/CD runners executing untrusted pull requests, WSL2 instances, containerized AI agents.
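A practitioner reading the two paragraphs above will want to know whether a given host or container actually meets the preconditions the article names: a kernel older than the fixed releases, and AF_ALG AEAD sockets reachable by an unprivileged process. The following script is an added example (it is not from the article, CISA, Theori or Xint) and does not exploit anything: it compares the running kernel against the mainline fix versions listed above, looks for algif_aead in /proc/modules, and tries to bind an AF_ALG "aead" socket. The use of gcm(aes) as the probe algorithm is an assumption of this example, chosen only because it is widely built in; it is not the template involved in the bug.

```python
"""Reachability checks for the CopyFail (CVE-2026-31431) preconditions.

Added example, not the article's or the researchers' code. It does not exploit
anything; it reports whether (a) the kernel release predates the fixed mainline
versions named in the article and (b) an unprivileged process in this
(container) context can reach AF_ALG AEAD sockets.
"""
import os
import re
import socket

# Fixed mainline releases as listed in the article. Distribution kernels usually
# backport the fix under their own version strings, so "vulnerable" here means
# "go read the vendor advisory", not a confirmed finding.
FIXED_VERSIONS = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12), (7, 0): (7, 0, 0)}


def parse_release(release):
    """Turn '6.18.21-generic' into (6, 18, 21); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparsable kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def kernel_status(release):
    """'fixed', 'vulnerable' or 'unknown' (series not covered by the article's list)."""
    v = parse_release(release)
    series = v[:2]
    if series in FIXED_VERSIONS:
        return "fixed" if v >= FIXED_VERSIONS[series] else "vulnerable"
    # Everything after 7.0 carries the fix; older LTS series need the vendor advisory.
    return "fixed" if series > (7, 0) else "unknown"


def algif_aead_loaded(modules_text):
    """True if algif_aead is listed in /proc/modules-style text.

    /proc/modules shows the host's module list even inside a container, unless
    the runtime masks it, which is exactly the situation the article warns about.
    """
    return any(line.split()[0] == "algif_aead"
               for line in modules_text.splitlines() if line.strip())


def probe_af_alg(aead_name="gcm(aes)"):
    """Try to create and bind an AF_ALG AEAD socket as the current user.

    Returns 'reachable' (bind succeeded), 'no-aead' (socket created but the
    AEAD bind was refused: algif_aead not loaded and not autoloadable here) or
    'unavailable' (AF_ALG absent or blocked, e.g. by seccomp). gcm(aes) is an
    assumption of this example: any AEAD name serves as a reachability probe.
    """
    af_alg = getattr(socket, "AF_ALG", None)  # Linux-only constant
    if af_alg is None:
        return "unavailable"
    try:
        sock = socket.socket(af_alg, socket.SOCK_SEQPACKET)
    except OSError:
        return "unavailable"
    try:
        sock.bind(("aead", aead_name))
        return "reachable"
    except OSError:
        return "no-aead"
    finally:
        sock.close()


def report():
    """Collect all three checks for the current host/container."""
    release = os.uname().release
    try:
        with open("/proc/modules") as fh:
            loaded = algif_aead_loaded(fh.read())
    except OSError:
        loaded = None  # masked or not mounted
    return {"release": release,
            "kernel": kernel_status(release),
            "algif_aead_in_proc_modules": loaded,
            "af_alg_aead": probe_af_alg()}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it as the least privileged user you care about (for instance from inside the workload's own container): a "vulnerable" or "unknown" kernel together with "reachable" is the combination the article describes, and a "no-aead" result from a container confirms that the host is not loading algif_aead on its behalf.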

Source: CISA/KEV

Ars Technica Analysis

cPanel: CVE-2026-41940 Massively Exploited for “Sorry” Ransomware

At least 44,000 IP addresses running cPanel have been compromised, according to Shadowserver, following the emergency patch released this week for a critical authentication bypass in WHM/cPanel. Exploitation attempts date back to late February, so the flaw was being abused as a zero-day well before the fix. Since Thursday, attackers have been deploying a Linux encryptor written in Go that encrypts files with ChaCha20, protects the file-encryption key with RSA-2048, and appends the .sorry extension. Hundreds of compromised sites are already indexed by Google. The ransom is negotiated via Tox. Rivitna confirms that without the attackers’ RSA-2048 private key, decryption is not feasible. The campaign has no connection to the 2018 HiddenTear-based campaign that used the same extension. [Source](https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks)
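For a responder on a cPanel host, the first question is scope: which files carry the .sorry extension, and are they really ciphertext? The script below is an added triage example, not from BleepingComputer, Shadowserver or the malware itself. It walks a directory tree, lists the *.sorry files the article reports, and measures the byte entropy of each: ChaCha20 output is indistinguishable from random, so a .sorry file with low entropy is more likely a ransom note, an empty placeholder or an interrupted write than an encrypted file, and deserves a separate look. The 7.5 bits/byte threshold and the 64 KiB sample size are assumptions of this example. It makes no attempt at decryption; as the article notes, that needs the private key.

```python
"""Triage of '.sorry' files on a suspected victim host.

Added example; not the malware's format and not an official tool. It only
enumerates files by extension and measures their entropy, so a responder can
tell encrypted payloads apart from notes and stragglers.
"""
import math
import os
from collections import Counter

SUFFIX = ".sorry"        # extension reported by the article
HIGH_ENTROPY = 7.5       # bits/byte; ciphertext sits close to 8.0 (assumed threshold)
SAMPLE_BYTES = 64 * 1024  # read at most this much per file (assumed sample size)


def shannon_entropy(data):
    """Shannon entropy in bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(path):
    """Size and entropy of one file, plus a verdict on whether it looks encrypted."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    h = shannon_entropy(head)
    return {"path": path,
            "size": os.path.getsize(path),
            "entropy": round(h, 3),
            "looks_encrypted": h >= HIGH_ENTROPY}


def find_sorry_files(root):
    """One record per *.sorry file under `root`, sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SUFFIX):
                hits.append(classify(os.path.join(dirpath, name)))
    return sorted(hits, key=lambda r: r["path"])


def summarize(records):
    """Counts a responder can put in the first incident update."""
    enc = sum(1 for r in records if r["looks_encrypted"])
    return {"total": len(records), "high_entropy": enc, "low_entropy": len(records) - enc}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    recs = find_sorry_files(root)
    for rec in recs:
        print(rec)
    print(summarize(recs))
```

Point it at the account home directories (or a mounted image of them) rather than the live system root, and treat the low-entropy hits as evidence: they often include the note the attackers leave, which is what you need to correlate with the Tox negotiation the article mentions.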

Telegram Mini Apps as a Fraud Platform: Operation FEMITBOT

CTM360 has mapped a fraudulent infrastructure — dubbed FEMITBOT after a recurring string in API responses (“Welcome to join the FEMITBOT platform”) — that abuses Telegram Mini Apps for crypto scams, fake financial platforms, bogus AI tools, and streaming sites. The bots load phishing pages directly into Telegram’s WebView, displaying dashboards with fictitious balances and countdown timers; when the user attempts a withdrawal, they are directed to deposits or referral tasks (a classic advance-fee scheme). Impersonated brands include Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, and YouKu. The backend is shared across different domains, and the infrastructure integrates Meta and TikTok tracking pixels to measure conversions. Some Mini Apps distribute Android APKs mimicking BBC, NVIDIA, CineTV, Coreweave, and Claro, also distributed via progressive web apps. [Source](https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery)

ANTS: 15-Year-Old Arrested for Selling French Agency Data

The Paris Prosecutor’s Office announced the arrest of a 15-year-old suspected of selling data exfiltrated from France Titres (ANTS)—the agency that manages French administrative documents. ANTS had detected suspicious activity on April 13 and notified the authorities on April 16. The minor, operating under the moniker “breach3d”, reportedly offered between 12 and 18 million records; the agency estimated that 11.7 million accounts were actually affected, with full names, email addresses, dates of birth, mailing addresses, and phone numbers exposed. ANTS maintains that the stolen data does not allow for unauthorized access. The charges—unauthorized access, persistence, and exfiltration from a state-run automated personal data processing system, as well as possession of software to commit the crimes—are punishable by up to seven years in prison and a fine of 300,000 euros. The Prosecutor’s Office has requested that the suspect be placed under judicial supervision pending the investigating judge’s decision. [Source](https://www.bleepingcomputer.com/news/security/15-year-old-detained-over-french-govt-agency-data-breach)

---

SCIENTIFIC RESEARCH

Selection of the week’s most relevant papers from arXiv on AI, Machine Learning, and Privacy

Privacy-preserving ML in healthcare

Fidelity, Diversity, and Privacy: A Multi-Dimensional LLM Evaluation for Clinical Data Augmentation

The authors evaluate the use of LLMs to generate annotated synthetic data in the mental health field, where the scarcity of high-quality datasets clashes with constraints on data sharing. The proposal is a multi-dimensional evaluation framework that simultaneously measures the fidelity, diversity, and privacy resilience of the synthetic data—three axes that, taken individually, provide a misleading picture of the quality of the generated dataset.

arXiv

Privacy-Preserving Federated Learning via Differential Privacy and Homomorphic Encryption for Cardiovascular Disease Risk Modeling

A combination of DP and homomorphic encryption for cardiovascular risk in a federated setting, avoiding the centralization of anonymized clinical records with a single data controller. The stacked PET approach is interesting because it distributes the risk of re-identification across two independent layers (noise + encryption), reducing the exposure surface typical of “vanilla” FL architectures.

arXiv

Differential Privacy and Synthetic Datasets

DP-CDA: An Algorithm for Enhanced Privacy Preservation in Dataset Synthesis Through Randomized Mixing

Dataset synthesis algorithm based on class-aware randomized mixing with DP guarantees. The authors start from the observation—now well-established in the literature—that classical anonymization does not withstand re-identification attacks, and propose a mechanism that operates directly during the generation phase. Relevant for those evaluating synthetic data as a minimization measure under GDPR Article 5(1)(c): the DP guarantee is justifiable, whereas “by mixing” anonymization without a budget is not.

arXiv

Meta-Learning and Targeted Differential Privacy to Improve the Accuracy-Privacy Trade-off in Recommendations

The paper applies DP only to the most “stereotypical” user data—those most likely to reveal sensitive attributes such as gender or age—thereby avoiding disruption of the entire dataset. Combined with meta-learning, the targeted approach reduces the accuracy degradation typical of uniform DP. The logic of “noise where needed” is consistent with the principle of proportionality in data processing. [arXiv](https://arxiv.org/abs/2604.26390)

Machine Unlearning and the Right to Erasure

Machine Unlearning for Class Removal through SISA-based Deep Neural Network Architectures

The SISA architecture (Sharded, Isolated, Sliced, Aggregated) is applied to remove entire classes from pre-trained DNNs in response to erasure requests concerning data that has already shaped the model. Direct link to Article 17 of the GDPR: where the right to erasure extends to the training set, simply deleting the upstream data is not enough if the model retains a trace of it, and the parameters themselves have to be unlearned.

arXiv

Attacks and Leakage in LLMs and Inference Serving

Quantamination: Dynamic Quantization Leaks Your Data Across the Batch

The authors demonstrate that dynamic quantization—used for efficiency during serving—leaks information between inputs within the same batch, because quantization parameters are computed at runtime on the actual tensors. A “victim” input can therefore be influenced (and partially reconstructed) via co-batched inputs controlled by the attacker. A new attack vector for multi-tenant inference-as-a-service, to be considered in threat models for production ML pipelines. [arXiv](https://arxiv.org/abs/2604.26505)
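The mechanism in the summary above is easy to see on a toy. The following is an added example (not the paper's code or data): a symmetric int8 quantizer whose scale is derived from the largest absolute value in the whole batch, which is what "dynamic per-tensor" quantization does at runtime. With one shared scale, an attacker whose row is co-batched with a victim's can both distort the victim's quantized values by injecting a large value and read the shared scale back from its own dequantized output, which reveals the victim's largest activation. Per-row scaling removes the shared state. Rows are plain lists of floats standing in for activation tensors; the victim values, the 0.01 ramp and the int8 range are assumptions of the example.

```python
"""Toy reproduction of the cross-batch leak of dynamic quantization.

Added example, not the paper's code. Batches are lists of rows (lists of floats)
standing in for activation tensors in a multi-tenant serving batch.
"""
Q_MAX = 127  # symmetric int8 range: codes in [-127, 127]


def quantize_shared(batch):
    """Dynamic per-tensor quantization: one scale for every row in the batch."""
    amax = max((abs(v) for row in batch for v in row), default=0.0)
    scale = amax / Q_MAX if amax > 0 else 1.0
    codes = [[max(-Q_MAX, min(Q_MAX, round(v / scale))) for v in row] for row in batch]
    return codes, scale


def dequantize(codes, scale):
    """What the serving stack hands back downstream: codes times the shared scale."""
    return [[c * scale for c in row] for row in codes]


def quantize_per_row(batch):
    """Defence: every row gets its own scale, so rows never influence each other."""
    out = []
    for row in batch:
        codes, scale = quantize_shared([row])
        out.append(dequantize(codes, scale)[0])
    return out


def victim_codes_with_attacker(victim_row, attacker_value):
    """Influence: the victim's int8 codes when an attacker row [attacker_value] is co-batched."""
    codes, _scale = quantize_shared([victim_row, [attacker_value]])
    return codes[0]


def attacker_probe(step=0.01, n=200):
    """Attacker-controlled row: a fine ramp 0, step, 2*step, ... of small values."""
    return [i * step for i in range(n)]


def infer_scale(dequantized_probe):
    """The smallest non-zero output of the ramp is exactly one quantization step = scale."""
    nonzero = [v for v in dequantized_probe if v > 0]
    return min(nonzero) if nonzero else None


def leaked_victim_max(victim_row, shared=True):
    """Run attacker probe + victim through the quantizer and return what the attacker
    infers as max |activation| of the batch from its own output alone.

    With a shared scale this equals the victim's largest value (the leak);
    with per-row scaling it equals the attacker's own ramp maximum (no leak).
    """
    probe = attacker_probe()
    if shared:
        codes, scale = quantize_shared([victim_row, probe])
        attacker_view = dequantize(codes, scale)[1]
    else:
        attacker_view = quantize_per_row([victim_row, probe])[1]
    s = infer_scale(attacker_view)
    return None if s is None else s * Q_MAX


if __name__ == "__main__":
    victim = [40.0, -12.5, 3.0]  # constructed victim activations
    print("victim codes, benign neighbour :", victim_codes_with_attacker([0.2, -0.3, 0.5], 0.0))
    print("victim codes, attacker injects 1000:", victim_codes_with_attacker([0.2, -0.3, 0.5], 1000.0))
    print("attacker infers victim max (shared scale):", leaked_victim_max(victim, shared=True))
    print("attacker infers victim max (per-row scale):", leaked_victim_max(victim, shared=False))
```

The ramp works because values below half a step quantize to zero and the first value at or above it quantizes to code 1, whose dequantized value is the scale itself; nothing about the victim has to be visible to the attacker other than the attacker's own output. That is the property to look for in a serving stack's threat model: any statistic computed across tenants' requests at runtime is a shared channel.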

Decomposed Trust: Privacy, Adversarial Robustness, Ethics, and Fairness in Low-Rank LLMs

A systematic analysis of how low-rank compression of LLMs impacts four dimensions of trustworthiness: privacy, adversarial robustness, ethics, and fairness. The implicit message is that compression is not a risk-neutral operation and must be evaluated beyond mere accuracy preservation. Useful for those producing technical documentation on models in accordance with the transparency requirements of the AI Act.

arXiv

Software supply chain security

eDySec: A Deep Learning-based Explainable Dynamic Analysis Framework for Detecting Malicious Packages in the PyPI Ecosystem

An explainable dynamic analysis framework for detecting malicious packages on PyPI, with a focus on multi-stage attacks, remote access activation, and dynamically generated payloads—categories that evade static analysis. The explainability component is the key point: in an NIS2 context, being able to justify why a package was classified as malicious is an integral part of incident management, not just a nice-to-have.

arXiv

---

AI ACT IN A NUTSHELL - Part 19

Article 23 – Obligations of Importers

After examining the role of the authorized representative in the previous installment—the mechanism through which non-EU providers can operate in the European market—we continue our journey along the AI systems value chain by analyzing another crucial actor: the importer. Article 23 of the AI Act sets out specific obligations for those who place high-risk AI systems from third countries on the Union market.

Who is the importer, and why do they play a central role

Under the Regulation (Article 3(6)), the importer is the natural or legal person located or established in the Union that places on the market an AI system bearing the name or trademark of a natural or legal person established in a third country.

That is a strategic role, as the importer serves as the system’s first point of contact with the European market and, in effect, the first “filter” for substantive compliance following production outside the EU.

The European legislator, drawing on the approach already established in product safety legislation (such as the Machinery Regulation or the Medical Devices Regulation), assigns importers a preventive verification function. Before placing a high-risk AI system on the market, they must ensure that the provider has effectively fulfilled its obligations.

Preventive Verification Obligations

Article 23 requires the importer to verify, before placing the system on the market, that the provider has carried out the conformity assessment procedure provided for in Article 43, has drawn up the technical documentation referred to in Article 11 and Annex IV, and that the system bears the CE marking and is accompanied by the EU declaration of conformity and the instructions for use. Furthermore, the importer must verify that the provider has appointed an authorized representative in accordance with Article 22.

That is a documentary and formal check, but one with substantial effects: if the importer has sufficient reason to consider that the system is not in conformity with the Regulation, they may not place it on the market until it has been brought into conformity. And if the system presents a risk within the meaning of Article 79(1), the importer must inform the provider, the authorized representative, and the market surveillance authorities.

Traceability and Cooperation

A second set of obligations concerns traceability. Importers must indicate on the high-risk AI system—or, where this is not possible, on the packaging or in the accompanying documentation—their name, registered trade name, and the address at which they can be contacted. They must also ensure that, while the system is under their responsibility, storage or transport conditions do not compromise its conformity.

For ten years after the system is placed on the market, the importer must keep a copy of the certificate issued by the notified body, the instructions for use, and the EU declaration of conformity, and make them available to the competent authorities upon a reasoned request, including in an easily understandable language.

Practical implications for organizations

For European companies importing high-risk AI systems—such as an Italian distributor of personnel selection software developed in the United States, or a company importing biometric devices manufactured in Asia—Article 23 requires the establishment of internal due diligence processes. Relying on the provider’s declarations is not sufficient: it is necessary to actively verify the presence and consistency of the technical documentation, set up ten-year archiving, and define communication protocols with authorities and providers in the event of non-compliance.

The penalties referred to in Article 99 can reach up to 15 million euros or 3% of the operator’s total worldwide annual turnover, whichever is higher, for breaches of these obligations, highlighting the critical importance of a robust compliance framework.

---

In Part 20, we will address Article 24 – Distributors’ Obligations, thereby completing the picture of responsibilities along the commercial supply chain for high-risk AI systems.

---

AI-Assisted Contract Review: Prompts for Clauses and DPAs

After seeing last week how to integrate Legal Prompting into compliance processes without creating additional risks, we now enter a highly sought-after operational area: contract review, with particular reference to Data Processing Agreements and sensitive clauses regarding data processing, confidentiality, and liability.

The temptation to “feed” a contract to the model and ask for a generic opinion is strong, but it produces misleading results. Let’s remember that language models do not reason like lawyers: they generate statistically plausible outputs and tend to reinforce the structure of the text they receive, even when it is legally weak. For this reason, human supervision remains an ethical obligation, not an option.

An effective prompt for reviewing a DPA should be structured in multiple layers. First layer: definition of the role and the regulatory framework. Example: “Act as a lawyer specializing in data protection. Analyze the following clause in light of Article 28 of the GDPR and EDPB Guidelines 07/2020. Do not provide assessments if the clause is ambiguous: flag the ambiguity.” Second layer: structured request. Ask the model to identify (a) the mandatory minimum elements present, (b) those missing, (c) clauses that are potentially unbalanced to the detriment of the data controller, and (d) references to external documents not attached. Third layer: prudence requirement. Always add an instruction such as “If a point requires discretionary assessments or commercial judgment, refrain from commenting and mark it as ‘to be verified with the client’.”

The same approach applies to liability limitation clauses, SCCs, provisions regarding sub-processors, and transfers outside the EU. It is useful to ask the model to generate a comparison table between the received clause and the standard wording, highlighting any discrepancies. This approach reduces the risk of “interpretative errors” and makes the work traceable.

The infrastructure issue remains central: uploading contract drafts to general-purpose cloud services, especially if they contain client or counterparty data, may constitute breaches of professional secrecy and confidentiality obligations, as well as issues under the GDPR and Law 132/2025. For contract review, the use of local models or enterprise solutions with adequate contractual safeguards is not a technical preference but a compliance choice. The AI Act, moreover, reinforces the need for traceability and governance, even for internal professional use.

A final best practice: keep the prompt used along with the final review as part of the case file. It documents the process, demonstrates human oversight, and protects the professional in the event of disputes.

Next week, we’ll tackle the very issue of professional secrecy and infrastructure: which models are compatible with ethical obligations, when on-premises solutions are essential, and how to evaluate cloud providers.

For further reading:

Legal Prompting: The New Frontier of AI in the Legal Field

---

PODCAST

In this sixth episode, we apply prompting techniques to contract analysis.

Three distinct operations, each with its own prompt:

---

Marking 10 years of the GDPR: the evolution of the European data protection landscape (news from April 27, 2026)
EDPB | Info

Apply AI sectoral deep dive - electronic communications (event on April 30, 2026)
European Commission | Info

High-Level Debate: “From Omnibus to Opportunity: Driving Data Protection and Innovation” (event on June 8, 2026)
EDPS | Info

---

Conclusion

Ten years of the GDPR, and the impression, reading this week’s papers, is that the Regulation has become the uninvited guest of a regulatory ecosystem that has surpassed it in ambition but not in practical maturity. The EDPB celebrates the anniversary by highlighting a positive evolution toward the DSA, the DMA, and the AI Act; the Italian Data Protection Authority marks the 10th anniversary with a dedicated episode of its podcast, continuing its outreach efforts, which remain one of the Authority’s hallmarks. The real picture, however, is less straightforward: the Parliament is clamoring for stricter enforcement of the DMA “against external pressures,” a sign that the enforcement front is exposed to political attrition that seemed unthinkable in 2018.

The thread running through the news of recent days is the growing tension between public safety objectives and the principle of data minimization. The Italian Data Protection Authority’s reminder to hoteliers of their obligation to destroy copies of documents after notifying public safety authorities is not a niche intervention: it is a reaffirmation of a principle that many operators, aided by WhatsApp and digital habits, have come to regard as no longer binding. At the European level, the same logic plays out on a different scale: the Entry/Exit System is coming into full effect with biometric data from third-country nationals, the revision of the Europol Regulation is proceeding, and coordinated action regarding minors under the age of fifteen treated as suspects or potential criminals raises questions that the system, until yesterday, preferred not to ask. The story of the EU Age Verification App—launched on April 15 and found to be vulnerable to critical security flaws within hours—is a prime example of a good intention (protecting minors online) translated into a technical architecture that the Parliament itself is now calling for suspension: without selective disclosure and privacy by design, even the most virtuous of objectives becomes a risk vector.

There is an asymmetry that should be clearly acknowledged: we demand that individual hoteliers rigorously delete data once its purpose has been fulfilled, and at the same time, we build public surveillance architectures whose proportionality is contested by the very Authority that is supposed to oversee them. That is not regulatory hypocrisy; it is a sign that the GDPR works better horizontally, within the private sector, than vertically, within public authorities. Ten years on, this is the most serious vulnerability.

On the AI and dataspaces front, two concrete developments from this week. Minnesota’s ban on pornographic deepfakes with fines of up to $500,000 points in a direction that Europe, with the AI Act, has chosen not to pursue with the same clarity, preferring general categories to surgical bans; we will soon see whether the systemic approach holds up under the impact of concrete cases or whether we end up, in effect, importing ad hoc solutions from legal systems with fewer taxonomic scruples. On the data spaces front, the publication of EN 18235-1:2026 on “trusted data transactions” finally brings the basic vocabulary of data exchange mechanisms into a harmonized regulatory framework: a technical building block that, if accompanied by the subsequent parts of the series, could give operational form to the “European Trusted Data Framework,” which until yesterday existed only in work programs.

---

📧 Edited by Nicola Fabiano

Lawyer - Fabiano Law Firm

🌐 Studio Legale Fabiano:

https://www.fabiano.law

🌐 Blog:

https://www.nicfab.eu

🌐 DAPPREMO:

www.dappremo.eu

---

Supporter

https://lawandtechnology.eu/

https://caffe20.it/

https://privacykit.it/

---

To receive the newsletter directly in your inbox,

subscribe at nicfab.eu

Follow our news on these channels:

Telegram → @nicfabnews

Matrix → #nicfabnews:matrix.org

Mastodon → @nicfab@fosstodon.org

Bluesky → @nicfab.eu

---


Proxied content from gemini://nicfab.eu/en/newsletteren/2026/2026-05-05-issue-19_en.gmi