Daily Briefing
April 10, 2026

15 signals · generated 08:00 UTC

European data protection authorities are driving the most consequential enforcement activity this week, with rulings from Finland, Spain, Italy, and Denmark collectively reinforcing four distinct compliance pressure points: access request fee practices, data accuracy obligations, health data operational controls, and the admissibility of unlawfully obtained data in public-interest proceedings. Against that backdrop, the Mercor biometric breach — covered yesterday — has developed materially: Meta has now formally suspended its engagement with Mercor pending investigation, and security analysts assess the incident may be the opening move in a broader extortion campaign targeting organizations exposed through the LiteLLM supply chain compromise.

The Finnish Data Protection Ombudsman's decision against a credit information agency (TSV/3375/2023) consolidates three angles into one ruling: improper deflection of access requests to a self-service portal, a €9.90 fee applied to repeat requests within twelve months, and a period under review stretching back to complaints filed as early as May 2018. Together, these findings signal that Finnish supervisory practice treats passive or automated access fulfillment as insufficient, and fee-charging for repeat requests as presumptively unlawful under Articles 12 and 15. Credit reference agencies, data brokers, and any controller relying on portal-based access workflows should treat this as a direct audit prompt. Watch level: PREPARE (credit bureaus, data brokers, and controllers using portal-based DSAR workflows across the EU)

Spain's AEPD imposed a €30,000 fine on an energy supplier (EXP202306737) after the company processed unverified customer connection data, triggering an unauthorized supplier switch affecting the wrong person. Notably, the AEPD reframed its enforcement theory mid-investigation — shifting from a lawful basis inquiry under Article 6(1)(a) to a data accuracy breach under Article 5(1)(d) — signaling that the authority is willing to pursue the most legally sustainable theory as evidence develops rather than commit to an initial framing. The practical question for energy, telecoms, and financial services operators is whether their onboarding and switching workflows include identity verification steps sufficient to meet the accuracy principle in operational, not just data-collection, contexts. Watch level: PREPARE (energy, telecoms, and financial services operators handling switching or onboarding workflows in Spain and the EU)

China's Cyberspace Administration has published draft Measures for the Management of Digital Virtual Human Information Services, requiring explicit consent for likeness and biometric data use, mandatory AI labeling, and prohibiting AI-generated personas from bypassing facial or voice authentication systems. The draft also targets minors specifically, banning simulated intimate relationships and exploitative AI services directed at children. Public consultation closes May 6; formal adoption is expected to follow. Organizations deploying synthetic avatars, voice clones, or AI-generated personas in China-facing products should begin mapping their technical implementations against the consent and labeling requirements now — particularly given the CAC's track record of moving quickly from consultation to enforcement after adoption. Watch level: PREPARE (AI product teams, legal, and compliance functions with China-market deployments involving synthetic media or virtual personas)

Denmark's Datatilsynet has ruled that a municipality may rely on unlawfully obtained recordings as evidence in child welfare proceedings, holding that Article 5(1) GDPR's fairness principle requires a case-by-case balancing of competing rights under Recital 4 rather than a categorical exclusionary rule. This is a significant interpretive position: it suggests that Danish supervisory practice will not automatically treat the taint of unlawful collection as disqualifying for subsequent processing where an overriding public-interest ground under Article 6(1)(e) is present. Practitioners advising public-sector clients — particularly in child protection, social services, or regulatory contexts — should note that this balancing approach does not immunize the initial collection, and organizations remain exposed to enforcement for the original unlawful act. Watch level: MONITOR (public-sector legal teams, child welfare agencies, and data protection officers in Denmark and EU jurisdictions monitoring DPA interpretive trends)

Top Signals

🇺🇸 breach: Meta suspends Mercor engagement as LiteLLM breach escalates toward extortion campaign
🌐 enforcement: Finland DPA rules repeat DSAR fees unlawful; portal-only fulfillment insufficient
🇨🇳 legislation: China CAC draft rules require consent and labeling for AI virtual humans; consultation closes May 6
🇪🇸 enforcement: Spain AEPD reframes enforcement mid-investigation from lawful basis to data accuracy; €30k fine issued

Policy Signal · policysignalhq.com · Major privacy + AI governance moves, distilled.