United Kingdom
ICO confirms that charities are given new flexibility to contact supporters under DUAA change
- The UK ICO has issued final guidance on the new charitable purposes soft opt-in, allowing charities to send emails, texts and social media direct messages without prior consent where individuals have shown interest in or support for the charity’s purpose.
- The change, introduced under the Data (Use and Access) Act 2025 and effective from February 2026, creates a new lawful marketing route, but only where strict safeguards are met, including transparency and the ability for recipients to opt out.
- Updated ICO guidance clarifies how the rules apply in practice, including face-to-face collections, third-party involvement and supporter engagement, aiming to help charities use personal data lawfully while expanding fundraising opportunities.
- The ICO also reminded all organisations, including charities, that by 19 June 2026 they must have a formal process for handling data protection complaints.
UK Government survey reveals education sector under constant cyber attacks
- The UK government’s Cyber Security Breaches Survey 2025/26 found that cyber incidents are near-universal in higher education (98%), and widespread in further education colleges (88%) and secondary schools (73%, up from 60% the previous year), with all tiers outpacing the business sector (43%).
- Significant vulnerabilities persist in the education sector, notably with 49% of universities and 27% of further education colleges holding personal staff and student data that is neither anonymised nor encrypted.
- Supply chain security remains the sector’s most critical gap, with fewer than half of all schools adequately monitoring third-party cyber risks, while AI adoption, already at 82% in further education and 63% in universities, is outpacing the development of formal AI-specific risk management processes.
- Resource constraints are undermining resilience, even as the threat landscape intensifies, with AI-powered phishing and impersonation attacks cited by staff as a growing and particularly difficult-to-counter risk.
United States
Anthropic launches AI code security tool for enterprises through Claude
- Anthropic has opened public beta access to Claude Security for Claude Enterprise customers, offering AI-powered vulnerability scanning directly inside production codebases without custom integrations or additional tooling.
- Powered by Claude Opus 4.7, the platform identifies security flaws, validates findings to reduce false positives, and suggests patches for developer review before deployment.
- New enterprise features include scheduled scans, directory-specific reviews, real-time webhook alerts, exportable reports and persistent dismissal of resolved issues to reduce alert fatigue.
- This highlights a growing demand for AI-driven cybersecurity tools that can strengthen software security, automate code review and improve breach prevention.
US Supreme Court to weigh in on smartphone location privacy case
- The US Supreme Court is considering whether police use of geofence warrants, which demand location data for all phones near a crime scene, breaches constitutional privacy protections in Chatrie v. United States.
- Privacy advocates argue the practice amounts to mass surveillance, collecting innocent people’s sensitive location data simply because they were nearby or their device was detected in the area.
- The case focuses on Google-held location history data, highlighting wider concerns over how tech firms collect, store and disclose detailed user movements to law enforcement.
- A ruling against geofence warrants, expected soon, could strengthen digital privacy rights in the US, while approval may expand police access to location data from apps, cloud services and mobile providers.
Europe
EU accuses Meta of failing to protect children online
- The European Commission has preliminarily found that Meta may have breached the Digital Services Act by failing to properly enforce its own minimum age rules across its platforms, with roughly 10-12% of children under 13 using Instagram and Facebook.
- Investigators said children under 13 could reportedly create accounts using false birth dates, while Meta’s tools for reporting underage users were considered overly complex and ineffective.
- This highlights growing regulatory pressure on platforms to implement stronger age assurance measures, notably with a recommendation from the Commission to roll out an EU-wide age verification app by the end of 2026, to balance child safety with data protection and privacy rights.
- If the findings are confirmed, Meta could face significant EU fines, as Europe continues favouring regulation and age-verification systems over blanket social media bans.
Noyb privacy complaint targets inaction over facial recognition firm
- The privacy group Noyb has filed a complaint against Hamburg’s data protection authority, as it allegedly failed to act over facial recognition search engine PimEyes despite concerns the company may be breaching GDPR rules.
- PimEyes allows users to upload photos to identify people online and reportedly builds image databases by scraping pictures from the internet, raising concerns over biometric surveillance and non-consensual processing of facial data.
- Under EU law, facial biometric data is classed as special category data and generally requires explicit consent, even where the company operating the service is based outside the EU.
- Noyb argues regulators must enforce GDPR’s extraterritorial reach rather than halt investigations because PimEyes is now based in Dubai, warning of a gap in accountability for offshore tech firms.
International
India accelerates AI governance and platform accountability
- India’s Ministry of Electronics and IT has created two new national bodies: the AI Governance and Economic Group and the Technology and Policy Expert Committee, to coordinate AI policy, assess labour and economic impacts, and develop future compliance and deployment frameworks.
- Proposed amendments to the Information Technology Rules 2021 would require continuous labelling of AI-generated content, upfront disclosures for audio, and embedded metadata to identify the originating system, with the goal of strengthening traceability and spotting misinformation and harmful synthetic media.
- Indian courts are increasingly using existing legal frameworks to address AI harms, with the Bombay High Court and Delhi High Court ordering removal of deepfakes, voice clones and unauthorised AI-generated content that infringed celebrity personality rights.