Privacy
Canada's Privacy Bill, AMD's Silent Kill, and G7 Action
Canada unveils major privacy reform, AMD quietly disables Ryzen memory encryption, UK regulator faces legal challenge, and G7 DPAs meet in Paris.
Canada Unveils Long-Awaited Privacy Overhaul, Targets Children’s Data and Surveillance Pricing
The Liberal government introduced Bill C-36, the Protecting Privacy and Consumer Data Act, on June 15, 2026, aiming to replace Canada’s outdated PIPEDA law from 1998. Artificial Intelligence Minister Evan Solomon said the bill would recognize privacy as a fundamental right, set higher standards for managing children’s data (classified as sensitive), and give Canadians the right to request deletion of personal information including deepfakes. It also takes aim at surveillance pricing—the use of browsing history, location, or purchase behaviour to set individualized prices—though the ban is not outright; the bill does not mention surveillance pricing directly, and Solomon will ask a new regulator to draft guidance once operational.
Ottawa introduces privacy bill covering children’s data and the right to request deletion →
AMD Silently Disables Memory Encryption on Consumer Ryzen CPUs
AMD quietly disabled Transparent Secure Memory Encryption (TSME) on consumer Ryzen processors via a firmware update, without any release note or advisory. TSME encrypts all RAM data with a hardware-generated key that changes on each boot, protecting against cold boot attacks and physical memory theft. The change was discovered in April by Linux user Ben Kilpatrick on a Ryzen 7 9700X. Investigation by MSI’s BIOS engineers revealed that an internal AGESA flag forces the feature off on consumer chips, even though the silicon is identical to Pro chips where TSME remains enabled. AMD’s engineers initially confirmed the feature worked on consumer Ryzen in past discussions, but now refuse to explain the removal, stating only that TSME ‘is a security feature only applied to PRO CPUs.’ Users who relied on TSME for physical security—including journalists and activists—lost protection without warning. The BIOS setting still appears but does nothing, leaving unanswered whether this is a bug or a deliberate business decision.
Your Ryzen CPU used to encrypt your RAM. A firmware update silently turned that off. →
UK Data Regulator Faces Legal Threat Over Dismissal of Complaints
The Good Law Project and Open Rights Group have threatened the UK Information Commissioner’s Office (ICO) with legal action, accusing it of ignoring thousands of data protection complaints. Under UK GDPR, the ICO received nearly 40,000 complaints in 2025 but issued only a handful of fines; over six years, it averaged fewer than seven fines per year from more than 220,000 complaints. A new complaint handling framework published on February 5, 2026, triages complaints by harm level, automatically shelving low- or moderate-harm cases without investigation. The groups argue this makes UK GDPR an ‘optional extra’ and forces individuals to pursue expensive private legal action. The ICO defends the framework as a strategic allocation of limited resources to the greatest risk of harm, stating that preliminary screening counts as an investigation. The pre-action correspondence cites inconsistencies with UK GDPR, and the Good Law Project has committed to taking legal action if the ICO continues to use the system to ignore valid complaints.
UK data regulator slammed over lack of action on complaints | Computer Weekly →
G7 Privacy Regulators Gather in Paris to Forge Cross-Border AI Enforcement Framework
On June 23, 2026, data protection authorities from all seven G7 nations will meet in Paris for a four-day roundtable chaired by France’s CNIL. The summit aims to finalize a cross-border case-sharing format that would enable DPAs to identify the same company, share evidence-gathering techniques, and align enforcement outcomes—ending regulatory arbitrage under GDPR where companies route data through lighter-touch jurisdictions. The meeting comes 48 days before the EU AI Act’s full enforcement obligations for high-risk AI systems take effect on August 2. Coordinated action would create compliance pressure that no major technology company could absorb as a simple cost of business. The working groups are finalizing the enforcement format that will determine how the next major cross-border data incident is handled. The summit also includes Privacy Research Day on June 24, highlighting the role of academic research as a regulatory tool. Political constraints from the Évian G7 leaders’ summit may limit ambitious coordination, but if Paris produces a joint statement aligning DPAs on the legal basis for AI training data, it would reshape enforcement across jurisdictions covering most of the world’s AI development.
G7 Privacy Regulators Head to Paris With AI Enforcement Deadline 48 Days Out →