Director of compliance strategy here at MailSPEC. We provide AI data classification and governance in sovereign control for regulated industries.

Joined August 2021
Solution: proprietary systems. Better compliance, access controls, governance, protection, immunization, integration... The data sovereignty is guaranteed.
AI security issues must be taken seriously, but an arbitrary measure like this will put in question reliance on 🇺🇸 LLMs and cause numerous actors to look more closely at 🇨🇳 open source solutions. anthropic.com/news/fable-myt…
Yes, Europe needs to wake up. Modern defense systems powered by AI are intertwined. So, relying on foreign codes is a massive risk. To preserve data privacy and security of robust defense capabilities, European nations need proprietary AI systems that don't leak data to foreign servers.
Honestly, the US blocking access to advanced AI is a good thing for Europe. The fact is the EU is lagging way behind in AI and other frontier technologies. We need to catch up, and fast. But there’s been little incentive to do so. Until now. Time for Europe to wake up.
The JACE on deck AI model delivers intelligent, tunable data classification that adapts to your policies, always in sovereign control.
NEW: U.K. advances proposal to force Apple, Google, Signal, & other platforms to scan private content on users’ devices — executives could face prison if they refuse.
the end to spam
Jun 13
The CNIL finally says what commercial prospecting by SMS or e-mail must look like in order to be legal l.clubic.com/tq
Special attention should be paid to data sovereignty. Countering foreign laws, safeguarding critical infrastructure, foreign hyperscalers, and protecting citizens' privacy and human rights are just some challenges. In today's world, data sovereignty is no longer optional. Do governments understand that?
What one country cannot do alone, Europe can do together. That is why Parliament is calling for a stronger EU budget for 2028-2034 and for new revenue sources to help finance it. Learn more: eubudget.europarl.europa.eu/
The normalization of mass surveillance. The illusion of free consent. Algorithmic bias and discrimination. Data security and mission creep. Continue the list...
Have you seen facial recognition used in a school or university? This technology raises serious privacy and human rights concerns. pvcy.org/frtmap
To prove someone is a child online, you must first prove who an adult is. The adults need to verify their identity. Any data privacy?
🆔Starmer's plans for child-locked devices is a Trojan horse for digital ID "The only way to escape Starmer’s Great British Firewall and get regular internet access is to undergo a digital ID check on the device to register yourself as an adult user. Convenient, perhaps, for a Prime Minister who has failed to get a digital ID system through the front door" - @silkiecarlo
Someone guesses a customer's password and reads their data. Clearly a breach.

Someone finds an exposed database and accesses it, but does not download anything. Still a breach, even without exfiltration.

Malicious code runs on your server, but you catch it before it accesses data. Probably not a breach.

You think someone might have accessed data, but you're not sure. You should probably notify anyway.

Your vendor gets hacked, and your customers' data is on their servers. Your breach, too, even though it was technically their system.

The last one is the one that catches most companies.
The breach notification problem starts with a simple question nobody can agree on: what counts as a breach? A data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." That sounds clear until you realize it could mean almost anything. Did someone access the data? Does it matter if they did not download it? Does it matter if we quickly revoke their access? Does it matter if the data was encrypted? Organizations interpret "breach" differently, with many deciding that minor security incidents do not count as breaches requiring notification. Regulators have started disagreeing with those interpretations, fining organizations for under-reporting breaches they genuinely believed did not qualify. Breach notification failures in enforcement investigations throughout 2025 revealed that organizations had experienced security incidents they classified as "not breaches" that regulators classified as "definitely breaches." That resulted in fines for both the underlying incident and the failure to notify.
Did unauthorized people access personal data? If yes, it's a breach.

Did the data get disclosed to people who should not have seen it? If yes, it's a breach.

Is the data encrypted? Does not matter if the encryption was also breached.

Do you think the attacker probably did not do anything with the data? Still a breach.

The notification requirement is conditional on whether the data was compromised. Most companies make this too complicated.
The problem with the DPIA requirement is that organizations have to make a judgment call about risk, and regulators have the authority to disagree with that judgment after the fact. That creates a structure where organizations either:

Option A: Do DPIAs conservatively. If you DPIA everything that might be high-risk, you are over-DPIAing, but you are also safe.

Option B: Skip DPIAs you think are unnecessary. If you are wrong about the risk level, the lack of DPIA becomes a documented violation.

Most companies choose Option B because DPIAs are expensive and time-consuming. Then enforcement happens and they wish they had chosen Option A.

Here is what actually counts as high-risk and requires a DPIA:

- Automated decision-making that significantly affects individuals (not optional recommendations, but decisions that determine access to services)
- Large-scale processing of special category data (health, biometric, genetic)
- Systematic monitoring of individuals (continuous tracking, behavioral monitoring)
- Profiling or scoring individuals based on personal data (credit scoring, hiring scoring, risk scoring)
- Vulnerable populations (children, the elderly, people with disabilities)
- Processing that involves tracking location, health, or sensitive behaviors
- Combining data sources in ways that create new inferences about individuals

If your processing falls into any of these categories, you probably need a DPIA. If your legal team has ever said, "I don't think we need a DPIA," you probably need a DPIA.
A DPO argued with her CTO about whether a new processing activity required a DPIA. The DPO said, "This looks like automated decision-making. That requires a DPIA." The CTO said, "It's just recommendations. Not actual decisions." The DPO said, "But you are using it to determine what customers see." The CTO said, "But they can still see other options." They went back and forth for two weeks. Finally, they decided: "It's probably not high-risk enough for a DPIA." Three months later, a regulator started investigating that exact system. The first thing the regulator asked for was the DPIA. The company had not done one. The lack of a DPIA became a documented violation separate from whatever the actual processing problem was.