NicFab Newsletter
Issue 1 - December 16, 2025
Privacy, Data Protection, AI, Cybersecurity & Tech Law - Weekly Review
Welcome to the first issue of the weekly newsletter dedicated to privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, you’ll find a curated selection of the most relevant news from the previous week, with a focus on European regulatory developments, case law, enforcement, and technological innovation.
FROM THE PREVIOUS WEEK (December 8-14, 2025)
FROM MY BLOG
Cloud and AI Development Act: Europe Accelerates Digital Sovereignty with AI Gigafactories
In-depth analysis of the EU Council’s decision of December 9, 2025, on AI Gigafactories and the Cloud and AI Development Act. The article examines the three strategic pillars of European competitiveness in artificial intelligence: research and innovation for computational efficiency, conditions for data center investments, and the development of a secure, sovereign cloud. With 76 expressions of interest representing over €230 billion in potential investments, Europe is preparing to challenge American and Chinese dominance in AI through up to 5 ultra-scalable infrastructures, each equipped with over 100,000 advanced AI chips.
FROM EUROPEAN INSTITUTIONS
Court of Justice of the EU
Judgment C-485/24 - Locatrans (December 11, 2025)
The Court of Justice rules on the determination of applicable law in transnational employment contracts under the 1980 Rome Convention. The decision clarifies the criteria to follow when the habitual place of work changes during the employment relationship, providing essential guidelines for resolving conflicts of law in situations of cross-border worker mobility.
European Commission
X (Twitter) - EU Advertising Account Closure After Historic Fine (December 8, 2025)
X closed its advertising account in the European Union after receiving a $140 million fine from the European Commission for violations of the Digital Services Act. Elon Musk’s company claimed that the Commission exploited a vulnerability in its advertising platform. Musk’s angry reaction to the sanction raises concerns among DSA enforcement officials, highlighting growing tensions between Big Tech and European regulators.
Shaping Europe’s Digital Future - DG CONNECT Newsletter (December 11, 2025)
The European Commission’s Directorate-General for Communications Networks, Content and Technology publishes updates on ongoing digital initiatives, including developments on the Digital Services Act, Data Act, and strategies for European digital sovereignty.
Environmental Simplification Package (December 11, 2025)
The European Commission presents a new environmental simplification package to streamline regulations across environmental assessments, industrial emissions, and the circular economy. The initiative aims to reduce bureaucratic complexity while maintaining environmental and health protection standards, in line with the European Green Deal objectives.
European Parliament
Youth and Social Media - Italian Chamber of Deputies Hearing (December 9, 2025)
The joint Culture and Transport Committees of the Italian Chamber of Deputies held a public hearing, broadcast live on webtv, to examine legislative proposals on transparency and equal treatment on digital platforms. The meeting addressed issues related to freedom of expression and the dissemination of social information on digital channels, with particular focus on protecting minors online.
European Parliament Plenary Session - December 2025 (December 15, 2025)
The final plenary session of 2025 focused on geopolitical tensions and key themes: defense, human rights, trade, energy, and environment. The agenda reflected European priorities for the coming year, with particular attention to the implications of the war in Ukraine, transatlantic relations post-US elections, and implementation of the European digital framework.
DIGITAL MARKETS & PLATFORM REGULATION
European Commission - Digital Markets Act
Meta commits to offering choice on personalized advertising (December 8, 2025)
The European Commission recognizes Meta’s commitment to offer EU users a choice between Facebook and Instagram services with less personalized advertising, in compliance with the Digital Markets Act. This is the first time this choice has been offered on Meta’s social networks. Meta will provide European users with two options: (1) consent to the sharing of all personal data and see fully personalized advertising, or (2) share less personal data for an experience with limited personalized advertising. The new options will be presented to EU users in January 2026. The commitment follows close dialogue between the Commission and Meta after the Commission found Meta in breach of the DMA in April 2025, issuing a non-compliance decision regarding user choice.
Fifth meeting of the High Level Group on the Digital Markets Act (December 12, 2025)
The fifth meeting of the High-Level Group on the DMA was held, discussing with civil society experts and consumer representatives the role the group can play in coordinating the different regulatory frameworks applicable to digital markets. The group discussed possible ways to strengthen collaboration in the application and enforcement of the EU digital acquis. The High Level Group also approved a joint document on Artificial Intelligence that maps regulatory interactions relating to AI and proposes exploring closer cross-regulatory cooperation between competent authorities regarding the development and deployment of AI systems by gatekeepers. Other topics discussed include developments in public and private enforcement of the DMA, as well as the work of the thematic subgroups on data obligations, interoperability, and artificial intelligence.
EDPS - European Data Protection Supervisor
International Agenda on Data Protection and AI (December 9-12, 2025)
The European Data Protection Supervisor, Wojciech Wiewiórowski, participated in a series of high-level international events during the week:
- G7 Data Protection Roundtable (December 9-10): Virtual roundtable with G7 data protection authorities to coordinate common enforcement and supervision strategies, with particular attention to the impact of artificial intelligence on fundamental rights.
- AI Convention Conference - Warsaw (December 10): Speech on the panel “Key aspects of personal data protection in light of the AI Framework Convention”, analyzing the intersections between the Council of Europe’s Framework Convention on AI and the European data protection framework.
- Council of Europe Event - Warsaw (December 10): Speech on “The role of the Council of Europe’s Framework Convention on Artificial Intelligence in the protection of privacy and personal data”, jointly organized by the Council of Europe and the Polish Personal Data Protection Office.
- 5th High-level Group Meeting - Digital Markets Act (December 12, Brussels): Participation in the fifth meeting of the high-level group for the Digital Markets Act, strengthening coordination between EDPS and the authorities responsible for DMA enforcement.
This intense international agenda underscores the EDPS’s growing role in global coordination of data protection policies and in defining artificial intelligence governance standards, at a time when the intersection of the AI Act, the GDPR, and sectoral regulations requires an increasingly integrated approach.
Research and Innovation
Fourth EU-Moldova Horizon Europe Joint Research and Innovation Committee (December 3, 2025)
The fourth meeting of the EU-Moldova Joint Committee for Research and Innovation under the Horizon Europe programme was held in Brussels. This meeting represents an essential milestone in scientific collaboration between the European Union and Moldova, with a focus on collaborative research projects in the digital, AI, and cybersecurity fields.
ARTIFICIAL INTELLIGENCE
Research and Technological Developments
Leveraging Complex Network Features Improves Vaccine Stance Classification (December 8, 2025)
A study published in Nature Scientific Reports demonstrates that the use of complex network features significantly improves automatic classification of vaccine positions in social media. Researchers developed a model that, by analyzing both textual content and user interactions, achieves superior accuracy compared to methods that consider only text. The research has significant implications for the fight against health misinformation and for online sentiment analysis, central themes in debates over content moderation and public health protection on digital platforms.
Multimodal Knowledge-Enhanced Whole-Slide Pathology Foundation Model (December 12, 2025)
Published in Nature Communications, the article presents an advanced artificial intelligence model for analyzing whole slide images (WSI) that integrates multimodal knowledge and foundation model techniques. This approach enables more accurate analysis of pathological images, overcoming the limitations of previous models by incorporating related textual and visual information. The development raises relevant questions regarding AI Act compliance, medical device regulation, and health data protection.
Usage Analysis and Behavioral Patterns
Microsoft Copilot Usage Analysis: The 2 AM Philosophy Questions Phenomenon (December 12, 2025)
Microsoft’s analysis of Copilot usage reveals a fascinating behavioral pattern: conversations about religion and philosophy increase significantly during nighttime hours. This phenomenon reflects F. Scott Fitzgerald’s observation of the human tendency toward existential contemplation at night, demonstrating that this inclination persists even in the age of artificial intelligence.
The study offers fascinating insights into the relationship between humans and AI assistants, raising ethical questions about the nature of these interactions: are users replacing personal reflection with conversations with AI? What are the privacy implications of these intimate conversations? And how should this data be treated from a GDPR perspective, considering that it could reveal philosophical or religious opinions (special categories of personal data under Article 9 GDPR)?
Global AI Governance
AI Could Undermine Emerging Economies - Development Prospects (week of December 8-14)
The impact of artificial intelligence on emerging economies continues to be the subject of international debate. While developed countries accelerate AI investments, concern grows about the digital divide that could widen, with consequences for global economic competitiveness and access to opportunities generated by the AI revolution.
OECD - AI Policy & Research
AI and the Global Productivity Divide (December 8, 2025)
The OECD publishes a policy paper analyzing how artificial intelligence is exacerbating the global productivity divide between advanced and emerging economies. The study demonstrates that the adoption of generative AI tools can significantly improve workplace performance by 20-40% on specific tasks, but benefits are concentrated in countries with adequate digital infrastructure and AI skills. The research highlights critical challenges: skill gaps, legacy IT systems, and limited data access represent major barriers for AI adoption, particularly for SMEs and developing economies. The paper provides strategic recommendations for policymakers to ensure more equitable distribution of AI benefits.
AI Adoption by Small and Medium-Sized Enterprises (December 9, 2025)
New OECD working paper examines the specific challenges SMEs face in adopting artificial intelligence technologies. The research reveals that while large enterprises are rapidly integrating AI systems, SMEs lag behind due to structural barriers: insufficient technical expertise, outdated IT infrastructure, limited access to quality training data, and tight budgets. The study analyzes successful adoption models and identifies policy interventions that could accelerate AI diffusion among smaller businesses, crucial for maintaining competitive dynamics in digital markets and preventing further market concentration.
Harnessing Artificial Intelligence in Social Security (December 10, 2025)
The OECD releases a comprehensive report on AI applications in social security systems, examining how governments are leveraging AI to improve fraud detection, automate benefit assessments, and enhance citizen services. The report addresses critical governance challenges: ensuring algorithmic fairness, preventing discriminatory outcomes, maintaining human oversight in automated decision-making, and protecting sensitive personal data. With social security systems processing vast amounts of personal information under strict GDPR requirements, the study provides essential guidance for balancing innovation with fundamental rights protection. The report emphasizes that trustworthy AI deployment in public services requires robust risk management frameworks and continuous monitoring.
AI Adoption in the Education System (December 11, 2025)
OECD working paper explores the integration of artificial intelligence in educational systems across member countries. The research examines AI applications ranging from personalized learning platforms to automated assessment tools, while addressing critical concerns about data privacy, algorithmic bias in educational outcomes, and the need for AI literacy among students and educators. The study reveals that while AI holds significant promise for addressing educational challenges and improving learning outcomes, implementation remains uneven. The paper provides policy recommendations for governments to foster responsible AI adoption in education while safeguarding student data and ensuring equitable access to AI-enhanced learning opportunities.
CYBERSECURITY
Critical Vulnerabilities
React2Shell Vulnerability (CVE-2025-55182) - December 8, 2025
Check Point Research disclosed a critical remote code execution vulnerability affecting React 19.x and related server-side frameworks including Next.js 15.x/16.x. The React2Shell vulnerability enables unauthenticated attackers to achieve full server control via malicious HTTP requests targeting the server’s decoding process. Security researchers identified exploitation affecting 30+ organizations with approximately 77,000 IP addresses remaining vulnerable. The flaw allows attackers to intercept sensitive data, inject false transactions, and potentially pivot deeper into enterprise environments. Check Point IPS provides protection, but the widespread use of React-based frameworks makes this a critical concern for web application security. Organizations running affected versions should immediately apply available patches.
Vulnerabilities and Attack Campaigns
BRICKSTORM: Stealthy Backdoor for VMware vSphere Environments (December 8, 2025)
US and Canadian cybersecurity agencies have outlined BRICKSTORM, a stealthy backdoor used by China-affiliated hackers to infiltrate VMware vSphere environments and maintain long-term access. The campaign targeted government and IT services, stealing credentials via virtual machine snapshots and creating hidden machines. The attack poses a significant threat to enterprise virtualization infrastructures.
Check Point Threat Intelligence Report
ShadyPanda: 7-Year Campaign via Verified Chrome and Edge Extensions (December 8, 2025)
The threat actor ShadyPanda conducted a seven-year campaign weaponizing verified Chrome and Edge extensions to infect over 4.3 million devices with spyware. Capabilities included remote code execution, payload delivery, traffic redirection, credential and cookie theft, browser fingerprinting, HTTPS credential interception, and behavioral biometrics exfiltration. The discovery highlights the risks associated with browser extension supply chains, even when verified by official stores.
Check Point Threat Intelligence Report
Data Breaches and Security Incidents
Freedom Mobile (Canada): Breach on Customer Account Management Platform (December 2025)
Canadian wireless telecommunications provider Freedom Mobile suffered a data breach that resulted in unauthorized access to its customer account management platform and the theft of personal information, including names, addresses, dates of birth, phone numbers, and account numbers. The company did not disclose the exact number of customers affected.
Check Point Threat Intelligence Report
Marquis Software Solutions: Ransomware Attack Affects 74+ US Financial Institutions (December 2025)
Financial software provider Marquis Software Solutions disclosed a data breach that impacted over 74 banks and credit unions in the US, exposing sensitive data from over 780,000 customers. The Akira ransomware group is believed to be responsible for the attack, which exploited vulnerabilities in SonicWall firewalls to gain network access. The intrusion resulted in the exfiltration of aggregated datasets of high-value customers stored for analytics, marketing, and compliance. The attackers performed lateral movement in environments hosting multi-client data warehouses before deploying the ransomware. Check Point Threat Emulation protects against this threat (Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Akira).
Breach window: Initial compromise and ransomware deployment on August 14, 2025.
Disclosure window: Impact and victim count emerged through regulatory filings and press reports on December 3-8, 2025.
Check Point Report | FireCompass Analysis
Inotiv: Qilin Ransomware - Data Exfiltration of 9,500+ Individuals (December 2025)
American pharmaceutical company Inotiv confirmed a ransomware attack in August 2025. The Qilin ransomware group claimed responsibility, disclosing personal information of over 9,500 individuals, including current and former employees and their family members. The attackers gained unauthorized access to Inotiv’s systems between August 5 and 8, 2025, moved laterally to critical servers, exfiltrated data, and then deployed ransomware, encrypting internal systems and forcing the network shutdown. The scale of the data breach was publicly clarified in December reports. Check Point Threat Emulation and Harmony Endpoint protect against this threat.
Attack window: August 5-8, 2025 - unauthorized access, ransomware encryption, and data exfiltration.
Disclosure window: The extent of the data breach was publicly detailed in media and regulatory notices on December 4-7, 2025.
Check Point Report | FireCompass Analysis
TECH & INNOVATION INSIGHTS
Platform Updates & Software Releases
macOS Tahoe 26.2 - Official Release (December 12, 2025)
Apple released macOS Tahoe 26.2, the second major update to macOS Tahoe (version 26), introduced in September 2025. The update, identified with build number 25C56, introduces the new “Edge Light” feature designed to improve facial illumination during video calls on Mac.
Edge Light represents a significant evolution in video conferencing quality, using artificial intelligence algorithms to optimize facial illumination in real time during video calls. The feature automatically activates during FaceTime and compatible third-party video calls, analyzing ambient light conditions and applying dynamic corrections to improve face visibility.
From a privacy perspective, Edge Light technology processes video data locally on the device, in line with Apple’s privacy-first approach. No biometric data or video frames are transmitted to Apple servers for processing, respecting the principles of data minimization and privacy by design under GDPR.
The macOS Tahoe 26.2 update fits into Apple’s broader strategy of integrating artificial intelligence into productivity features while maintaining a focus on personal data protection through on-device processing. For Mac users in professional and enterprise settings, the update represents a significant improvement in the quality of remote communication, increasingly central to post-pandemic hybrid work models.
The update is available free for all compatible Macs through the Software Update section in System Settings.
Tech Culture & Digital Transformation
USA: Calibri is Too Inclusive - Return to Times New Roman (December 11, 2025)
The US State Department ordered the abandonment of the Calibri font, introduced in 2023 by the Biden administration, and the restoration of Times New Roman for all official communications. The decision, announced by Secretary of State Marco Rubio, is part of a broader context of reviewing the previous administration’s policies.
Though it may seem merely anecdotal, this issue raises interesting questions about digital accessibility: Calibri is considered more readable for people with dyslexia and other reading difficulties, and its adoption was also motivated by principles of inclusiveness. The return to Times New Roman could therefore have implications for the accessibility of public documents, a theme regulated in the EU by the European Accessibility Act, which will become fully applicable in 2025.
ANALYSIS COMMENTARY
The Week of Reckoning Between Big Tech and European Regulators
December 8-14, 2025, marked a turning point in relations between major technology platforms and the European Union, highlighting growing tensions in the enforcement of the European digital framework.
The X/Twitter affair dominates the week: after the record $140 million fine for DSA violations, the closure of the European advertising account represents a worrying escalation. It is no longer a matter of compliance or sanctions: it is a fracture in the relationship between one of the leading global platforms and the European market. Musk’s reaction – accusing the Commission of “exploiting a vulnerability” in the platform – reverses the narrative: it is no longer the platform that violates the rules, but the regulator that would act in bad faith. This position, however questionable from a legal standpoint, is politically relevant because it heralds a conflict that will go well beyond the specific case.
DSA guardians are uneasy, as EURACTIV reports. And they have reason to be: the enforcement of the Digital Services Act is based on the assumption of good-faith cooperation between platforms and authorities. If a Very Large Online Platform decides that sanctions are an acceptable cost for non-compliance – or worse, that it can simply withdraw services from the European market – the entire regulatory architecture wavers. The X/Twitter case is not isolated: it is the trial balloon to understand how far the EU is willing to enforce its rules when economic and political costs become significant.
On the AI research front, the studies published this week in Nature reveal impressive progress but raise immediate regulatory questions. The model for multimodal pathological analysis clearly falls under AI-powered medical devices: how will the Medical Device Regulation apply alongside the AI Act? Who is responsible when AI makes a wrong diagnosis? And, most importantly, have patients given real, informed consent for the use of their histological data in these foundation models?
Microsoft’s analysis on Copilot – with the “2 AM philosophy questions” phenomenon – takes us into the most disturbing territory of conversational AI. When human beings begin to discuss existential questions with AIs during their hours of greatest emotional vulnerability, we are facing a new type of data processing that GDPR did not anticipate. Nighttime conversations with Copilot potentially reveal:
- User’s emotional state (Article 9 GDPR - biometric data?)
- Philosophical/religious opinions (Article 9 GDPR)
- Exploitable psychological vulnerabilities
Is Microsoft storing these conversations? Is it using them for training? Are users aware that their nighttime existential crises feed AI models? Here we are beyond standard informed consent: a deep ethical reflection on the boundary between technical assistance and artificial emotional support is needed.
The judgments and institutional documents of the week – from the Court of Justice (Locatrans) to the Council documents on EU enlargement – show a Europe that continues to build its legal framework with meticulous precision. But while the EU refines its rules on transnational employment contracts and accession criteria, global platforms unilaterally decide whether to stay or leave the European market.
The Commission’s environmental simplification package is symptomatic: even in environmental matters – where Europe has always claimed leadership – it is admitted that regulatory complexity has become unsustainable. If this is true for the environment, how much more so for digital, where the speed of change is orders of magnitude higher?
The return to Times New Roman in the USA is the grotesque cherry on an already surreal week. That a government considers a font “too inclusive” and decides to return to one that is less accessible to people with reading difficulties says a lot about the political direction. But it is also a reminder that digital accessibility – which Europe is codifying with the European Accessibility Act – is far from taken for granted and can be subject to political rollbacks.
In summary, this week shows a Europe that continues to build the world’s most sophisticated digital regulatory framework, while platforms weigh, ever more openly, whether to accept these rules or walk away from them. The DSA is law, but enforcement requires platforms to want to remain in the European market. And if they don’t want to?
The question underlying the entire week is: how much is the European market worth to Big Tech? The answer will determine whether the European regulatory model is globally exportable or will remain an isolated experiment progressively circumvented.
Elon Musk made his move. Now it’s Europe’s turn to respond. And the response cannot be just another fine.
📧 Edited by Nicola Fabiano
Lawyer - Studio Legale Fabiano
🌐 Studio Legale Fabiano: fabiano.law
🌐 Blog: www.nicfab.eu
🌐 DAPPREMO: www.dappremo.eu
Feedback and suggestions are always welcome to improve future editions. See you next Tuesday!