
Hello Friends,

India’s new Data Protection Bill is likely to be presented in the Budget Session. The bill may drop the concept of a centralized Data Protection Authority (DPA).

A proposal for a grievance redressal mechanism is being considered. “The government wants the bill to be as uncomplicated as possible,” the official said.

This news and more in this fortnight's Data Privacy Insights: curated privacy news from across the globe.

Enjoy reading!

Privacy Enforcement

OCR issues a Fine of $300,640 over HIPAA Privacy Rule Violations

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) fined New England Dermatology and Laser Center (NEDLC) $300,640 for violating the Health Insurance Portability and Accountability Act Privacy Rule. The health center was found to have improperly disposed of protected health information when it threw out specimen containers with labels carrying patient names, birthdates, dates of sample collection, and the name of the provider who took the specimen. In addition to the fine, OCR served NEDLC a corrective action plan that includes two years of agency monitoring.


CNIL imposes €600,000 Fine on Accor over Various Direct Marketing Violations

France’s data protection authority, the Commission Nationale de l'informatique et des libertés (CNIL), has imposed a €600,000 fine on the hotel company Accor, or one of the brands within its group, over challenges individuals encountered while exercising their data subject rights. Individuals making a reservation directly with Accor are automatically added to a list of recipients of a newsletter containing commercial offers, due to a pre-ticked box consenting to the same.


Data Breach

Block, Mobile Payment App Parent Company sued in Data Breach Lawsuit

Technology company Block is facing a class-action lawsuit over its response to a data breach affecting 8.2 million users. Block waited four months to notify customers of a breach of its mobile payment application, Cash App. In December, Block discovered a former employee downloaded user information and was able to access customer names, brokerage account numbers, and trading activity. The complaint accuses Block of violating the Illinois Consumer Fraud Act and the Texas Deceptive Trade Practices Act, as well as the California Customer Records Act.


Privacy in Spotlight

Whistleblower Disclosures allege Twitter Cybersecurity Issues

Peiter Zatko, Twitter's former head of security, filed whistleblower complaints with the U.S. Congress alleging that Twitter operates under lax and insufficient cybersecurity practices. Zatko's disclosures claim that the platform has issues with broad access, without oversight, to user data, the platform's central controls, and its most sensitive information, and that its data deletion practices are inconsistent.


Regulations

India’s Next Data Protection Bill could be Presented to Parliament by Early 2023

The Indian Minister of Railways, Communications, and Electronics and Information Technology, Ashwini Vaishnaw, indicated that a fresh data protection bill will be published for public comments soon and hopefully be tabled during the Indian Parliament's Budget Session in January 2023. Vaishnaw said the bill will reflect modern thinking around data protection, adding that "it should not be like we are trying to create a paper system for a digital world." The upcoming draft may include reported structural changes, such as excluding provisions for a data protection authority. An official familiar with Parliament's negotiations said many proposed DPA functions "were out of its remit" and dropping the DPA would help "to not overwhelm one authority and increase compliance costs for small companies." The new bill may add a consumer redress mechanism instead of a regulator.


CERT-In issued the Direction on the Stringent Cybersecurity Norms and Reporting Requirements

The Indian Computer Emergency Response Team ('CERT-In') issued a direction relating to 'Information security practices, procedures, prevention, response, and reporting of cyber incidents for safe & trusted internet' ('the Direction') to impose stringent requirements for cybersecurity reporting and introduce broader compliance requirements. Subsequently, CERT-In released frequently asked questions ('the FAQs') to clarify certain aspects of the Direction. Reporting of incidents under the Direction applies to both Indian and foreign entities that have computer infrastructure (i.e., a 'computer', 'computer system', or 'computer network') located in India. The timeline for compliance with the Direction was extended to 25 September 2022 for certain specific entities, including 'Micro, Small and Medium Enterprises' ('MSMEs').


Scotland set to Pass World’s First Biometric Data Code of Practice

Scotland is close to passing the world’s first statutory Code of Practice for use of biometric data. The regulation would govern police and the criminal justice system’s “acquisition, retention, use, and destruction of biometric data.” Scotland’s Criminal Justice Committee has signed off on the regulation, which could be brought into effect in or around mid-November if national ministers do not object to any of its provisions in their meeting on Sept. 7.


Proposed LGPD Amendment could Limit National Security Data Processing

The Chamber of Deputies of Brazil announced consideration of an amendment to the General Data Protection Law (LGPD) that would limit most processing activities involving national security data. The proposed bill is described as seeking to prohibit "the processing of data related to national security and defense by private companies, except in processes commanded by a legal entity governed by public law." Potential updates to provisions for access to information, data transfers, and the penalty scheme concerning national security data will all be considered under the bill.


Vietnam Decree Details Data Localization, Crime Data Collection Requirements

Vietnam's government issued Decree No. 53/2022/ND-CP outlining provisions of the Cybersecurity Law. The decree covers requirements for data localization and law enforcement data collection related to criminal investigations. Localization provisions include types of data to be localized, company compliance thresholds, and data retention periods. The decree becomes effective October 1.
