The Mercor breach is the week's most consequential developing story, but the broader picture today is European: a cluster of GDPR enforcement actions across Romania, Belgium, and Greece reinforces that access request failures and DPA obstruction are active enforcement priorities, not theoretical risks. China's AI virtual human draft rules add a parallel biometric governance thread. U.S. activity is lighter, with one standards intervention and one state education bill awaiting executive action.
The Mercor breach has materially advanced since yesterday's coverage. The disclosed data is now confirmed to include biometric samples (facial and voice data) alongside identity documents, in a supply chain breach traced to the LiteLLM library. The practical question for enterprise AI buyers is downstream exposure: organizations whose vendors use Mercor-sourced training data, or whose employees interacted with Mercor's platform, may have biometric data at risk. The deepfake fraud vector is concrete, not speculative: biometric datasets at this scale lower the cost of synthetic identity construction. Security, legal, and procurement teams at AI companies with Mercor exposure should be reviewing contractual indemnification provisions, assessing liability exposure under state biometric privacy laws (particularly Illinois BIPA), and assessing breach notification obligations under state laws that treat biometric identifiers as personal information. Watch level: ACT NOW (AI company legal, security, and procurement teams with Mercor or LiteLLM exposure — breach is confirmed and in active escalation; biometric data exposure triggers state-law notification analysis now)
Eurail has disclosed that a December breach exposed passport numbers and personal data for more than 300,000 individuals, with the threat actor claiming 1.3 TB of exfiltrated data including source code, database backups, and customer support records. Passport numbers are the kind of identity data that pushes a breach toward the "high risk" threshold; supervisory authority notification under Article 33 GDPR and communication to affected data subjects under Article 34 are likely triggered if not already fulfilled. Compliance teams with exposure to Eurail's systems, or to Zendesk-based support infrastructure more broadly, should assess whether the customer support compromise creates vendor-side notification obligations of their own. Watch level: PREPARE (EU-based travel, logistics, and SaaS companies using shared customer support infrastructure — enforcement referrals are a plausible next step once supervisory review begins)
Romania's ANSPDCP issued two separate fines in the past reporting cycle: approximately €8,000 against Altex România for ignoring data subject requests and obstructing the DPA's inquiry, and approximately €3,000 against Your Consulting SRL for inadequate web application security controls. Read together, these actions suggest ANSPDCP is operating on both the Article 15 rights-fulfillment track and the Article 32 technical security track simultaneously. The Belgian APD's parallel decision, finding that reproducing the relevant emails satisfies the Article 15(3) obligation to provide a copy, offers a useful compliance data point: the modality of fulfillment matters, but reproduction of the source materials themselves can be sufficient. Practitioners managing high-volume DSARs in employment contexts should note the Belgian ruling as persuasive authority, though it is not binding outside Belgium. Watch level: MONITOR (EU privacy and HR counsel — enforcement signals are relevant to DSAR program design but no immediate action threshold is crossed)
CDT's formal comments to NIST urging anti-discrimination standards in LLM benchmark guidance are worth tracking for AI governance teams, even though no regulatory action has resulted yet. The intervention targets the standards layer specifically — if NIST incorporates disparate impact and disparate treatment testing requirements into finalized benchmark guidance, it would shape federal procurement expectations and likely influence enterprise AI audit frameworks beyond the public sector. The practical question is whether NIST's final guidance treats civil rights testing as optional best practice or as a documented requirement. Monitor the comment period close and NIST's response for signal on which direction the agency is leaning. Watch level: MONITOR (AI governance leads and federal contractors — NIST guidance is not yet finalized; this is an input to a process, not an output)
Policy Signal · policysignalhq.com · Major privacy + AI governance moves, distilled.