10 Apr 2026 05:49 UTC
Daily Intelligence Briefing
Friday, 10 April 2026
Generated 06:00 UTC
Top Signals
Analyst Briefing

The EU's interim legal basis for voluntary private communications scanning has lapsed, and the European Parliament has declined to renew it. Google, Meta, Microsoft, and Snap have publicly pledged to continue CSAM scanning anyway — without a current legal foundation under the ePrivacy Directive. This creates a live compliance exposure for those platforms and raises a structural question about whether voluntary scanning, however well-intentioned, can survive scrutiny from national data protection authorities. The practical question is not whether enforcement will come, but which DPA moves first and on what theory.

The AEPD's SIM-swap enforcement decision (EXP202308705) deserves attention beyond its facts. Rather than grounding liability in Article 5(1)(f) or Article 32 — the security provisions most practitioners reach for in telecoms incidents — Spain's authority applied Article 6(1), treating the unlawful SIM transfer as a failure of lawful basis for processing. That doctrinal choice may indicate a broader enforcement posture: controllers who facilitate identity fraud through procedural failures could face lawful-basis challenges, not just security-design critiques. Telecoms compliance teams across the EU should map their SIM change workflows against this framing.

Events Timeline (131 events tracked)
08 Apr 2026 · 20:30 UTC · breach · 🇪🇺 EU · medium
Eurail December breach exposed passport numbers of more than 300,000 individuals
A December data breach at Eurail, the European rail pass operator, compromised passport numbers and personal data belonging to more than 300,000 individuals, with a threat actor claiming responsibility in February and asserting extraction of 1.3 TB of data including source code, database backups, and Zendesk support tickets. The exposure of passport numbers elevates the severity of the incident under EU data protection frameworks, likely triggering GDPR notification obligations to supervisory authorities and affected data subjects. Compliance teams should monitor for regulatory enforcement action and assess third-party vendor exposure given the reported compromise of customer support infrastructure.
08 Apr 2026 · 18:30 UTC · breach · 🇺🇸 US · high
Mercor Biometric and ID Document Breach Raises Deepfake Fraud Concerns
Mercor, a $10 billion AI training data supplier to Anthropic, OpenAI, and Meta, has disclosed a significant data breach involving biometric data—including facial and voice samples—and identity documents, stemming from a supply chain compromise of the open-source LiteLLM library attributed to hacking group TeamPCP. The exposure of biometric datasets at scale materially lowers the barrier for adversarial actors to construct synthetic identities and deepfake impersonations, with downstream risk extending to the enterprise and government clients of Mercor's AI company customers. Meta has suspended its engagement with Mercor pending investigation, and security analysts warn Mercor may be among the first in a broader extortion campaign targeting organizations exposed through the LiteLLM compromise.
08 Apr 2026 · 18:30 UTC · analysis · 🇪🇺 EU · low
EU AI Act constraints shadow mmWave emotion recognition dataset release
Researchers have published what they describe as the first publicly accessible emotion recognition dataset using millimetre-wave radar, framing the contact-free physiological sensing approach as privacy-preserving relative to camera or wearable-based methods. The release warrants attention in the EU context because the AI Act prohibits emotion recognition systems intended for workplaces and educational institutions, creating regulatory risk for downstream applications built on such datasets, even if the academic data-collection exercise itself falls outside that prohibition. Methodological limitations—fifteen homogeneous participants, Hollywood-clip stimuli, and unresolved questions about whether film viewing reliably induces discrete emotional states—further constrain the dataset's practical utility for cross-jurisdictional deployment.
08 Apr 2026 · 16:30 UTC · legislation · 🇬🇷 GR · medium
Greece introduces legislation restricting minors' access to social media platforms
The Greek government, under Prime Minister Kyriakos Mitsotakis, has proposed legislation to restrict children's access to social media, citing child mental health protection as the primary rationale. The proposal places Greece among a growing number of jurisdictions—including Australia and France—pursuing statutory age-restriction frameworks targeting major platforms. Compliance teams operating in the EU should monitor the bill's progression, as its scope and enforcement mechanisms remain subject to legislative review.
08 Apr 2026 · 16:30 UTC · standards · 🇺🇸 US · medium
Civil Society Urges NIST to Embed Anti-Discrimination Standards in LLM Benchmark Guidance
The Center for Democracy and Technology, alongside civil society signatories, has submitted formal comments to NIST urging the agency to incorporate civil rights principles—including disparate treatment and disparate impact testing—into its draft guidance on automated benchmark evaluations of language models. The intervention signals coordinated advocacy pressure to embed anti-discrimination frameworks at the standards layer, before NIST guidance is finalized. If adopted, such requirements would shape how AI developers design and document model evaluations across U.S. federal procurement and beyond.
08 Apr 2026 · 16:30 UTC · legislation · 🇨🇳 CN · high
CAC Draft Rules Mandate Consent and Labeling for AI Virtual Humans
The Cyberspace Administration of China (CAC) has published draft Measures for the Management of Digital Virtual Human Information Services, requiring explicit consent for likeness and biometric data use, mandating labeling, and prohibiting AI-generated personas from bypassing facial or voice authentication systems. The regulation builds on CAC's 2025 AI content labeling framework and introduces targeted protections for minors, including bans on simulated intimate relationships and exploitative services. Public consultation closes May 6th, after which the rules are expected to advance toward formal adoption.
08 Apr 2026 · 14:30 UTC · enforcement · 🌐 IS · medium
Iceland's Persónuvernd reprimands trade union for employee salary data processing
Iceland's data protection authority, Persónuvernd, has issued a formal reprimand to a trade union for processing an employee's salary information during collective bargaining procedures aimed at assessing workplace compliance with equal treatment law. The decision signals that a legitimate equal-pay enforcement objective does not itself confer lawful basis for processing personal salary data under applicable data protection rules. Organizations and unions conducting pay-gap or equal treatment analyses should review their legal basis and data minimization practices before processing individual compensation data.
08 Apr 2026 · 14:30 UTC · enforcement · 🌐 FI · medium
Finland DPA reprimands credit agency over GDPR access request failures
The Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) has issued a reprimand to a credit information agency for mishandling data subject access requests under GDPR. The controller improperly directed individuals to a self-service portal without further engagement and indicated it would impose fees on repeat access requests submitted within a 12-month period, both of which conflict with GDPR Article 12 obligations. The decision signals continued DPA scrutiny of fee-charging practices and passive compliance mechanisms that effectively obstruct the right of access.
08 Apr 2026 · 12:30 UTC · enforcement · 🇮🇹 IT · medium
Italy's Garante reprimands physiotherapy clinic for health data misdirection via email typo
Italy's Garante per la protezione dei dati personali has upheld a complaint against a physiotherapy clinic that transmitted a patient's clinical report to an unauthorized recipient due to a typographical error in the destination email address. The decision implicates Articles 5(1)(f), 9, and 32 GDPR, citing failures in both the confidentiality principle and technical security measures applicable to special category health data. The Garante issued a reprimand under Article 58(2)(b) GDPR, signaling continued supervisory focus on basic operational controls governing sensitive medical records.
08 Apr 2026 · 12:30 UTC · enforcement · 🌐 DK · medium
Datatilsynet permits municipality to use unlawfully obtained recordings in child welfare proceedings
Denmark's Datatilsynet has ruled that a municipality may rely on unlawfully obtained recordings as a lawful basis under Article 6(1)(e) GDPR in a child welfare case. The authority held that the fairness principle under Article 5(1) GDPR requires case-by-case balancing of competing rights per Recital 4, with the child's welfare carrying significant weight in that assessment. The decision signals that Danish supervisory practice will not apply a per se exclusionary rule to tainted data where overriding public-interest processing grounds are present.
08 Apr 2026 · 12:30 UTC · enforcement · 🌐 FI · medium
Finland DPA reprimands credit agency over improper GDPR access request handling
The Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) has issued a reprimand to a credit information agency under case TSV/3375/2023 for mishandling data subject access requests. The agency improperly directed individuals to a self-service portal (OmaData) without further controller action, and indicated that fees would be charged for repeat access requests within a 12-month period—a practice inconsistent with GDPR Article 12 obligations governing response procedures and the conditions under which fees may be applied. The decision signals continued supervisory scrutiny of automated or portal-based access fulfillment mechanisms and the fee-charging practices of credit and data broker entities in Finland.
08 Apr 2026 · 12:30 UTC · enforcement · 🇪🇸 ES · medium
Spain's AEPD fines energy supplier €30,000 for unverified customer connection data
Spain's data protection authority (AEPD) has imposed a €30,000 fine on an energy supplier under case EXP202306737, finding that the company failed to verify customer connection data before processing, resulting in an unauthorized energy supplier switch affecting the wrong individual. The enforcement action applies GDPR's lawful basis requirement, signaling that data accuracy and verification obligations extend to operational processes that trigger third-party personal data processing. Energy sector companies handling switching or onboarding workflows should review their data validation controls in light of this ruling.
08 Apr 2026 · 12:30 UTC · enforcement · 🇮🇹 IT · medium
Italy's Garante Issues Enforcement Decision Under GDPR Case 10233368
The Italian data protection authority, Garante per la protezione dei dati personali, has issued an enforcement decision recorded under case number 10233368, published via its official docweb registry. The decision represents a formal regulatory action under GDPR, though full case details including the subject entity, violation findings, and any sanctions imposed remain pending complete documentation. Compliance teams monitoring Italian DPA enforcement patterns should track the Garante's official source for the complete ruling.
08 Apr 2026 · 10:30 UTC · enforcement · 🇪🇸 ES · medium
Spain's AEPD finds GDPR data accuracy violation in misidentification case
Spain's data protection authority (AEPD) has ruled that a controller violated Article 5(1)(d) GDPR by relying on an incorrect identifier that resulted in the misidentification of a data subject. The AEPD reclassified the case mid-investigation, shifting from an initial Article 6(1)(a) lawful basis inquiry to a data accuracy principle breach, a notable procedural step that signals the authority's willingness to reframe enforcement theories as evidence develops. Organizations processing personal data with third-party or legacy identifiers should review accuracy validation mechanisms in light of this holding.
08 Apr 2026 · 10:30 UTC · enforcement · 🌐 FI · medium
Finland DPA rules against credit bureau's fee practice for repeat access requests
The Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) has issued an enforcement decision against a credit data controller that charged EUR 9.90 for data subject access requests submitted more than once within a 12-month period. The case, stemming from complaints received between May 2018 and June 2021, examines whether imposing fees on repeat access requests complies with GDPR Article 15, which generally requires controllers to provide access free of charge. Credit reference agencies and other data controllers applying similar fee structures for repeat requests should review this ruling's scope and any remediation orders issued.
08 Apr 2026 · 04:30 UTC · legislation · 🇦🇺 AU · medium
Australia seeks multilateral alignment on child social media restrictions, engages EU
Australia's ambassador to the EU has signaled that Canberra cannot effectively enforce its child social media ban without coordinated international support, according to statements reported by POLITICO. The position indicates Australia views unilateral age-restriction legislation as insufficient against globally operating platforms, and is actively seeking regulatory convergence with the EU and other jurisdictions. This outreach warrants attention as it may accelerate cross-jurisdictional alignment on child online protection frameworks, with the EU's existing Digital Services Act provisions serving as a potential reference model.
08 Apr 2026 · 00:30 UTC · analysis · 🇺🇸 US · low
Aspen Institute proposes aviation-style incident investigation framework for state AI governance
The Aspen Institute has released a policy framework recommending that U.S. states adopt structured investigation processes for AI incidents producing harmful or unintended outcomes, modeled on aviation accident review mechanisms. The framework signals growing interest in systematic post-incident accountability at the state level, filling a gap left by the absence of federal AI legislation. Compliance teams operating across multiple U.S. jurisdictions should monitor whether state legislatures or agencies move to adopt analogous reporting and investigation requirements.
07 Apr 2026 · 22:30 UTC · legislation · 🇰🇷 KR · medium
South Korea's FSS reports fraud accounts doubled in Q1 2026 amid AI-driven schemes
South Korea's Financial Supervisory Service has recorded over 7,000 fraud-linked accounts across nine major banks in Q1 2026, more than double the prior-year figure, with iM Bank, Hana Bank, and Woori Bank accounting for the largest share. The rise is attributed in part to generative AI and deepfake-enabled fraud, prompting legislative mandates requiring financial institutions to compensate voice phishing victims regardless of negligence, alongside a facial recognition pilot for mobile line activation running through June 30. Parallel data from BioCatch covering 36 Latin American institutions signals a broader regional pattern, with remote-access tool fraud up 409 percent and malware attacks up 225 percent, underscoring the scale of anti-fraud infrastructure gaps across emerging markets.
07 Apr 2026 · 20:30 UTC · legislation · 🇪🇺 EU · high
EU Parliament lets e-Privacy derogation lapse, ending legal basis for voluntary chat scanning
The European Parliament has declined to extend an interim derogation from e-Privacy rules that permitted service providers to voluntarily scan private communications, effectively removing the legal cover for such practices. The lapse follows EU member states' earlier withdrawal of the mandatory encrypted-message scanning proposal under the Chat Control framework, marking a notable shift against mass surveillance measures. Enforcement risk for major platforms—including Google, Meta, Microsoft, and Snap, which have signaled intent to continue voluntary scanning—now warrants close compliance monitoring, given the EU's historically inconsistent enforcement record against large technology companies.
07 Apr 2026 · 20:30 UTC · enforcement · 🇦🇺 AU · medium
Australia's eSafety Reports Mixed Compliance in First SMMA Enforcement Review
Australia's eSafety Commission has published its first compliance report under the Social Media Minimum Age obligation, enacted December 2025, documenting 4.7 million age-restricted account removals and 310,000 additional accounts blocked by March 2026. The report signals uneven platform performance, with active investigations open against Facebook, Instagram, Snapchat, TikTok, and YouTube for potential non-compliance, while noting that platform-led deactivation remains the primary enforcement mechanism. Early monitoring data indicates children have not migrated in significant numbers to unregulated platforms, a concern that had featured prominently in pre-enactment debate.
07 Apr 2026 · 18:30 UTC · legislation · 🇺🇸 US-ME · medium
Maine Legislature Passes Resolve to Study Classroom Technology Safeguards
The Maine Legislature has finally passed LD2052, a resolve directing a formal study of technology use in classrooms and associated safeguards, with the measure advancing under emergency designation requiring a two-thirds elected majority. The emergency passage threshold signals legislative urgency around student-facing technology governance, likely encompassing data privacy, AI tools, and screen-time considerations in K-12 settings. The study's findings are expected to inform future legislative action on educational technology standards and protections within the state.
07 Apr 2026 · 18:30 UTC · legislation · 🇺🇸 US-SC · medium
South Carolina Legislature Introduces Bill Regulating Chatbot Access for Minors
The South Carolina House has introduced H5476, titled 'Protecting Children from Chatbots,' which has been referred to the Committee on Judiciary. The bill signals growing state-level legislative attention to the risks conversational AI systems pose to minors, a pattern emerging across multiple U.S. jurisdictions. Advancement will depend on committee review, with no further procedural status currently confirmed.
07 Apr 2026 · 18:30 UTC · enforcement · 🌐 PK · medium
Pakistan's NADRA intensifies identity fraud enforcement amid internal corruption arrests
Pakistan's National Database and Registration Authority (NADRA) has moved to tighten identity oversight through coordinated law enforcement action, including the arrest of a NADRA employee in Karachi for allegedly issuing fraudulent identity documents to Afghan nationals under the Foreigners Act, 1946, and the Prevention of Corruption Act, 1947. The measures follow the government's Illegal Foreigners' Repatriation Plan and accompany broader systemic reforms, including cancellation of identity cards linked to deceased individuals, SIM card deactivation in coordination with the Pakistan Telecommunication Authority, and the launch of the Nishan Pakistan unified digital identity platform. Concurrently, NADRA has upgraded its Pak ID mobile application to enable biometric facial verification and streamlined visa applications for nationals of 193 countries, signaling a dual focus on integrity enforcement and digital modernization.
07 Apr 2026 · 18:30 UTC · legislation · 🇺🇸 US-MD · medium
Maryland SB564 Advances Attorney General Data Protection Authority Through Second Reading
Maryland's SB564, which expands the Office of the Attorney General's data protection mandate, has passed its second reading with amendments. The bill signals Maryland's intent to strengthen state-level enforcement infrastructure around consumer data privacy, building on the Maryland Online Data Privacy Act framework. Compliance teams operating in Maryland should monitor the amendment details and track the bill's progress toward final passage and potential enactment.
07 Apr 2026 · 14:30 UTC · enforcement · 🇮🇹 IT · medium
Italy's Garante Issues Enforcement Decision Under Case Number 10234984
The Italian data protection authority, Garante per la protezione dei dati personali, has issued a formal enforcement decision recorded under case number 10234984. The decision, published on the authority's official portal in Italian, represents a GDPR enforcement action within Italy's jurisdiction. Full substantive details of the decision, including the subject entity, violation basis, and any sanctions imposed, require review of the source documentation for complete compliance assessment.