Data Protection News Update 09 March 2026

United Kingdom

UK launches consultation on under-16 social media ban and age verification reforms

  • The UK Government has opened a three-month consultation on comprehensive online child safety reforms, including a potential ban on social media use for under-16s, restrictions on livestreaming and location sharing, limits on addictive design features, and tighter controls on AI chatbots and gaming platforms.
  • Proposals include raising the digital age of consent for data processing above 13, introducing age checks for VPN use, and applying measures even to services that rely on end-to-end encryption.
  • Ministers acknowledge that mandatory age assurance could require large-scale identity or age verification for UK users, potentially expanding the collection and processing of personal data; alternative models under review include age estimation and inference technologies.

UK businesses warned about cybersecurity risks from Iran-linked hackers in Middle East operations

  • The National Cyber Security Centre has issued an alert that UK firms operating in the Middle East face an increased risk of indirect cyber threats from Iran-linked hacktivists as tensions in the region escalate.
  • Although the direct threat to UK-based systems is assessed as largely unchanged, organisations with regional offices or supply chains are encouraged to enhance monitoring and apply cybersecurity guidance to reduce exposure to spillover or opportunistic attacks.

United States

Anthropic refuses Pentagon’s contract for AI use in surveillance and autonomous weapons

  • Anthropic has refused to amend its $200 million July contract with the US Department of Defense to permit “any lawful use” of its AI systems.
  • In response, the Pentagon has formally designated Anthropic a “supply chain risk”, the first time a US AI company has received this classification, effectively preventing defence contractors from conducting commercial activity with the firm on military-related work.
  • Anthropic’s CEO affirmed that the use of models such as Claude will not be authorised for mass domestic surveillance of Americans or for fully autonomous weapons, and that the government’s designation will be challenged in court.
  • The dispute has coincided with a surge in public demand for Claude AI, contributing to temporary service outages, after reports that competitor OpenAI strengthened cooperation with US authorities. This suggests that users are actively factoring government access, surveillance risk and data governance commitments into their choice of AI provider.

TikTok rejects end-to-end encryption over safety concerns

  • TikTok has confirmed it will not introduce end-to-end encryption (E2EE) for direct messages, diverging from rivals such as Facebook, Instagram, Messenger and X. It argues that full encryption would prevent safety teams and law enforcement from accessing harmful or illegal content when necessary.
  • Messages would remain protected through standard encryption and internal access controls, but TikTok maintains that avoiding E2EE allows it to better detect grooming, harassment and child sexual abuse material, a stance welcomed by UK child protection groups including the NSPCC and the Internet Watch Foundation.
  • Privacy advocates and cybersecurity experts warn that without E2EE, user communications may be more vulnerable to hacking, corporate surveillance or state access, placing TikTok out of step with prevailing global privacy expectations.
  • The decision comes as TikTok is undergoing scrutiny of data protection practices and geopolitical sensitivities linked to its Chinese ownership by ByteDance.

Europe

Cyberattack exposes medical data of 15 million people in France

  • France’s health ministry confirmed that a cyberattack compromised administrative and medical data relating to more than 15 million individuals, primarily affecting patients linked to around 1,500 medical practices using Cegedim Santé software.
  • Most exposed records contain administrative details such as names, phone numbers and postal addresses, but more than 165,000 files also included doctors’ personal medical notes involving sensitive information, such as references to patients’ sexual orientation and HIV/AIDS status.
  • Cegedim Santé has filed a criminal complaint and is cooperating with authorities, while the identity of the threat actor has not been disclosed.

Italy’s DPA orders Amazon to stop processing of workers’ sensitive data

  • The Italian Data Protection Authority (DPA) has ordered Amazon Italia Logistica to immediately stop processing the personal data of more than 1,800 employees at its Passo Corese site due to systematic and unlawful record-keeping practices.
  • Amazon was found to have collected and retained special category data throughout employees’ tenure and for up to ten years after departure, via an internal platform linked to attendance tracking systems and accessible to multiple managers.
  • Recorded information included detailed medical conditions (e.g. Crohn’s disease, herniated discs, pacemaker implants), trade union participation, strike activity, alleged misuse of leave, and highly personal family matters.
  • The Authority also ordered the cessation of data processing from surveillance cameras positioned near bathrooms and break areas and extended the prohibition to other Italian logistics centres using the same platform, following inspections conducted with the National Labour Inspectorate and Italy’s Financial Police; further investigations into additional infringements remain ongoing.

International

New Zealand health data breaches prompt calls for strengthened Privacy Act and cybersecurity obligations

  • A breach involving the MediMap prescription management system exposed weaknesses in safeguards for sensitive health data, after an unauthorised actor altered patient records, including names, birthdates and care status, with some living patients incorrectly marked as deceased.
  • The incident follows the 2025 breach of Manage My Health, reinforcing concerns about systemic cybersecurity and data protection vulnerabilities across New Zealand’s digital health ecosystem.
  • The breach has intensified calls to strengthen the Privacy Act 2020, as the government’s Cyber Security Strategy 2026‑2030 considers introducing civil penalties and new offences for the misuse or possession of unlawfully obtained personal data. 
