Section 702 of the Foreign Intelligence Surveillance Act expired at midnight on June 12, creating the first formal lapse in this surveillance authority in its modern history. The expiration followed Senate Democratic opposition to reauthorization tied to the nomination of Bill Pulte — who lacks intelligence or national security experience — as Director of National Intelligence. The immediate operational consequence is a gap in the legal basis for FBI access to 702-collected communications involving Americans, though reauthorization negotiations are expected to continue. Organizations subject to government data demands, or whose data flows depend on US-EU adequacy frameworks that reference US surveillance law, should assess exposure for the duration of the lapse.
Watch level: PREPARE (US national security counsel, transatlantic data transfer compliance teams, cloud and telecoms providers)
South Korea's Personal Information Protection Commission has imposed a record 620 billion won ($409 million) penalty on e-commerce platform Coupang for a personal data breach — the largest fine in the PIPC's history and nearly three times the previous record set against SK Telecom earlier this year. The rapid succession of nine-figure penalties signals a deliberate enforcement escalation, not an isolated event. Companies with Korean market exposure should treat the PIPC's demonstrated willingness to issue penalties at this scale as a structural feature of the regulatory environment, not an outlier.
Watch level: PREPARE (e-commerce operators, data-intensive platforms, and compliance teams with South Korean market exposure)
A convergence of EU-level signals indicates that a coordinated, wallet-based age verification architecture is emerging as the bloc's preferred regulatory response to child safety online. Ireland has designated age verification as a central priority for its EU Council presidency beginning July 2026 and is advancing a national digital wallet as the preferred mechanism. Separately, D9+ digital ministers published a Luxembourg Declaration endorsing privacy-preserving EU-wide age verification with explicit reference to the EU Digital Identity Wallet. The ETSI has simultaneously published more than 24 technical specifications for the EUDI Wallet ecosystem, covering identity proofing, trust list formats, and cross-border interoperability — creating a concrete standards foundation for the political architecture both declarations contemplate.
Watch level: PREPARE (age-assurance vendors, social media platforms, adult content operators with EU exposure, digital identity technology providers)
The ACLU's lawsuit against two Florida law enforcement agencies over a wrongful arrest from a false facial recognition match brings the documented US total to fifteen such cases. The suit implicates the FACES system, used by 263 agencies without formal auditing mechanisms. Concurrently, Türkiye's Personal Data Protection Board has ruled that biometric attendance monitoring by employers is generally unlawful, finding that neither statutory authorization nor employee consent provides a valid legal basis given the power imbalance inherent in employment relationships. These two developments — one in litigation, one in enforcement — reflect a common pressure point: biometric systems deployed at scale without proportionality analysis or independent accountability structures are drawing successful legal challenges across jurisdictions.
Watch level: PREPARE (law enforcement technology vendors, HR tech providers with biometric attendance products, employers operating in Turkish jurisdiction)
Federal AI preemption through a children's safety legislative vehicle — covered in Friday's briefing — has advanced further, with the White House and Senate Republicans pursuing a narrower approach pairing subject-matter-specific state law displacement with KOSA, the App Store Accountability Act, and the NO FAKES Act. The strategy's viability remains constrained by a divergent House Republicans package and the absence of a formal White House position on the combined measure. The Computer & Communications Industry Association separately filed an emergency Supreme Court petition to block the Texas App Store Accountability Act after the Fifth Circuit lifted a district court injunction, escalating First Amendment litigation as the industry's primary counter-strategy. Compliance teams should treat these two tracks — federal preemption negotiation and Supreme Court intervention — as parallel, not sequential.
Watch level: MONITOR (app store operators, platform counsel, state AG offices, ed-tech and social media compliance teams)
Brazil's adoption of Presidential Decree No. 12,976 on May 20, establishing a framework targeting online violence against women including AI-amplified harms, warrants attention from digital platforms with Brazilian market exposure. The decree was issued alongside Decree No. 12,975, which reforms intermediary liability, indicating a coordinated regulatory intervention rather than a standalone measure. Companies should assess compliance exposure across both instruments, particularly regarding algorithmic accountability and content moderation obligations. The Canadian Privacy Commissioner's completed finding that Grok's operators violated privacy law over deepfakes — previously noted as a finding under review — has now been formally published, establishing interpretive precedent for how PIPEDA applies to generative AI systems facilitating non-consensual synthetic imagery.
Watch level: MONITOR (platforms with Brazilian operations, generative AI developers, content moderation counsel)
Policy Signal · policysignalhq.com · Major privacy + AI governance moves, distilled.