UK device scanning, Meta AI shift, and a record GDPR fine

Signal Condemns UK Device-Scanning Proposal as Mass Surveillance

Signal has issued a strong warning against the UK government’s plan to mandate device-level scanning for nude images, calling it a mass surveillance system that endangers everyone. The proposal, announced by Prime Minister Keir Starmer at London Tech Week, would require companies like Apple and Google to activate built-in detection tools across entire devices, including cameras, third-party apps, search functions, and messaging services. The government argues it aims to prevent grooming, sextortion, and children’s access to pornography, citing that 91% of online child sexual abuse reports in 2024 involved self-generated content and the average child views pornography by age 13. Apple already offers a similar on-device Communication Safety feature, but the UK plan goes further by making it mandatory and extending it beyond Apple’s ecosystem. Adults would still be able to access nude content after passing age verification, and if tech firms do not comply within three months, the government threatens legislation with fines and possible criminal liability for executives. Signal’s statement, titled “Surveillance Is Not Safety,” argues that forcing age verification or content scanning simply to communicate normalizes the inspection of private content. Critics warn that client-side scanning systems, once established for one category of material, can be expanded to whatever governments deem harmful, creating a dangerous precedent for mass surveillance and censorship capabilities.

Signal attacks UK plan to scan devices for nude images as “mass surveillance” →

California Launches First-of-Its-Kind Data Deletion Platform, DROP

California has launched the Delete Request and Opt-out Platform (DROP), a pioneering tool that lets residents submit a single request to have their personal information removed from hundreds of registered data brokers. The platform, part of the state’s broader DELETE Act, marks a significant step in giving consumers more control over data collection, sale, and sharing amid rising concerns about online privacy. While the tool currently only applies to California residents, privacy advocates see it as part of a national trend. Connecticut recently expanded its own privacy protections; Governor Ned Lamont signed legislation that strengthens the state’s consumer data privacy law, granting residents additional rights and imposing new restrictions on corporate data practices. Although Connecticut’s law does not create a centralized deletion system like California’s DROP, it reflects a growing movement among states to hold companies more accountable and empower consumers over their digital footprints. The broader context highlights that personal information is collected on a massive scale, even for individuals who never post their details online themselves.

California Made It Easier to Delete Your Data — Why Everyone Should Pay Attention →

Meta to Use External Activity Data to Personalize Feeds and AI Chats

Meta has announced it will start using data from users’ activity on third-party apps and websites to personalize home feeds and interactions with its AI chatbot, Meta AI. Previously, this data was only used for ad targeting, but the change expands its application to content personalization and AI responses. The company is also simplifying its data management settings: the two existing options — “Your activity off Meta technologies” and “Activity from other businesses” — will be merged into a single setting called “Activity from other businesses.” Users can disable personalization, but Meta clarifies that doing so will not stop it from collecting their data; businesses can still share data with Meta, which the company will use to improve its services, including AI training. The change, rolling out next month in the US and several other countries, also raises concerns about future ad integration within AI chats. Meta already shows targeted ads based on AI interactions, and this move could pave the way for sponsored recommendations within Meta AI conversations. Users in the UK can already pay to remove ads from Facebook and WhatsApp, but it remains unclear if that option will expand to the US.

Meta now wants to use your activity from other websites to personalize its AI →

Norwegian Authority Fines Elkjop NOK 20 Million for Loyalty Program GDPR Violations

Norway’s data protection authority, Datatilsynet, has imposed a NOK 20 million fine on Elkjop Nordic AS and Elkjop Norge AS after a multi-year investigation into the electronics retailer’s customer loyalty program. The decision, dated June 1, 2026, found four distinct violations of the GDPR affecting more than six million club members across the Nordic region. The central violation involved the consent mechanism: customers were required to accept all data processing at once — including newsletters, text messages, profiling, and analytics — without any option to pick and choose. Datatilsynet ruled that the consent was not specific, not freely given, and not informed. The company internally described the approach as “all or nothing” and as a “package.” Moreover, information provided at store checkouts varied depending on which employee served the customer, creating inconsistent disclosure. Elkjop had internally discussed the consent design in February 2022 and acknowledged the risk of invalidity, yet kept the mechanism in place. The fine is one of the most detailed public rulings on how loyalty programs must handle consent, purpose limitation, and data subject rights under European data protection law.

Elkjop hit with NOK 20m GDPR fine over loyalty club consent failures →

Thirteen Australian Government Agencies Exposed by VIQ Solutions Data Scandal

An expanding data breach scandal involving transcription company VIQ Solutions now implicates 13 Australian government agencies, raising national security concerns and prompting calls for an urgent audit. VIQ Solutions breached its Commonwealth contract with the Federal Court by allowing highly sensitive court files to be accessed offshore in India. The company is being wound down and was removed from AusTender as an approved supplier by ASIC on March 19. Despite this, the Office of the Special Investigator (OSI), which investigates war crimes in Afghanistan, signed a new contract with VIQ on April 2 for commencement on April 8 — though the OSI states it made no payments and received no services. Other agencies that have used VIQ since 2019 include the Department of Defence, Services Australia, the ATO, and the Attorney-General’s Department. Former New South Wales Court of Appeals judge Anthony Whealy KC said the situation demonstrates a weakness in processes and protocols, emphasizing the need for full transparency and accountability. Last week, federal courts told Senate estimates that litigants in at least 146 court matters were potentially caught up in the breach, and documents show thousands of court files were accessed.

Thirteen government agencies used embattled transcription company VIQ Solutions raising concerns over nation’s data →