Hello Friends,
The DPDPA has given data principals the right to grievance redressal in the event of any non-performance of obligations by the data fiduciary or consent manager. This redressal mechanism should be made readily available by a data fiduciary or a consent manager. The data fiduciary or consent manager is required to respond to any grievance within the prescribed period from the date of its receipt. Data principals are required to exhaust this grievance redressal mechanism before approaching the Board.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
Kenya ODPC orders Ceres Tech to pay KES 2.6M for processing data without consent.
The ODPC stated that three complaints were lodged in 2023 against Ceres Tech after the complainants received unsolicited promotional messages and calls aimed at having them take a loan with Ceres Tech. Following the three complaints, Ceres Tech was ordered to pay KES 2.6 million (approx. $20,252) as compensation for violating the Data Protection Act of 2019 (the Act).
Spain AEPD fines CUI ZSQ Food €70,000 for violation of the GDPR.
The complainant, an employee of CUI ZSQ, alleged that an official shared video footage of the complainant in a company group chat, allegedly showing that the complainant was absent from their workplace for a prolonged time. Following an investigation, the AEPD found that the dissemination of the video in the group chat lacked any legal basis and that the confidentiality of the personal data of the complainant, as well as of the employees visible in the video, was violated. Subsequently, the AEPD determined that CUI ZSQ had breached the integrity and confidentiality of the data it processed.
Sweden fines Avanza Bank SEK 15M for unlawful transfer of personal data to Meta.
The Swedish Authority for Privacy Protection (IMY) found that Avanza used Meta Pixel without implementing proper technical and organizational measures, leading to unauthorized transfer of personal data, including personal IDs and financial information, to Meta (Facebook). The incident affected between 500,001 and 1 million individuals. IMY found that Avanza failed to follow its procedures and detect these unauthorized data transfers promptly. Avanza Bank was fined 15 million SEK (approx. $1.4 million) for violating GDPR.
Data Breach
Manila NPC reports data breach affecting 11M Jollibee customers and others.
The National Privacy Commission (NPC) reported that it had been notified by fast food giant Jollibee Foods Corp. (JFC) of a data breach affecting some 11 million customers. Information including dates of birth and senior citizen identification card numbers was compromised during a security incident. The company is addressing the incident and has deployed enhanced security measures. The company has also launched its own investigation into the matter to understand the scope of the incident and is currently collaborating with the relevant authorities and experts in that investigation.
UK National Health Services confirms patient data stolen in ransomware attack.
NHS England has confirmed that its patient data managed by pathology testing organisation Synnovis was stolen in a ransomware attack. More than 3,000 hospital and GP appointments were disrupted by the attack. A sample of the stolen data seen by the BBC includes patient names, dates of birth, NHS numbers and descriptions of blood tests. Synnovis, a collaboration between the hospitals and the German company Synlab, will conduct a thorough investigation to determine the extent of the data breach and its impact on patients.
Privacy in Spotlight
Switzerland designated as a “qualifying state” by US Attorney General
The US Attorney General designated Switzerland as a qualifying state for the purposes of the redress mechanism. The two-level redress mechanism now allows Swiss individuals to file complaints. The designation is to become effective on the date of entry into Annex 1 to the Swiss Data Protection Ordinance, listing the United States for data transferred in reliance on the Swiss-U.S. Data Privacy Framework.
Meta pauses plan to train AI with user data.
Several data protection authorities announced that Meta had agreed to pause and review plans to use Facebook and Instagram user data, namely public content shared by adults, to train its large language models (LLMs). This comes after None of Your Business (NOYB) filed complaints with various data protection authorities across Europe, alleging violation of the GDPR. The Irish Data Protection Commission (DPC) issued a statement welcoming this decision by Meta.
Regulations
EU AI Act signed by Presidents of the Parliament and Council
On June 13, 2024, the President of the European Parliament and the President of the Council of the European Union signed the Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (the AI Act). The AI Act will enter into force 20 days after its publication in the EU Official Journal and will apply two years after it enters into force, with some specific exceptions.
Texas DIR opened portal for public comments on the Data Privacy and Security Act.
The Texas Department of Information Resources (DIR) has launched a public portal inviting public feedback regarding the Texas Data Privacy and Security Act, which becomes effective on July 1. The Act is meant to regulate the collection, use, processing, and treatment of consumer data. It will apply to many consumer-facing companies doing business with Texas residents. The DIR invited both consumers and businesses to share their comments in the portal, which is open to receive comments through September 30, 2024.