Popular culture to deliver privacy messages

National Data Protection Authorities (DPAs) devote most of their resources to their customary focus on the data privacy laws, interpretations, guidance and enforcement. But some are now extending their horizons in awareness building to match the ever-expanding data privacy universe.

Novel communication approach to teenagers

These DPAs are now extending their methods of communication to engage with young people via novel artistic routes.

Their initiatives sometimes cross cultural gaps with a fresh approach. A good example is the CNIL’s current education programme in France via a manga(1) publication, a form of immersive cartoon and comic book which originated in Japan and is now popular with young people in many countries.

The CNIL is engaging with teenagers by using a manga style of communication addressing the digital risks that concern them, such as hacking, cyberbullying, identity theft, e-reputation, and cybersecurity. The CNIL’s aim is to motivate teenagers to discuss online privacy in a format they find attractive. So the CNIL worked with Faouzi Boughida, a video game scriptwriter, and Grelin, an illustrator and comic book author, to produce books in both electronic and paper formats.

The resulting manga style of publications, a data privacy adventure set in a high school, published by the CNIL in June in French and soon in English, are highly likely to stimulate teenagers’ interest in ways which more traditional methods may not.(2)

Femtech takes off

At PL&B’s International Conference in Cambridge in July 2023, Stephen Bonner, then Head of Regulatory Supervision at the UK’s ICO, confirmed that his office focused not only on harm already occurring but also before products and services come to market. He referred to issues such as problem gambling, and fertility and period tracking apps. This was the first time I had heard any DPA refer to femtech and, with these few words, he drew my attention to the issue.

Now in this August edition of PL&B International Report, we publish an article by Dr Maria Tzanou, a Senior Lecturer in Law at the University of Sheffield, UK, and Lead of the Leverhulme Trust funded project FemTech surveillance: Gendered digital harms and regulatory approaches. She makes substantive points about surveillance of women via femtech products and services, arguing that there are “problematic and often unlawful data collection practices.” I expect that this issue will become increasingly mainstream. Until now it has been rather neglected, although clearly close to the hearts and bodies of half the population.

The EU continues on its principled path

In the EU, the European Data Protection Board (EDPB) provides a common framework for national data privacy regulators and issues decisions binding on the national DPAs. But there are plenty of national differences about the way that the GDPR is interpreted and enforced in the European Economic Area Member States, as the national courts are not under EU jurisdiction.

Despite pressure from the new US administration, the EU continues on its principled and influential path in the data privacy law area. On 9 July, the EDPB discussed and issued an Opinion on GDPR simplification. On 22 July, the European Commission declared its approval of the adequacy of the UK’s new Data (Use and Access) Act 2025 to be followed by Opinions by the EDPB, the European Parliament and the Member States.

Despite a very different political context, the many new and revised laws in the Arab region are clearly influenced by the EU GDPR, some of them aspiring to EU adequacy to support their aim to become regional data hubs. But the new law in Malaysia is clearly less motivated in this regard.

Influential regional and common language DPA groups

Common language DPA groups are much less visible but nevertheless have their own significant spheres of influence.

The Spanish and Portuguese DPA group: The “Brussels effect” continues to be influential in Latin America, as can be seen by the example of Paraguay’s GDPR-inspired data protection bill. The group that brings the Spanish and Portuguese speaking DPAs together is the Ibero-American Network(3) and its permanent secretariat is held by Spain’s Data Protection Agency. Brazil’s DPA currently holds the Presidency and the Executive Committee of the Network is formed by the DPAs of Argentina, Colombia, Peru and Uruguay.

La Red Iberoamericana de Protección de Datos (RIPD) held its 22nd meeting in June in Cartagena de Indias, Colombia. The RIPD approved its 2026–2030 Strategic Plan, covering artificial intelligence, biometrics, and the protection of vulnerable groups, neuro-rights and neuro-technologies.. They also created an Ibero-American Data Protection Observatory as an analysis and foresight tool.

The French language group: The French language group is the Association of Personal Data Protection Authorities for which the initials are AFAPDP in French.(4) The AFAPDP's activities have developed around three pillars: promoting the protection of personal data, strengthening the capacities of its members and promoting French-speaking vision and expertise internationally.

The AFAPDP, with its secretariat in Paris, brings together independent DPAs from 23 states and governments that share a common French language, legal tradition, and values. An example of its influence is that in Africa, French-speaking countries such as Burkina Faso, Tunisia, Morocco, Madagascar, and Mali, now have privacy protection legislation.

Other initiatives by DPAs which expand their scope

Please contact Laura Linkomies, Editor, to draw our attention to initiatives by DPAs anywhere in the world which are expanding their attention to data privacy subjects beyond their traditional agendas, techniques and priorities.

Licensing PL&B material: If you wish to discuss re-using any articles published in PL&B Reports, please contact me.

Photos and videos from July’s PL&B 38th International Conference in Cambridge are now available on our website. Full videos may be accessed by participants. If you missed the conference, anyone who registers via our website may also pay and view them. The video highlights will be available later this month.

We are now putting together our plans for future events in London, Dublin and Birmingham, and look forward to meeting you during the year ahead.

Regards

Stewart Dresner
Publisher, Privacy Laws & Business

August 2025