Privacy & Cybersecurity #67

This briefing condenses April 2026 policy and risk developments across the EU, UK, and US, including the EDPB's common DPIA template and Europrivacy certification, the EU age‑verification app, CNIL guidance on email tracking pixels, Latvia's PNR retention rules, HHS/OCR HIPAA Security guidance, and PCLOB's Section 702 report. It also underscores growing AI risks flagged by Stanford HAI and the UK government: privacy gaps in foundation models, and rapidly advancing offensive capabilities exemplified by Anthropic's Mythos model. Throughout, it points to practical compliance steps for controllers, processors, and covered entities. #EDPB #Europrivacy #AnthropicMythos #CNIL

Key points

  • The EDPB adopted a standardized DPIA template (public consultation open until 9 June 2026) to harmonize assessments of high‑risk processing; it requires a documented action plan for identified risks and recorded input from the DPO.
  • Europrivacy certification is approved for global use and as an Article 46 GDPR transfer mechanism, allowing third‑country importers to rely on certification combined with binding commitments and a Transfer Impact Assessment.
  • The EU age verification app is technically ready, privacy‑preserving, and open‑source, and is expected to integrate with national digital identity wallets so that a user can prove an age threshold without disclosing further identity attributes.
  • CNIL issued guidance stating that most marketing and profiling uses of email tracking pixels require prior consent, with strict expectations on how consent is captured, how it can be withdrawn, and how it is recorded.
  • Regulatory and research bodies warn of AI and surveillance risks: Stanford HAI highlights privacy gaps in foundation models; the UK flags rapidly advancing AI‑driven cyber threats (e.g., Anthropic's Mythos model); and HHS/OCR updated its HIPAA Security guidance, emphasizing recognized security practices.

Read More: https://keplernewsletter.substack.com/p/privacy-and-cybersecurity-67