Mailfence Privacy Digest January 2026, N°9

Featured image for the Mailfence Privacy Digest January 2026

Table of Contents

Share this article:

Welcome to the January edition of Mailfence’s Privacy and Cybersecurity Newsletter! As 2026 begins, the digital privacy landscape is shifting on multiple fronts. This month brought a wave of breaches – from 149 million stolen credentials surfacing on an unsecured server to Nike investigating claims that hackers grabbed 1.4 TB of internal data. A class-action lawsuit now challenges whether WhatsApp’s “end-to-end encryption” is as private as Meta claims. Meanwhile, a landmark ASPI report revealed how China has become the world’s largest exporter of AI-powered surveillance technology, and President Trump signed an executive order targeting state-level AI regulations after Congress rejected a ten-year moratorium. On the regulatory front, California launched its ground-breaking DROP platform, the EU unveiled sweeping cybersecurity reforms, and the UK’s Data (Use and Access) Act began reshaping British privacy law. Here’s what happened this month:

149 Million Credentials Exposed, Including 48 Million Gmail Accounts: Security researcher Jeremiah Fowler discovered an unprotected 96 GB database containing login details harvested by infostealer malware, with no password or encryption.

WhatsApp Encryption Under Fire in Class-Action Lawsuit: International plaintiffs allege Meta can access “virtually all” WhatsApp messages despite end-to-end encryption claims, citing unnamed whistleblowers. Meta denies the allegations.

California Launches DROP: One-Click Data Deletion from 500+ Brokers: The world’s first government-run data deletion platform now allows California residents to request removal from all registered data brokers with a single submission.

China Becomes World’s Largest AI Surveillance Exporter: A December 2025 ASPI report details how the CCP has embedded AI into censorship, criminal justice, and online control – and is now exporting these systems globally.

Trump Executive Order Targets State AI Regulations: After Congress rejected a ten-year moratorium in a 99-1 Senate vote, the administration signed an order creating mechanisms to challenge and condition funding for state AI protections.

AI Increasingly Used in Courts, Benefits Administration, and Lawmaking: From US federal judges consulting ChatGPT to algorithms reviewing Medicare claims, AI is increasingly present across government functions.

AI-Enabled Toys Raise Child Privacy Concerns: US lawmakers are raising alarms about Chinese-made toys with AI capabilities that store voice data and conversation histories on foreign cloud servers.

EU Cybersecurity Act Revision Targets “High-Risk” Suppliers: The European Commission unveiled sweeping reforms that could ban Chinese tech from critical EU infrastructure across 18 sectors.

UK Data (Use and Access) Act Takes Effect: Major changes to UK data protection law came into force, diverging from EU GDPR with new legitimate interest grounds and relaxed automated decision-making rules.

DeepSeek Faces Global Crackdown Over Data Sovereignty: Italy blocked the app in January 2025, Germany formally requested app store removal in June 2025, and the Netherlands banned it on government devices.

Data Protection Day 2026: Europe Debates GDPR’s Future: The EDPS and Council of Europe convened policymakers to examine how “regulatory simplification” can coexist with strong privacy safeguards.

149 Million Credentials Exposed, Including 48 Million Gmail Accounts

Security researcher Jeremiah Fowler discovered an unsecured database containing 149,404,754 unique login credentials – totalling 96 GB of raw data – left exposed online without a password or encryption. The database included an estimated 48 million Gmail accounts, 17 million Facebook logins, 6.5 million Instagram credentials, and millions more from Netflix, Yahoo, TikTok, banking platforms, and even government portals with .gov domains.

This was not a single company breach but rather an aggregation of credentials harvested by “infostealer” malware over an extended period. The data structure matched typical outputs from popular infostealer tools that capture keystrokes and stored passwords from infected devices. The database was actively being updated, suggesting ongoing criminal operations. Google confirmed awareness of the dataset but stressed its systems were not breached – the credentials came from malware on users’ personal devices.

To protect yourself, check whether your email appears in known leaks using haveibeenpwned.com or Google’s password checkup. Change passwords immediately for any exposed accounts, prioritising email, banking, and crypto wallets. Enable two-factor authentication everywhere possible – ideally using authenticator apps or hardware keys rather than SMS. Run a full malware scan on all your devices, as infostealers may still be active. Consider switching to a dedicated password manager with auto-fill, which defeats basic keyloggers by never actually typing your credentials.

Learn more: Data Leak Exposes 149M Logins, Including Gmail, Facebook (TechRepublic)

WhatsApp Encryption Under Fire in Class-Action Lawsuit

An international group of plaintiffs has filed a class-action lawsuit against Meta, alleging that WhatsApp’s “end-to-end encryption” claims are misleading and that the company can access user messages. Filed on 24 January 2026 in the US District Court for the Northern District of California, the complaint accuses Meta and its executives of defrauding WhatsApp’s billions of users worldwide by misrepresenting how their data is handled.

The lawsuit, which includes users from Australia, Brazil, India, Mexico, and South Africa, references unnamed “whistleblowers” who allegedly revealed internal processes. The plaintiffs allege that Meta employees can bypass encryption through internal systems – claims that Meta has categorically denied. According to the complaint, workers can allegedly read messages by sending internal “tasks” that, once approved, grant access via a widget using a user’s unique ID. Meta spokesperson Andy Stone called the lawsuit “a frivolous work of fiction,” stating that “WhatsApp has been end-to-end encrypted using the Signal protocol for a decade.” WhatsApp head Will Cathcart added that the company “can’t read messages because the encryption keys are stored on your phone.”

To limit your exposure, remember that even if message content is encrypted, metadata – who you message, when, and from where – is not. Review whether your chat backups are enabled on cloud services like Google Drive or iCloud, as these may not have the same encryption protections. Consider what information flows through “report” features, which by design allow WhatsApp to view flagged content. For the most sensitive communications, evaluate whether any centralised messaging platform meets your security needs.

Learn more: Lawsuit Claims Meta Can See WhatsApp Chats in Breach of Privacy (Bloomberg via Yahoo Finance)

California Launches DROP: One-Click Data Deletion from 500+ Brokers

On 1 January 2026, California launched the Delete Request and Opt-out Platform (DROP) – the world’s first government-operated system allowing residents to request deletion of their personal information from hundreds of data brokers with a single submission. Mandated by the 2023 Delete Act, DROP represents a fundamental shift in the balance of power between individuals and the multi-billion dollar data broker industry.

The platform is straightforward to use: California residents verify their residency, create a deletion request with basic information (name, date of birth, postcode, and phone number), and submit. The request then goes to all 545+ data brokers currently registered with the state. However, the impact will not be immediate – brokers are not required to begin processing requests until August 2026, after which they must check DROP every 45 days and respond to requests. Non-compliance carries penalties of $200 per request per day.

To take advantage of DROP if you are a California resident, visit privacy.ca.gov to submit your deletion request. You can also include your mobile advertising ID for more targeted deletion. Remember that DROP only covers registered data brokers – companies that collect and sell information without having a direct relationship with you – so continue exercising caution about sharing personal information online. For those outside California, DROP may serve as a model for future legislation in other states and countries.

Continue reading: California residents can use new tool to demand brokers delete their personal data (TechCrunch)

China Becomes World’s Largest AI Surveillance Exporter

A landmark December 2025 report from the Australian Strategic Policy Institute (ASPI) reveals how China has embedded artificial intelligence throughout its systems of political control – and is now exporting these technologies globally. Titled “The Party’s AI: How China’s New AI Systems are Reshaping Human Rights,” the report details rapid advances between 2023 and 2025 in four key areas: multimodal censorship of politically sensitive images, AI integration into the criminal justice pipeline, industrialised online information control, and AI-enabled platforms operated by Chinese companies abroad.

The findings are stark. China’s biggest tech companies – including Tencent, ByteDance, and Baidu – have become “key enablers and enforcers of the CCP’s online content censorship policies,” developing AI censorship platforms they sell to smaller companies throughout China. In the criminal justice system, AI now recommends whether judges should arrest or grant suspended sentences to defendants, whilst “smart prisons” monitor inmates’ facial expressions and emotions. Chinese companies are also developing large language models for minority languages including Uyghur, Tibetan, and Mongolian – ostensibly to improve surveillance of these communities. “AI has become the backbone of a far more pervasive and predictive form of authoritarian control,” said ASPI analyst Nathan Attrill.

To protect yourself, understand that Chinese AI models are increasingly dominant as open-weights alternatives, meaning other countries’ companies and research units may adopt them for cost reasons. As ASPI researcher Qiang Xiao warned, “if you use those models, you’re fundamentally sitting on their platforms – the censorship and the surveillance and the control, the influence, come with it.” Evaluate the origin and governance of AI tools you use, and support international efforts to establish human rights standards for AI deployment.

Read more: China’s censorship and surveillance were already intense. AI is turbocharging those systems (CNN)

Trump Executive Order Targets State AI Regulations

On 11 December 2025, President Trump signed an executive order aimed at limiting state-level artificial intelligence regulations through targeted litigation, conditional federal funding, and administrative pressure. The order, titled “Ensuring a National Policy Framework for Artificial Intelligence,” came after Congress twice rejected proposals for a ten-year moratorium on state AI laws – first stripping it from the One Big Beautiful Bill Act in a 99-1 Senate vote in July 2025, and later declining to include it in the National Defense Authorization Act.

The executive order empowers the Department of Justice to create a task force challenging state AI laws “on grounds that such laws unconstitutionally regulate interstate commerce, are preempted by existing Federal regulations, or are otherwise unlawful.” It directs the Department of Commerce to identify and publish a list of state AI laws that conflict with the administration’s “minimally burdensome” framework. The order also allows agencies to consider conditioning certain federal grants on states agreeing not to enact or enforce conflicting AI laws. However, the order does not directly preempt state laws – legal challenges would need to proceed through courts, and states could choose to forgo certain funding rather than comply.

To engage with these developments, understand that state privacy protections remain in effect whilst legal challenges proceed. White House AI advisor David Sacks clarified that the order is “not a national framework itself, or an amnesty or moratorium, but rather a statement of principles and a set of tools.” Monitor how your state responds and support organisations challenging federal overreach. The ultimate scope of the order will depend on court rulings, agency implementation, and whether states are willing to forgo federal funding to maintain their regulatory authority.

Continue reading: Trump signs executive order blocking states from enforcing their own regulations around AI (CNN)

AI Increasingly Used in Courts, Benefits Administration, and Lawmaking

Artificial intelligence is increasingly being used across government functions, often without broad public awareness. In the judiciary, US Circuit Judge Kevin Newsom has openly discussed consulting ChatGPT for legal research, whilst judges in Colombia, Brazil, and Japan have also acknowledged using AI tools – raising questions about transparency when litigants may not know an algorithm assisted in their case.

In the executive branch, AI algorithms play a growing role in administering public benefits. Private insurers running Medicare Advantage plans use automated systems to review and make coverage decisions, a practice that has drawn scrutiny from regulators and patient advocates concerned about algorithmic denials of care. Meanwhile, legislatures worldwide are increasingly turning to AI: Brazil passed a municipal law drafted entirely by AI in 2023, France developed a parliamentary AI model for amendments, and surveys suggest significant uptake among US state legislative staffers, though statistics vary by source.

To engage with these changes, understand that AI in government is a power-enhancing technology – it can strengthen democracy if used to amplify citizen voices, or concentrate power if tied to party leadership or lobbyists. Security expert Bruce Schneier notes that “we are not going to be fully governed by AI anytime soon, but we are already being governed with AI.” Support transparency requirements for algorithmic decision-making in public services, and advocate for disclosure when AI influences judicial proceedings. The choices made now about how governments deploy AI will shape accountability for years to come.

Read more: Are We Ready to Be Governed by Artificial Intelligence? (Schneier on Security)

AI-Enabled Toys Raise Child Privacy Concerns

US lawmakers have raised concerns about toys manufactured in China that incorporate AI capabilities. These toys can hold conversations with children, respond to questions, and often store voice data and conversation histories in cloud systems. The concern is that this data may be subject to Chinese data-access laws, potentially allowing foreign government access to recordings of children’s conversations.

While there is no confirmed evidence of data exfiltration to Chinese government systems, the potential risk has prompted congressional attention. For AI-enabled toys, the combination of always-on microphones, cloud connectivity, and foreign data storage creates a concerning risk profile. Children may share personal details, family information, or location data without understanding the implications, and parents may not realise how much data these toys collect and transmit.

To protect your children, research any internet-connected toy before purchase, paying attention to where the manufacturer is based and where data is stored. Review the privacy policy – if it mentions data storage in China or is vague about data handling, consider alternatives. Disable always-on listening features where possible, and supervise children’s interactions with AI-enabled devices. For toys already in your home, check if they have offline modes or if cloud features can be disabled.

Read more: California lawmaker proposes a four-year ban on AI chatbots in kids’ toys (TechCrunch)

EU Cybersecurity Act Revision Targets “High-Risk” Suppliers

On 20 January, the European Commission unveiled a sweeping revision of the 2019 Cybersecurity Act, introducing measures that could ban equipment from “high-risk” third-country suppliers across 18 critical sectors. Whilst the proposal carefully avoids naming specific countries, EU officials acknowledge it builds on longstanding concerns over Chinese technology groups – particularly Huawei and ZTE in mobile networks – and years of frustration over the uneven application of the EU’s voluntary 5G Security Toolbox.

The scope is broad, covering telecom networks, data centres, cloud services, connected devices, and even solar inverters – which Chinese companies have come to dominate in the EU market. Under the revised framework, the Commission would organise EU-level risk assessments and support restrictions or bans on equipment used in sensitive infrastructure. Most notably, the proposal includes provisions to potentially recall and phase out products already deployed if suppliers are later deemed high-risk – unprecedented regulatory reach that could force massive infrastructure overhauls.

To prepare, organisations operating in critical sectors should begin assessing their supply chain dependencies. Understand where your equipment comes from and whether suppliers might be classified as high-risk under the new framework. For businesses, the proposal’s focus on “non-technical” risks – particularly concerns about suppliers being subject to foreign government influence – signals that traditional security audits may no longer be sufficient. The proposals now move to the European Parliament and Council, with implementation likely several years away.

Continue reading: Brussels pushes for stronger cybersecurity oversight of high-risk technology suppliers (Euronews)

UK Data (Use and Access) Act Takes Effect

The main data protection changes introduced by the UK’s Data (Use and Access) Act 2025 came into force this January, marking the most significant divergence from EU GDPR since Brexit. The Act creates a more permissive framework for businesses whilst maintaining core privacy principles – part of the UK government’s strategy to position Britain as an innovation-friendly regulatory environment.

Key changes include a new “recognised legitimate interests” lawful basis that removes the need for balancing tests in certain circumstances, including crime prevention, national security, and – notably – direct marketing. The Act relaxes restrictions on automated decision-making, allowing it in wider circumstances provided transparency and human intervention safeguards remain. International data transfers now require only that the destination country’s protections are “not materially lower” than the UK’s, rather than the stricter “essentially equivalent” EU standard. Organisations must also implement accessible complaints procedures and acknowledge data protection complaints from individuals within 30 days.

To stay compliant, organisations processing UK personal data should review their privacy documentation to reflect the new lawful bases. The Information Commisioner’s Office has advised that law will be applied as it stands at the time of any infringement, so compliance planning should begin now. For businesses operating in both the UK and EU, the divergence creates additional complications – consider whether maintaining a single, stricter standard across jurisdictions is more practical than managing parallel compliance programmes.

Learn more: The Data Use and Access Act 2025: what does it mean for organisations? (ICO)

DeepSeek Faces Global Crackdown Over Data Sovereignty

Chinese AI startup DeepSeek is facing mounting regulatory pressure worldwide as governments cite data sovereignty, national security, and privacy concerns. Italy blocked the app from its app stores in January 2025. Germany’s Berlin Data Protection Commissioner formally requested that Apple and Google remove DeepSeek in June 2025 after the company failed to comply with EU data transfer requirements, invoking Article 16 of the Digital Services Act. The Netherlands banned the app on government devices, and Belgium advised government officials against using it.

At the heart of the controversy is DeepSeek’s data-handling policy. According to its own privacy policy, the AI chatbot stores user prompts, uploaded files, and behavioural biometrics – including keystroke patterns – on servers in China. Security researchers at NowSecure found the app transmits some data without encryption and uses hardcoded encryption keys, a fundamental security flaw. Wiz researchers discovered a publicly accessible database containing over one million sensitive records, including chat histories and API keys. Under Chinese law, particularly the 2017 National Intelligence Law, authorities can compel companies to hand over user data without notification.

To protect yourself, if you are considering using DeepSeek, understand that your data will be stored in China and may be accessible to Chinese authorities. For sensitive work, use AI tools from providers based in jurisdictions with strong privacy protections. Enterprise users should conduct independent security audits before adopting any AI platform and monitor outbound network traffic for unexpected data transmission.

Read more: Governments, Regulators Increase Scrutiny of Chinese AI Startup DeepSeek (Insurance Journal)

Data Protection Day 2026: Europe Debates GDPR’s Future

Data Protection Day on 28 January saw the European Data Protection Supervisor (EDPS) and Council of Europe convene a major conference examining how Europe can modernise its privacy framework without compromising core principles. Under the theme “Reset or refine?”, policymakers, regulators, academics, and practitioners gathered to explore whether “regulatory simplification” can coexist with strong individual safeguards.

The timing was pointed. The European Commission’s Digital Omnibus proposals, released in November 2025, would amend the GDPR to recognise AI development as a “legitimate interest” and introduce new legal bases for processing sensitive data in AI training. Privacy advocates have warned these changes could weaken protections, whilst industry groups argue simplification is overdue. The conference asked hard questions: How can Europe maintain its normative leadership in a rapidly changing technological landscape? And can the lessons from Convention 108+ – the first legally binding privacy treaty – inform the next generation of legislation?

To engage with these debates, follow the work of your national data protection authority and the EDPB, which has announced that transparency obligations under Articles 12-14 GDPR will be its coordinated enforcement focus for 2026. Regardless of how the regulatory landscape evolves, the core principles remain relevant: know what data you share, with whom, and why. As the frameworks shift, informed users remain the last line of defence.

Continue reading: Data Protection Day 2026: Reset or refine? (EDPS)

That’s All for This Month’s Newsletter!

January 2026 has opened the year with unmistakable clarity: the battle for privacy is now inseparable from broader questions about how AI reshapes power. From China exporting surveillance tools to 80+ countries to the Trump administration pressuring states to abandon AI protections, this month revealed how technology governance has become a proxy for deeper struggles over accountability and control. Yet amidst the concerning trends, there are reasons for measured optimism – California’s DROP platform proves that privacy tools can be built to serve people, and bipartisan congressional resistance to AI deregulation demonstrates that checks on concentrated power remain possible. As these forces collide, informed citizens remain the last line of defence. Thank you for reading, and we look forward to keeping you informed in February.

Best,

Patrick

Get the latest privacy news in your inbox

Sign up to the Mailfence Newsletter.

Reclaim your email privacy.
Create your free and secure email today.
Picture of Patrick De Schutter

Patrick De Schutter

Patrick is the co-founder of Mailfence. He's a serial entrepreneur and startup investor since 1994 and launched several pioneering internet companies such as Allmansland, IP Netvertising or Express.be. He is a strong believer and advocate of encryption and privacy.

Recommended for you