CyberEyeQ Daily Briefing — Privacy

Tuesday, 12 May 2026 · ~3 min read

Today's Focus: Privacy & Personal Data Protection

Today's Top Story

Ireland: PTSB fined €277,500 — third Article 33 fine of 2026

The Irish Data Protection Commission published its final decision against Permanent TSB on 8 May 2026, closing an inquiry into breaches first reported in May 2022. Attackers used customer information to impersonate accountholders via PTSB's Open24 Contact Centre and change account details, in some cases causing financial loss. The DPC found infringements of Articles 5(1)(f), 32(1) and 33(1) and split the fine into €250,000 for security failings plus €27,500 specifically for late breach notification. This is the DPC's third Article 33 timing fine of 2026 — a clear signal that the 72-hour clock is being enforced as a standalone obligation.

Also Today

🇺🇸 FTC v. Kochava — non-consensual sale of sensitive location data banned (4 May 2026). The FTC's proposed stipulated order bans Idaho data broker Kochava from selling precise location tied to medical facilities, places of worship, schools and childcare, shelters, addiction-recovery centres, or military and federal-law-enforcement sites without affirmative express consent. Kochava must build a sensitive-location list, run upstream supplier assessments, report downstream contract breaches, and let consumers see who bought their data and withdraw consent. The FTC's biggest data-broker action of 2026 — and a template for future orders. Action: push a Kochava-style sensitive-location attestation into your location-data DPAs now. (Source: FTC press release)

🇪🇺 EDPB CEF 2026 Transparency Action — 25 EU/EEA DPAs in fact-finding mode. Launched 19 March 2026, the Coordinated Enforcement Framework targets Article 12–14 obligations. National authorities are sending questionnaires that may convert into formal investigations. Action: verify your Article 12–14 notices reflect actual data flows, not last year's privacy policy. (Source: EDPB CEF announcement)

🇺🇸 California DROP — data brokers ~81 days from go-live. The CPPA's Delete Request and Opt-Out Platform went live 1 January 2026, and registered data brokers are reportedly scheduled to begin processing DROP requests on a 45-day cycle from 1 August 2026. Recent CPPA and California AG opt-out enforcement (Disney, PlayOn Sports — reported at $2.75M and $1.10M respectively) underlines the exposure. Action: confirm broker registration status now; if you register, lock in DROP integration before mid-July. (Source: CPPA announcements)

Deadline Alert (≤14 Days)

No privacy deadlines fall inside the next 14 days. Next critical date: 25 June 2026 — EDPB Guidelines 1/2026 on scientific research close for public consultation. Research, biobank, and AI-training teams should file comments before then. (Source: EDPB Guidelines)

One Thing to Do Today

Run a 30-minute self-audit of your Article 33 breach-notification workflow. PTSB was fined €27,500 for the timing failure alone, on top of the fine for its security failings. Confirm: (1) who starts the 72-hour clock the moment detection fires, (2) the template you send your lead DPA, (3) the escalation path if your DPA office is in a different timezone. If any answer takes longer than the audit, fix it before close of business.

Tomorrow's Focus

AI governance — Wednesday's brief picks up the latest on the EU AI Act timeline, US state AI laws, and global regulator posture on foundation models and AI training data.

CyberEyeQ — Actionable Regulatory Intelligence
