How did the second half of June go? An imminent question, I know. Here to answer it, yours truly.
Berry Picks
👩⚖️ The CJEU’s Grand Chamber ruled that Member States cannot impose broad, abstract obligations on online services established in other EU countries to prevent minors from accessing pornographic content. Instead, under the E-Commerce Directive’s country-of-origin principle, cross-border restrictions must target specific services and comply with the Directive’s procedural safeguards, including notifying the provider’s home Member State and the European Commission. At the same time, the Court confirmed that Member States may require individual providers to implement age-verification systems where necessary to protect children, provided the conditions for derogating from the country-of-origin principle are satisfied. The judgment balances the free movement of information society services with the protection of human dignity and children’s rights under the Charter.
The Court also clarified the limits of the E-Commerce Directive’s hosting safe harbour. Where a platform’s algorithms determine, in the operator’s own interest, under what conditions, how and in what order stored information is distributed, the operator exercises control over that information and can no longer be regarded as a neutral hosting provider. The judgment is likely to reignite debate over the legal consequences of algorithmic curation, particularly as recommendation systems become an increasingly central feature of online platforms.
☢️ A coalition of digital rights organisations led by Access Now called on the World Food Programme (WFP) to suspend its digital self-registration platform for Gaza following a cyberattack that exposed the personal data of around 600,000 Palestinian households. According to the organisations, the compromised information included names, identification numbers and location data collected through WFP’s aid registration system, which is used to distribute food and cash assistance. The coalition criticised the delay in notifying affected users, questioned whether adequate cybersecurity and data protection risk assessments had been carried out before deploying the platform, and argued that humanitarian organisations should adopt stricter data minimisation practices, shorter retention periods, independent security audits and context-specific impact assessments before collecting sensitive personal data in conflict zones. The incident serves as a stark reminder that, in humanitarian settings, cybersecurity failures can quickly become physical protection risks, raising difficult questions about the proportionality of large-scale data collection where access to essential aid depends on digital registration.
⚖️ Three judges of the International Criminal Court have filed suit in the U.S. District Court for the Southern District of New York after being designated under President Trump’s sanctions regime targeting ICC officials. The sanctions freeze any U.S.-based assets, prohibit U.S. persons from providing funds or services to the designated individuals, and, according to the complaint, have resulted in frozen bank accounts, cancelled payment cards, disrupted travel and restricted access to online platforms and financial services well beyond the United States. Two of the judges were sanctioned for participating in the Appeals Chamber decision allowing the ICC’s investigation into alleged war crimes and crimes against humanity in Afghanistan, including allegations involving U.S. personnel, while the third was sanctioned after sitting on the panel that authorised arrest warrants for Israeli Prime Minister Benjamin Netanyahu and former Defence Minister Yoav Gallant, for crimes against humanity and war crimes. The judges argue that the measures unlawfully punish them for judicial decisions taken in the exercise of their office, exceed the authority granted under the International Emergency Economic Powers Act (IEEPA), violate due process and undermine judicial independence. The case marks the first lawsuit brought by sanctioned ICC judges themselves and is likely to become a significant test of whether economic sanctions can lawfully be used against members of an international court for carrying out their judicial functions.
🦾 Garfield AI, the AI-powered law firm authorised by the Solicitors Regulation Authority (SRA), has reportedly secured what it believes is the first courtroom victory achieved by a regulated law firm built primarily around artificial intelligence. Acting for a freelancer seeking to recover around £7,000 in unpaid invoices, Garfield’s platform prepared the pre-action correspondence, pleadings and other litigation documents, while a human barrister represented the claimant before Wandsworth County Court. The claimant succeeded in full, and the defendant’s counterclaim was dismissed.
The significance of the case lies less in the value of the dispute than in what it signals for the future of legal services. Garfield is part of a new generation of AI-first firms seeking to make low-value claims economically viable by automating routine legal work that would often cost more than the debt itself. England’s regulatory framework, which permits alternative business structures and non-lawyer ownership of law firms, has allowed this model to develop within the regulated legal profession rather than outside it.

Berry Picks ft. The Algorithm
A little disclaimer: please bear in mind that the news items below have been summarised by AI, a pinch of salt and all.
🤖 Artificial Intelligence
The European Parliament approved amendments to the EU AI Act introducing a complete prohibition on artificial intelligence systems designed to generate child sexual abuse material (CSAM) or non-consensual “nudifier” images. The amendments also postpone certain obligations relating to high-risk AI systems and watermarking requirements in order to provide greater legal certainty during implementation. The prohibition represents one of the first explicit AI-specific bans aimed directly at protecting children from AI-generated sexual exploitation. — European Parliament | Tech Policy Press
The U.S. government’s interventions in Anthropic’s Fable 5/Mythos 5 models and OpenAI’s GPT-5.6 preview suggest an emerging de facto approval regime for frontier AI deployment. The episode has intensified concerns around export controls, national security, cybersecurity, AI sovereignty and international access to advanced models, while prompting calls for a clearer statutory framework rather than ad hoc executive intervention. Tech Policy Press | Reuters | Wired | TechCrunch | Euroactiv
The EU has published its Code of Practice on Transparency of AI-Generated Content to support compliance with Article 50 of the AI Act. The voluntary code sets out expectations around synthetic content, deepfakes, machine-readable marking and labelling, and will become a key reference point for assessing transparency compliance. Tech Policy Press
Türkiye has announced its 2026–2030 Artificial Intelligence Action Plan, placing digital sovereignty at the centre of national AI policy. The plan includes the development of the Turkish large language model “Bilge”, investment in data centres and cloud infrastructure, regulatory sandboxes and a human-centred legal framework. AA | T24 | AA
Norway will ban generative AI use in primary schools for pupils aged 6–13 from August, citing concerns over reading, writing and foundational learning skills. The policy allows later supervised use, sort of a staged approach to AI literacy in education. Transparency Coalition
Estonia will create digital identity codes for autonomous AI agents, aiming to clarify who is responsible for an agent’s actions and on whose behalf it operates. The initiative addresses a key legal gap around agentic AI, delegation and liability. Euroactiv | Euronews
In Türkiye, a lawyer is facing prosecutorial and bar disciplinary scrutiny after relying on AI-generated, false Court of Cassation citations in a petition. The incident has triggered debate over professional responsibility, verification duties and the limits of AI-assisted legal drafting. T24 | Memurlar.Net
👾 Blockchain & Crypto-Assets
The U.S. Federal Trade Commission (FTC) filed a major enforcement action against an international subscription scam network that allegedly deceived consumers through misleading digital products, hidden recurring charges and deliberately obstructive cancellation mechanisms. According to the complaint, the operation relied on a complex cross-border corporate structure involving entities in Cyprus and Ukraine to conceal responsibility while processing payments globally. The case is significant for digital consumer protection, cross-border enforcement and online payment regulation, demonstrating regulators’ increasing willingness to pursue sophisticated international subscription fraud schemes. FTC | TechCrunch
The Istanbul 1st Commercial Court of First Instance ruled that a dispute concerning cryptocurrency assets allegedly stolen through fraud on a digital banking platform falls within the jurisdiction of Türkiye’s specialised Financial Courts. Rather than examining the merits of the claim, the court issued a decision of lack of jurisdiction, reinforcing the procedural distinction between general commercial disputes and specialised financial litigation involving digital assets. Ministry of Justice Case Law
🪁 Children’s Rights in Cyberspace
The United Kingdom announced plans to introduce one of the world’s strictest social media regimes for minors by prohibiting access to social media platforms for individuals under the age of 16. The proposed legislation, expected to be introduced next spring, would prevent children from creating accounts on platforms such as TikTok, Instagram and Snapchat, while also restricting livestreaming features and communication with unknown adults. The initiative forms part of the government’s broader online safety strategy following mounting evidence linking excessive social media use to deteriorating mental health among children and adolescents. While parent organisations broadly welcomed the proposal, digital rights organisations warned that mandatory age verification and identity checks may undermine privacy, anonymous speech and children’s access to online information. The Information Commissioner’s Office (ICO) and Ofcom both indicated that they would work closely with the government to implement and enforce the new framework if enacted. — Euroactiv | Al Jazeera | EFF | TechCrunch | CNBC | ICO | IAPP
Ofcom imposed an £80,000 fine on pornography provider First Time Videos LLC after concluding that the company had failed to implement effective age assurance measures required under the UK’s Online Safety Act. The decision marks one of the regulator’s earliest enforcement actions under the new legislation and signals that age verification obligations will be actively enforced against adult content providers. — Ofcom
Rhode Island enacted three new artificial intelligence laws specifically addressing children’s safety online. One law prohibits unlicensed AI systems from providing therapy or psychotherapy services. A second requires operators of AI chatbots to implement crisis intervention protocols whenever users express suicidal ideation or self-harm, including referrals to appropriate support services and reporting obligations to the Attorney General. A third law obliges healthcare providers to notify patients whenever AI is used to record or transcribe clinical consultations and to verify the accuracy of AI-generated medical documentation. Together, the legislation establishes one of the most comprehensive state-level regulatory frameworks governing AI systems interacting with vulnerable users. — Transparency Coalition
The G7 data protection authorities adopted a joint declaration promoting privacy-preserving age verification mechanisms and responsible governance of connected devices used by children. The authorities emphasised that age assurance technologies should only be deployed where legally required or where substantial risks justify their use, while minimising unnecessary collection of personal data and preserving children’s privacy rights. The declaration also addresses the responsible development of artificial intelligence systems affecting minors. — CNIL | BfDI | Garante
🎩 Competition
The European Commission reached a preliminary conclusion that Amazon Web Services (AWS) and Microsoft Azure should be designated as gatekeepers under the Digital Markets Act (DMA). According to the Commission, both providers occupy entrenched positions in the European cloud computing market, benefit from significant customer lock-in effects and increasingly function as essential digital infrastructure for artificial intelligence services. If formally designated, AWS and Azure will become subject to the DMA’s ex ante obligations, including restrictions on self-preferencing, interoperability obligations and enhanced regulatory oversight. The decision would represent the first application of the DMA to cloud infrastructure providers, significantly expanding the scope of the Regulation beyond consumer-facing digital platforms. — European Commission | European Commission Press Corner | Politico | Euractiv
Türkiye’s Competition Authority concluded its investigation into Meta’s integration of Threads with Instagram after accepting a package of legally binding commitments offered by the company. Under the commitments, users in Türkiye will be able to create and maintain a Threads account independently from Instagram, while Meta undertook not to combine user data across the two services without an appropriate legal basis. Following acceptance of these commitments, Threads has resumed operations in Türkiye. The case represents one of the Authority’s most significant digital markets interventions and illustrates the growing interaction between competition law and personal data protection in digital ecosystems. — AA | T24
Brazil’s Supreme Federal Court (STF) substantially expanded the civil liability of online platforms for unlawful third-party content. The Court held that platforms may incur joint liability where systemic failures contribute to the dissemination of illegal content or where platforms fail to remove unlawful material after receiving notice. The judgment also establishes a statutory “duty of care,” requiring major platforms to maintain effective moderation systems and legal representation within Brazil. The decision has attracted strong opposition from major technology companies and has become a focal point in international debates on intermediary liability and platform accountability. — Convergência Digital | Tech Policy Press
A Florida federal district court reaffirmed that content moderation decisions taken by social media platforms constitute protected editorial speech under the First Amendment. Although the judge described several provisions of Florida’s social media law (SB 7072) as unconstitutionally vague and practically impossible to comply with, existing U.S. Supreme Court precedent prevented the court from invalidating the legislation outright at this procedural stage. The litigation therefore continues despite the court’s serious constitutional concerns. — Techdirt
Apple agreed to permit alternative app stores and third-party payment systems in Brazil following negotiations with the Brazilian competition authority (CADE). The agreement mirrors similar regulatory developments under the EU Digital Markets Act and Japanese competition law, reflecting a broader international trend towards reducing restrictions within mobile application ecosystems and limiting the market power of dominant digital gatekeepers. — TechCrunch
The U.S. Senate introduced the bipartisan JAWBONE Act, designed to prohibit government officials from coercing online platforms into removing lawful speech. The proposal would create a federal cause of action against officials engaging in unconstitutional pressure campaigns and require greater transparency regarding communications between government agencies and digital platforms. The bill follows years of litigation concerning alleged informal government influence over online content moderation decisions. — EFF | Techdirt
🔐 Cybersecurity
Anthropic’s Mythos model reportedly identified multiple security vulnerabilities within classified U.S. government systems during a security evaluation, discovering weaknesses within only a few hours. The episode demonstrated the considerable defensive potential of frontier AI systems while simultaneously prompting concerns that similarly capable models could also be exploited to identify offensive attack paths. The findings became one of the principal justifications cited by U.S. authorities when imposing temporary export controls on the models. — Euronews Next
The European Commission announced the creation of regional monitoring hubs dedicated to protecting submarine internet cables, supported by an initial budget of €8.3 million. The initiative follows increasing concerns regarding sabotage of critical communications infrastructure and seeks to improve monitoring, rapid incident response and resilience across Europe’s digital backbone. — Euractiv
Germany’s Federal Office for Information Security (BSI) announced its participation in Operation Endgame, a coordinated international law enforcement operation targeting several major malware families. Beyond providing technical analysis, the BSI has begun notifying affected German businesses and operators of critical infrastructure about compromised systems, reflecting the increasingly proactive role of national cybersecurity authorities under the evolving European cyber resilience framework. — BSI
Investigations revealed that Russian authorities allegedly used forensic software developed by Israeli company Cellebrite to extract data from the iPhone of a political activist despite the company’s earlier announcement that it had ceased operations in Russia. Human rights organisations argued that the incident demonstrates the continuing risks associated with commercial surveillance technologies and renewed calls for stronger export controls, technical safeguards and corporate accountability mechanisms governing digital forensic tools. — Access Now
🔏 Data Protection & Privacy
The Turkish Constitutional Court delivered a judgment concerning the processing of publicly disclosed personal data under the Law on the Protection of Personal Data (Law No. 6698). The Court held that the Personal Data Protection Authority (KVKK) violated the constitutional principle of legality by imposing an administrative fine based on the concept of the “purpose of public disclosure” (“alenileştirme amacı”), despite that concept not being expressly defined in the statute. Stressing that administrative sanctions interfering with fundamental rights must rest on sufficiently clear and foreseeable legal provisions, the Court annulled the sanction and established an important precedent for future KVKK enforcement. — Resmî Gazete | M. Bedii Kaya
The Court of Justice of the European Union ruled that a supervisory authority may not reject a GDPR complaint solely because judicial proceedings concerning the same subject matter are pending before national courts. The Court confirmed that administrative complaints and judicial remedies provided under the GDPR are complementary and may proceed simultaneously, ensuring that data subjects enjoy effective and independent avenues of redress. — EUR-Lex
The European Data Protection Board (EDPB) updated its One-Stop-Shop Case Digest on the rights to object and erasure under the GDPR. The revised publication incorporates hundreds of additional supervisory authority decisions across the European Union, providing practitioners with an increasingly comprehensive overview of enforcement trends relating to Articles 17 and 21 GDPR. — EDPB
The Irish High Court largely upheld the Irish Data Protection Commission’s findings against TikTok concerning unlawful transfers of personal data to China and failures to satisfy GDPR transparency requirements. However, the Court annulled the immediate suspension order requiring TikTok to halt transfers, directing the DPC to reconsider that aspect of its decision in light of TikTok’s “Project Clover” data localisation programme. The judgment is expected to influence future enforcement relating to international data transfers. — GDPRhub
The Polish Supreme Administrative Court confirmed that a city mayor unlawfully processed personal data by accessing a former employee’s private Facebook account and using personal conversations during official proceedings. The Court held that login credentials and private social media communications constitute personal data under the GDPR and may not be accessed or used without an appropriate legal basis. — GDPRhub
The United Kingdom’s new statutory data protection complaints regime entered into force on 19 June. Under the new framework, organisations must establish internal complaint-handling procedures before complainants may escalate matters to the Information Commissioner’s Office (ICO). — IAPP
🛒 E-Commerce & Digital Consumer
The U.S. Federal Trade Commission (FTC) filed a major enforcement action against an international network accused of operating unlawful subscription schemes that allegedly deceived consumers through misleading digital products, hidden recurring charges and intentionally difficult cancellation procedures. According to the FTC, the enterprise used an intricate corporate structure spanning Cyprus, Ukraine and other jurisdictions to obscure responsibility while processing payments worldwide. The case highlights regulators’ increasing focus on subscription traps (“dark patterns”), cross-border consumer protection and digital payment enforcement. — FTC | TechCrunch
The Digital Economy Partnership Agreement (DEPA) concluded between the member states of the Organization of Turkic States entered into force in Türkiye following publication in the Official Gazette. The agreement establishes a common legal framework governing digital trade, electronic commerce, digital services, consumer protection, personal data protection and cybersecurity cooperation, with the objective of strengthening regional digital integration and facilitating cross-border digital commerce. — Official Gazette | Ministry of Trade
💻 Other tech
The U.S. Department of Transportation proposed removing the long-standing regulatory requirement that fully autonomous vehicles be equipped with brake pedals. The proposal applies exclusively to vehicles designed to operate without human drivers and is intended to eliminate regulatory barriers preventing large-scale deployment of autonomous driving systems. If adopted, the measure would modernise federal vehicle safety rules and benefit manufacturers developing purpose-built autonomous vehicles, including Tesla and other autonomous mobility companies. — TechCrunch
Türkiye amended its vehicle type-approval legislation by requiring manufacturers to submit conformity certificates electronically through the Union of Turkish Notaries. From 7 July 2026, certain categories of connected vehicles that fail to satisfy mandatory software update and cybersecurity requirements may no longer be manufactured or registered in Türkiye. The amendments align Turkish automotive regulation more closely with evolving international cybersecurity standards for connected vehicles. — Official Gazette
The European Parliament advanced negotiations on the Cybersecurity Act Revision (CSA2). The proposal strengthens the mandate of ENISA, expands the EU cybersecurity certification framework and introduces new tools to address ICT supply chain risks, including possible restrictions on suppliers considered high-risk for critical infrastructure. The reforms form part of the EU’s broader effort to enhance digital resilience and technological sovereignty. — European Parliament Think Tank
Featured image generated using DALL·E 3.