Data Privacy

SECURE Data Act Would Establish Federal Privacy Law

On April 22, 2026, U.S. House Energy and Commerce Committee Vice Chairman John Joyce, R-Pa., introduced the SECURE Data Act (HR 8413), the first major attempt in the 119th Congress to establish comprehensive federal consumer privacy rules. The bill would preempt state consumer privacy laws, data broker registries, and possibly some sectoral state laws through a strong preemption regime. If enacted, the bill would grant consumers rights to access, correct and delete personal data, obtain portable copies, and opt out of sales, targeted advertising and profiling. The bill would treat personal data of teens under age 16 as sensitive data requiring parental opt-in consent, expanding COPPA by three years. Enforcement would fall to the FTC and state attorneys general, with no private right of action.

AI for HR in Canada and the US: New 2026 Employer Obligations

Ontario employers with 25 or more employees must disclose AI use in job postings effective January 1, 2026, under the Working for Workers Four Act, 2024 — the only Canadian province with AI-specific disclosure requirements for hiring. In the United States, California, Illinois, New York City, and Texas explicitly regulate employer use of AI for hiring, promotion, and performance management, with additional access rights and bias-audit requirements in certain jurisdictions. Class-action litigation challenging AI tools in employment under anti-discrimination and background-check legislation continues to rise.

SECURE Data Act: Republicans Propose Federal Privacy Law Preempting State Laws

House Committee on Energy and Commerce Republicans introduced the discussion draft SECURE Data Act on April 22, 2026, proposing a federal comprehensive privacy standard that would preempt state laws including the CCPA and CPRA. The bill omits a private right of action and requirements for data protection impact assessments, data protection officers, or universal opt-out mechanisms. Key new provisions include an FTC-managed data broker registration, a Department of Commerce safe harbor program, and classification of children's data alongside health and geolocation as sensitive data. The bill was introduced jointly with a companion GLBA reform measure.

Estonia: 68 Data Violations Reported in Q1 2026

The Estonian Data Protection Inspectorate (AKI) published its Q1 2026 report documenting 68 data protection violations reported by organisations, representing a 5% increase compared to Q1 2025. Public sector entities (government agencies, local governments, and their subsidiaries) accounted for 31 of the reported cases. The report provides incident examples and prevention recommendations, including guidance on session management, browser hygiene, and mitigating risks from infostealer malware targeting personal devices used for work purposes.

Why Prescription Packaging Displays Personal Data

The Latvian Data State Inspectorate (DVI) has issued guidance explaining why pharmacy names and pharmacist identifiers appear on prescription drug packaging. The pharmacy name is legally required to verify dispensing and process reimbursement claims, while patient surnames are not required and may be omitted on request.

2 Legal Consultant Vacancies, Data Protection, Latvia

The Latvian Data Protection Inspectorate (DVI) has posted two legal consultant vacancies for its Prevention Division. The positions involve legal consultation work related to data protection matters under Latvian and EU data protection law. No regulatory obligations or compliance deadlines are established by this vacancy announcement.

Modified Opening Hours April 30, 8am to 1pm

On April 30, 2026, the Latvia DVI office will operate modified hours from 8:00 AM to 1:00 PM with a lunch break from 12:00 to 12:30. Telephone consultations will be available from 9:00 AM to 12:00 PM. The modified schedule is based on Article 135 of the Labour Law, as April 30 precedes the Labour Day public holiday.

EDPB Approves Europrivacy as First European Data Protection Seal, Issues Scientific Research Guidelines

The European Data Protection Board (EDPB) adopted guidelines clarifying personal data processing for scientific research purposes, alongside two opinions approving Europrivacy certification criteria as an EU data protection seal under GDPR Article 42(5). The guidelines identify six key factors for determining whether activities constitute scientific research under GDPR, confirm that further processing for scientific research is compatible with the original purpose without a compatibility test, and specify when data subjects' right to erasure and right to object may be restricted. EDPB also first recognized Europrivacy as a data transfer tool under Articles 42 and 46 GDPR for non-EU controllers under Article 3(2) GDPR. The scientific research guidelines are subject to public consultation until 25 May 2026.

EDPB Adopts Standardized DPIA Template, Public Consultation Until June 9

The European Data Protection Board (EDPB) has adopted a standardized Data Protection Impact Assessment (DPIA) template accompanied by an explanatory manual, aimed at simplifying GDPR compliance and strengthening consistency across Europe. The template provides predefined fields to help organizations structure, harmonize, and clearly demonstrate their DPIA procedures, minimizing procedural errors and saving time. Use of the template is voluntary; organizations may continue using their own risk-assessment methodologies. A public consultation is open until 9 June 2026, after which national supervisory authorities will adopt the template as a standard or meta-template with which national variants must align.

Quebec Privacy Law Private Sector Anonymization Regulations

Quebec's Act respecting the protection of personal information in the private sector (P-39.1) establishes rules governing the collection, holding, use, and communication of personal information by enterprises operating in Quebec. The law requires every enterprise to designate a privacy officer, implement governance policies and practices for personal information, and conduct privacy impact assessments for any acquisition, development, or redesign of information systems. The table of contents references a companion anonymization regulation (A-2.1, r. 0.1) and a confidentiality incidents regulation (A-2.1, r. 3.1).

Loi sur l'accès aux documents des organismes publics et sur la protection des renseignements personnels

This is Quebec's foundational access to information and privacy protection statute (chapter A-2.1), establishing the regime governing public document access and personal information protection by public bodies. The law applies to documents held by all designated public organisms — government, ministries, municipal bodies, school boards, and healthcare and social services institutions — regardless of format (written, graphic, sound, visual, computerized, or other). Professional orders are also subject to the Act as specified under the Professional Code. The Commission d'accès à l'information (CAI) oversees compliance and exercises the powers assigned to it under the Act.

Hamburg DPA Annual Report 2025: 4,200+ Submissions, €492k Fine, AI Dominates

The Hamburg Data Protection Authority (HmbBfDI) has released its 34th Annual Data Protection Activity Report covering 2025. The report documents over 4,200 submissions—a 60 percent increase year-over-year—with this trend continuing at plus 10 percent through February 2026. The authority imposed a fine of €492,000 on a financial services company for rejecting credit card applications via automated decisions and subsequently failing to fulfill its legally required information and disclosure obligations when affected individuals requested access. AI-related issues feature prominently: complaints about social networks have nearly tripled, and HmbBfDI has ongoing investigations into Meta's AI training with user data from social networks and Meta's Ray-Ban AI glasses.

6. Hamburger Datenschutzforum: Reform des Datenschutz- und KI-Rechts

The Hamburg Data Protection Commissioner (HmbBfDI) and the Hamburg Society for the Promotion of Data Protection will host the 6th Hamburg Data Protection Forum on May 6, 2026, from 14:00–17:00 at the Handelskammer Hamburg. The event will address the EU Digital Omnibus reform of data protection and AI law, with speakers including Thomas Fuchs (HmbBfDI) and Max Schrems discussing proposed changes to GDPR obligations, AI training regulations, and the right of access under Art. 15 GDPR. Attendance is limited and registration is required.

Norwegian Schools Survey on Privacy in Free Apps Used by Children

Datatilsynet (Norway's data protection authority) surveyed 38 free online services used by children in Norwegian schools as part of the Global Privacy Enforcement Network (GPEN) coordinated initiative, conducted in November 2025. Key findings include: 28 services collected personal data and 14 shared it with third parties for marketing; only 12 of 20 services claiming age limits had actual age-verification functions, and 10 of those were bypassable; and 3 services involved data processing assessed as high risk for children. Datatilsynet is not conducting supervisory action but is publishing recommendations for municipalities and schools to apply when approving digital tools for classroom use.

Norway DPA Responds to Health Crisis Legislation Proposals, Flags Privacy Gaps

Datatilsynet (Norway's Data Protection Authority) has submitted formal consultation responses to two proposed laws from the Ministry of Health and Care Services: the proposed Health Preparedness Act (helseberedskapsloven) and the proposed Infection Control Act (smittevernloven). The DPA finds that privacy impact assessments in both proposals are insufficient, raising concerns about extensive personal data collection without consent, extended registry use, and prolonged data retention periods. The authority cites its experience with the Smittestopp coronavirus app, where it had to issue a temporary prohibition due to inadequate documentation of necessity and violations of data minimisation principles.

Norway Proposes New Rules for Financial Data Sharing

Finansdepartementet submitted Proposition 39 L (2025-2026) to Stortinget on March 20, 2026, proposing expanded data sharing among financial institutions for economic crime prevention. Datatilsynet's consultation feedback was largely incorporated, including strengthened purpose limitation requirements, safeguards for sensitive personal data with a maximum five-year retention period, and explicit legal basis for processing special categories under GDPR Articles 9 and 10.

Training Session on Data Protection Basics, 15th Jun

CNPD Luxembourg published an announcement for a data protection basics training session scheduled for 15 June 2026. The English-language version of the page contains no substantive content and redirects users to the French-language version of the same page. No compliance obligations, registration details, or further information are provided in the available content.

CNPD Wins Court Judgment Against Amazon for GDPR Violations

The Luxembourg Administrative Court on March 12, 2026 endorsed the CNPD's 2021 compliance order against Amazon Europe Core S.à r.l. for GDPR violations related to online behavioural advertising, confirming that Amazon's reliance on legitimate interests as a legal basis was not justified. The court also upheld the CNPD's finding that Amazon's information procedures did not comply with GDPR at the time of the decision. Amazon had already complied with the compliance order prior to the hearing. However, the court annulled the financial penalty, citing post-decision CJEU case law requiring a different analytical framework for assessing whether Amazon demonstrated negligence.

Gyerekeknek szóló adatvédelmi rajzpályázat a NAIH-tól

A NAIH adatvédelmi témájú gyermekrajz-pályázatot hirdet általános iskolás tanulók számára, beküldési határidő: 2026. május 20. A pályamunkákat zárt borítékban kell benyújtani.

NAIH Warns Public Bodies About Lawful Document Destruction Requirements

Hungary's NAIH issued a public notice on April 17, 2026, warning all public bodies that destruction of public interest data must comply with statutory procedures, including proper authorization, archival approval, and documentation. The authority explicitly references Section 220 of the Criminal Code, stating that unauthorized destruction may constitute the criminal offense of 'Abuse of Public Interest Data,' and that obstructing access to public interest data may also trigger disciplinary or labor law liability.

EU Parliament Rejects Chat Control 1.0 Extension

The European Parliament voted 228 in favor, 311 against, and 92 abstentions on March 26, 2026, to reject the European Commission's proposal to extend the temporary exemption under Regulation (EU) 2021/1232 (Chat Control 1.0). As a result, the legal framework permitting providers of interpersonal communications services—webmail, messaging, and VoIP—to voluntarily detect, report, and remove CSAM in private communications ceased to apply starting April 4, 2026. Negotiations on the permanent framework (Chat Control 2.0 / CSAR) continue, with the next trilogue expected in April 2026.

Guidelines 1/2026 on Good Legislation for Personal Data Processing

The Hellenic Data Protection Authority (HDPA) published Guidelines 1/2026 on good legislation in relation to personal data processing, dated 10 March 2026. The guidelines require that when a legal rule establishes, permits, or presupposes personal data processing, compliance with specific principles and guarantees derived from EU and national constitutional law is mandatory. The guidelines mandate that drafting bodies consult the HDPA, particularly for high-risk processing, and provide a comprehensive checklist covering processing purpose, legal basis, roles, recipients, data categories, retention periods, data subject rights, security measures, and international transfers.

EDPB Publishes Template for Data Protection Impact Assessments – Provide Feedback

The European Data Protection Board (EDPB) published a template for Data Protection Impact Assessments (DPIAs) to support organizations in reporting and consistent GDPR compliance across the EU. The template provides a step-by-step structure for presenting DPIA results and includes guidance on key concepts. A public consultation is open until 9 June 2026, after which EU national data protection authorities will adopt the template either as-is or as a national version.

Guidelines 1/2026 on Processing Personal Data for Scientific Research

Euroopan tietosuojaneuvosto on julkaissut ohjeistuksen henkilötietojen käytöstä tieteellisessä tutkimuksessa. Ohjeet selkeyttävät tutkimusdatan uusiokäytön sääntöjä, laajentavat suostumusmahdollisuuksia "laajaan suostumukseen" ja "dynaamiseen suostumukseen" sekä määrittelevät kuusi kriteeriä tieteellisen tutkimuksen tunnistamiseksi. Kommentit ohjeistuksen luonnokseen otetaan vastaan 25. kesäkuuta 2026 asti.

Europrivacy Certification Now Covers Non-EU Organizations

The European Data Protection Board approved updated Europrivacy certification criteria at its April 2026 plenary session and endorsed the use of Europrivacy certification as a tool for international personal data transfers under Articles 42 and 46 GDPR. The certification scheme has been expanded to cover non-EU controllers and processors subject to GDPR, including organizations offering products or services to Europeans or processing personal data for behavioral monitoring of EU residents. Non-EU data importers not directly subject to GDPR can now apply for Europrivacy certification to validate appropriate safeguards for data transfers they receive from the EU. The original Europrivacy criteria were approved in October 2022 as the first EU-wide data protection seal.

AZOP na EDPB Simpoziju privatnosti u Veneciji

Potpredsjednik EDPB-a i ravnatelj AZOP-a Zdravko Vukić sudjelovao je na Simpoziju privatnosti na Sveučilištu Ca' Foscari u Veneciji od 20. do 24. travnja. Konferencijska sesija 'Ključna obraćanja o međunarodnoj suradnji' naglasila je važnost jačanja suradnje među europskim tijelima za zaštitu podataka. AZOP je rangiran visoko po broju izrečenih kazni za povrede GDPR-a prema godišnjem izvješću EDPB-a.

EDPB Guidelines on Personal Data Scientific Research

AZOP reports that the European Data Protection Board (EDPB) has adopted Guidelines on personal data processing for scientific research purposes, providing interpretation of GDPR provisions applicable to scientific research data processing. The guidelines address conditions for processing, safeguards, and data subject rights in the research context. AZOP, as a member of the EDPB, shares this development with stakeholders in Croatia.

EDPB Vice President Vukic Highlights International Cooperation at Privacy Symposium

At its latest plenary session, the European Data Protection Board (EDPB) adopted Guidelines on Processing Personal Data for Scientific Research purposes. The Board also established a dedicated team to accelerate completion of anonymization guidelines. AZOP reports that EDPB Vice President Vukic highlighted the importance of strengthening international cooperation at a privacy symposium. The EDPB further adopted two additional decisions at this session, though details were not fully reported.

Director Position, Contentious Chamber, Belgian DPA, Deadline 23rd Apr

The Belgian Chamber of Representatives has issued a call for candidates for the position of Director of the Contentious Chamber of the Autoriteit voor Gegevensbescherming (APD). The Director will join the APD's Management Committee and lead the Contentious Chamber. Candidates must be Dutch-speaking magistrates. Applications must be submitted within thirty days of publication in the Belgian Official Journal (Moniteur belge), with a deadline of 23 April 2026. The application process is handled exclusively through the Chamber of Representatives.

AI Impact on Privacy, Belgian APD Brochure

The Belgian Data Protection Authority (APD) published on April 13, 2026 a first brochure entitled 'The Impact of Artificial Intelligence (AI) on Privacy', the inaugural publication of its 'AI & Data Protection' series. The brochure is aimed at citizens who interact with AI systems daily and explains how these systems function, the types of personal data they process, the associated risks, and the rights granted to individuals under data protection legislation. This initiative builds on APD's December 2024 publication on AI systems and the GDPR.

APD and UK ICO Sign Data Protection Cooperation Agreement at Venice

The Belgian Data Protection Authority (APD) and the UK's Information Commissioner's Office (ICO) signed a Memorandum of Understanding titled 'Cooperation in the Regulation of Laws Protecting Personal Data' at the Privacy Symposium in Venice, Italy. The agreement establishes a cooperation framework for cross-border data protection enforcement, including information sharing, best practices exchange, and coordinated investigations affecting both countries.

Denmark Opens New AI Sandbox Round for Applications

Datatilsynet and Digitaliseringsstyrelsen have opened applications for a new round of their joint regulatory AI sandbox. The sandbox offers free, hands-on guidance on GDPR compliance and the EU AI Act for companies, authorities, and organizations developing or using AI. Each sandbox engagement runs up to four months, is tailored to the specific project, and culminates in a public report sharing lessons learned. Applications are evaluated based on societal significance, level of innovation, and project maturity.

Denmark DPA 2025 Annual Report Published

Datatilsynet (Denmark's Data Protection Authority) has published its 2025 Annual Report, covering the authority's supervisory work, new guidance documents, updated enforcement practices, oversight of municipalities, supervision of AI use, international cooperation, consultation on legislative proposals, and trends in personal data breach notifications. The report also highlights the DPA's focus on advisory services supporting both citizens and data controllers. The report was published on March 31, 2026.

Danish DPA Approves Employer Sharing Union Data

Datatilsynet issued a decision in a complaint case where a union, on behalf of its member, challenged an employer's disclosure of personal data—including union membership information—to a third party in connection with an employment dispute between the parties. The third party was a relative of the employer and a colleague in the complainant's current position. Datatilsynet found the disclosure fell within the framework of data protection rules, noting the employer shared information with an advisor who assisted in hiring the complainant and would have the necessary qualifications to assist in the employment case. The DPA emphasised that information about party representatives—including union affiliation—is typically considered relevant to disclose to advisors when defending against legal claims.

Joint Declaration on AI-Generated Images and Privacy

The AAIP joined over 60 global data protection authorities in issuing a joint declaration addressing AI systems that generate realistic images and videos of identifiable persons without their knowledge or consent. The declaration outlines fundamental expectations including implementation of robust security measures to prevent misuse, transparency about AI capabilities, accessible mechanisms for individuals to request removal of personal content, and specific protections for children and adolescents. The declaration was adopted under the Global Privacy Assembly Working Group on International Enforcement Cooperation, with adherence from authorities spanning six continents.

AAIP Leads 65th Bureau Meeting on Convention 108+ Data Protection

Beatriz Anchorena, Head of the AAIP and President of the Convention 108 Committee Bureau, chaired the 65th Bureau meeting of the Council of Europe's Data Protection Committee on March 18–19. The meeting reviewed Convention 108+ ratification status, which stands at 33 ratifications with 5 additional ratifications required for entry into force. Participants advanced work on Model Contractual Clauses for cross-border data flows and guidelines on AI large language models and neuroscience under the 2026–2029 Work Programme. Observers included EDPS, EDPB, Ecuador's Superintendent of Personal Data Protection, Brazil's ANPD, and Interpol.

AAIP Investigates 5 ON LINE S.R.L. for Alleged Data Protection Violations in Telephone Debt Collection

The AAIP, as the enforcing authority for Argentina's Law No. 25.326 on Personal Data Protection, has initiated an investigation into 5 ON LINE S.R.L. following complaints about alleged illegitimate processing of debtor data during telephone collection activities. The agency has notified potentially linked entities to inform them of the ongoing proceedings and remind them of their legal obligations. If violations are confirmed, the applicable sanctions include fines, warnings, suspension, closure, or cancellation of data databases.

PIPC Chairperson Delivers Cyber Diplomacy Lecture to Ambassadors

PIPC Chairperson Kyung Hee Song delivered a special lecture on cyber diplomacy to ambassadors stationed in Korea, timed to coincide with Women's Month. The engagement reflects Korea's PIPC actively conducting international outreach on data protection and privacy matters. The announcement is published on the official PIPC website as a news item.

PIPC Korea AI Transformation, Pseudonymization, Privacy Notices April 2026

The Personal Information Protection Commission (PIPC) of Korea published a page listing ten recent notices and press releases from March 5 to April 22, 2026. Topics covered include AI transformation pathways, fact-finding reviews of customer service outsourcing across five sectors, an overhaul of pseudonymization guidelines to introduce a risk-based approach, a new one-stop support center for pseudonymized data, and initiatives to strengthen privacy responsibilities and management frameworks to prevent data breaches. Additional notices address ISMS/ISMS-P certification improvements, cyber diplomacy, and transparency in AI-era privacy policy.

Christie's Fined KRW 287.2M by Korea PIPC for Data Breaches

The Personal Information Protection Commission imposed a fine of KRW 287.2 million on Christie's for data breaches. The enforcement action was taken on April 22, 2026. This marks a significant enforcement outcome for an international commercial entity under Korea's data protection framework, signalling continued regulatory attention on cross-border data handling practices.

Access Your Health Information Rights in Australia

The OAIC published guidance explaining that Australian privacy law grants individuals a general right to request access to health information held by health service providers. The guidance specifies that providers should respond within 30 days, may charge a non-excessive fee for access, and must provide written notice if refusing a request. Individuals may authorize representatives, request information in specific formats, and lodge complaints with the OAIC if unsatisfied.

Australian Privacy Rights, Consent to Personal Information

The OAIC has published guidance explaining the requirements for obtaining valid consent to collect, use, and disclose personal information under Australian privacy law. The guidance distinguishes between express consent (verbal or written, required for sensitive information), implied consent (requires opt-out option), and bundled consent (combined requests that may not give individuals genuine choice). Individuals may withdraw consent at any time, and organisations must make withdrawal easy and accessible.

Access Your Australian Credit Report for Free Every Three Months

The OAIC has published guidance explaining that Australian credit reporting bodies must provide consumers with free access to their credit reports once every three months. Consumers are also entitled to a free copy if they have been refused credit within the past 90 days or if their credit-related personal information has been corrected. At other times, credit reporting bodies may charge a fee, provided it is not excessive.

UK ICO Media Centre News Blogs and Speeches Archive

The ICO Media Centre archive page provides a searchable index of the Information Commissioner's Office news releases, blog posts, speeches, and statements. Users can filter content by type (News, Blog, Speech, Statement) and date range, and sort by newest or oldest. No specific regulatory announcements, enforcement actions, or guidance documents are presented on this page itself.

Data Protection Basics AI Guide Available in French Only

The CNPD Luxembourg published a Data Protection Basics guide focused on AI on May 5, 2026. The English-language version of this page confirms the guide is currently only available in French. The full substantive content of the AI guide is accessible via the linked French-language page on the CNPD website.

DAAZ Workshop Feedback and Graduation Ceremony, Luxembourg, 29th April

The Luxembourg National Data Protection Commission (CNPD) announces a DAAZ feedback workshop and graduation ceremony on 29 April 2026 from 5:30 p.m. to 7 p.m. at the House of Entrepreneurship, 14 rue Erasme, L-1468 Luxembourg. The event targets business leaders, young female entrepreneurs, and DAAZ tool 'Finishers', and will be held in French. Registration is open via the House of Entrepreneurship website.

Türk Nippon Sigorta A.Ş. Veri İhlali Bildirimi – 193 Kişi Etkilendi

KVKK published Türk Nippon Sigorta A.Ş.'s data breach notification revealing that insufficient object-level authorization controls and query parameter manipulation on the company's claims inquiry screen allowed unauthorized access to third-party claims file contents. The breach began on April 6, 2026 and was discovered on April 9, 2026, affecting 193 individuals' personal data comprising names and vehicle license plates. KVKK's Personal Data Protection Board decided on April 22, 2026 to publish the notification on its website, with investigations continuing.

KVKK Publishes Data Breach Notice for English Time Eğitim Kurumları AŞ

KVKK published a public data breach notice regarding English Time Eğitim Kurumları AŞ following Board Decision No. 2026/798 dated April 15, 2026. The breach began April 4, 2026 and was discovered April 12, 2026, after attackers gained unauthorized access to the company's CRM panel and used automated tools to extract data in bulk. Approximately 300,000 individuals were affected, including students (whose identity, contact, location, and transaction data were exposed) and other personnel (whose identity, contact, location, and employment records were compromised).

Decreto 12.881/2026 Formaliza Reestruturação Regulatória da ANPD

Decreto 12.881/2026 e Resolução CD/ANPD nº 33 concretizam a transformação da Agência Nacional de Proteção de Dados em agência reguladora, concedendo-lhe as mesmas prerrogativas previstas na Lei nº 13.853/2019, incluindo receitas vinculadas e carreira própria de pessoal. A nova estrutura organiza-se em seis Superintendências — Executiva, Inovação Tecnológica, Regulação, Fiscalização, Relações Institucionais e Internacionais e Gestão Interna — além de uma unidade de Auditoria. Com aproximadamente 500 pessoas, a ANPD prevê a criação de 200 novos cargos por meio de concurso público para a carreira de Especialista em Regulação de Dados Pessoais.

ANPD Participates in Roundtable on Ethical AI Guide Public Consultation

ANPD participated in a roundtable discussion on April 10 at the Palacio da Justiça to contribute to the public consultation process for Brazil's Ethical AI Use Guide (Guia de Uso Ético de Inteligência Artificial). Director Lorena Giuberti Coutinho represented ANPD at the panel on 'Artificial Intelligence and Gender: Contemporary Challenges and Paths to Algorithmic Justice.' The guide, being developed by multiple federal entities through the Secretaria Nacional de Direitos Digitais (SEDIGI/MJSP), aims to inform the general public about AI functioning, uses, limitations, risks, and rights and duties in technology interactions. The document specifically addresses deepfake risks and recommendation algorithm effects on mental health, noting women and girls as the most affected demographic group.