Hello Friends,
India’s Data Protection Bill is to be tabled during the budget session in February 2023.
“Security is an important pillar in Digital India itself. Data is important and it is equally important who is handling the data. Trust is important to need open, safe, secure and trusted internet which will help the digital economy to reach $1 trillion mark,” says Sanjay Bahl, director-general, CERT-In.
This news and more, in this fortnight’s Data Privacy Insights: curated privacy news from across the globe.
Enjoy reading!
Privacy Enforcement
ICO fines Interserve 4.4 Million GBP for Violating Employee Privacy
The U.K. Information Commissioner's Office fined construction company Interserve Group 4.4 million GBP over alleged employee data protection issues. The ICO found insufficient security measures that left 113,000 Interserve employees exposed to a phishing scheme that affected contact information, national insurance numbers, and bank account information. Information Commissioner John Edwards said, “a lack of security measures is never acceptable and onlookers can expect a similar fine if a business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings.”
Zoetop agrees to pay $1.9 M in Penalties following Data Breach
Zoetop, owner of online fashion retailers SHEIN and ROMWE, will pay $1.9 million in penalties to the state of New York following a 2018 data breach that impacted more than 800,000 New Yorkers. Under the agreement, Zoetop will also strengthen cybersecurity measures, including hashing customer passwords and implementing network monitoring and incident response policies with timely investigations, consumer notice and password resets. The agreement “should send a clear warning” for companies to strengthen digital security measures and consumer transparency.
Data Breach
DHSS Files accessed in Data Breach
Yukon’s Health and Social Services Minister Tracy-Anne McPhee said a recent data breach, in which a USB drive containing confidential Department of Health and Social Services (DHSS) case files was obtained from a pawn shop, has been contained. The files contained information from the office’s family and children’s services branch and approximately 30 to 60 people were affected. McPhee said, “Ensuring that Yukoners’ personal information is protected and secure is of the utmost importance and we are taking this situation very seriously.”
Privacy in Spotlight
Disconnect launches ‘Do Not Track Kids’ App
U.S.-based security firm Disconnect released its “Do Not Track Kids” tool, which provides children's privacy education while simultaneously blocking online tracking of minors. The application can be installed on a device to immediately block the trackers from third-party apps and those sent to email inboxes while also blocking cryptocurrency miners. The app also encrypts and filters Domain Name System (DNS) traffic to shield it from telecommunications and internet service provider tracking. Disconnect CEO Casey Oppenheim said tracking aims to “influence your behavior” and “that’s really sinister” in the context of kids.
Marketers can target Uber Riders through Travel History and Destination
Through Uber’s newly rolled out mobility media division, advertisements will be available across the application to help marketers target riders based on their recent travel history and geographic destination. “Journey ads” will also enable single brands to sponsor a rider’s entire trip, showing different ads while the user is waiting for the car, traveling, and upon reaching their destination. An Uber spokeswoman said aggregated data, not users’ individual data, is shared with advertisers and users can opt out of ad targeting at any time.
Regulations
Indian Government indicates Budget Session tabling for Data Protection Bill
National Cyber Security Coordinator of India Rajesh Pant said the revised Data Protection Bill will be tabled in the Indian Parliament during the budget session starting February 2023. Pant called the draft bill “very critical” and said Parliament will consider the proposal “early next year” following a public consultation. Sanjay Bahl, Director-General of the Ministry of Electronics and Information Technology's Indian Computer Emergency Response Team, added that legislating on data protection “is important” while “it is equally important who is handling the data.”
ICO issues Guidance on Direct Marketing using Electronic Mail
The U.K. Information Commissioner’s Office released guidance on direct marketing using electronic mail. It details what is needed to comply with the Privacy and Electronic Communications Regulations 2003, including what electronic mail marketing is and how to comply with rules on direct marketing. It also discusses the relationship between the PECR and data protection regulations, what those rules mean for electronic mail marketing, as well as what happens in the event of non-compliance.
ICO issues Employment Guidance Consultation
The ICO also released employment guidance consultations. The guidance is aimed at learning how employers use and protect the health information of their employees. The consultations are part of a process to replace the existing employment code with U.K. General Data Protection Regulation “guidance.” The consultation period ends on 26 Jan. 2023. The ICO previously released a draft guidance on monitoring employees at work. The consultation period for that guidance ends on 11 Jan. 2023.
Ontario IPC releases Guide on Protecting against Ransomware
The Information and Privacy Commissioner of Ontario published a guide on protecting against ransomware, calling it a “top threat facing Ontario organizations.” The Canadian Centre for Cybersecurity reported 235 ransomware attacks affecting Canadian organizations in 2021, a number believed to be much higher due to underreporting. The guide discusses the impacts of ransomware attacks, obligations to safeguard against ransomware, the stages of an attack, ways to mitigate threats and protect organizations, and responding to cybersecurity incidents.