Hello Friends,
The Centre is likely to release the draft rules under the Digital Personal Data Protection Act (DPDPA), 2023 within the next two weeks. The compliance or transition period under the same will likely be between six and eight months only, with a penalty of up to Rs 250 crore for any data breach.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organizational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
Spanish supervisory authority fined Uniqlo Europe, Ltd. for violations of the GDPR.
The complainant, whose employment contract had been terminated, requested access to their payroll information. In responding to the request, the controller sent an e-mail to the complainant that included their payroll and that of 446 other workers. Uniqlo was held to have violated Article 5 of the GDPR by not ensuring confidentiality and integrity. It was also held to have violated Article 32 of the GDPR by failing to adopt appropriate technical and organisational measures. The Spanish supervisory authority, the AEPD, imposed a fine of 450,000 euros, which was later reduced to 270,000 euros.
Dutch DPA imposes a fine on Clearview for illegal data collection for facial recognition.
The Dutch DPA has imposed a 30.5 million euro fine on Clearview, along with orders subject to penalties for non-compliance. Clearview is an American company that offers facial recognition services. Among other things, Clearview has built an illegal database with more than 30 billion photos of faces, including those of Dutch people. The Dutch DPA warns that using the services of Clearview is also prohibited. Clearview has not objected to this decision and is therefore unable to appeal against the fine.
Major private company fined 7 million Baht by PDPC for data breach.
Thailand's Ministry of Digital Economy and Society (MDES) announced a 7 million THB (approx. $204,665) fine on a company for violations of the Personal Data Protection Act 2019 (PDPA). The company was penalized for failing to appoint a Data Protection Officer (DPO), lacking proper security measures, and mishandling a data breach notification. These failures led to a significant data leak, allowing a call center gang to misuse personal data. The company was ordered to implement corrective actions, including staff training and enhancing security measures.
Data Breach
1.7 million users impacted by SLIM CD data breach.
The payment gateway platform SLIM CD suffered a massive data breach between August 2023 and June 2024, compromising sensitive personal and credit card information, including names, addresses, credit card numbers, and card expiration dates. It is said to have affected over 1.7 million customers, leaving them vulnerable to identity theft and financial fraud. SLIM CD has urged customers to take steps to protect themselves, such as freezing their credit reports, changing passwords, and watching out for phishing attempts. The company also promised to provide free credit monitoring services to help mitigate the risks associated with the breach.
Fortinet confirms data breach after hacker claims to steal 440GB of files.
Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to have stolen 440GB of files from the company’s Microsoft SharePoint server. The company has said that the incident affected less than 0.3% of its customer base. The company has begun an investigation, contained the incident by terminating the unauthorized individual’s access, and notified law enforcement. It has also published a notice on its website.
Privacy in Spotlight
Irish Court drops privacy case after X agrees to never use EU users' tweets to train AI.
Social media company X changed its privacy settings in July, so EU users had to opt out of having AI use their public posts to train Grok, Elon Musk’s new AI model. The Irish Data Protection Commission (DPC) filed an emergency request to the Irish High Court about the changes because it believed privacy rights were being violated. The DPC said this week that court proceedings against X have ended, as the company agreed to permanently suspend the collection of EU users' personal data to train its artificial intelligence (AI).
Google introduces streamlined data privacy for advertisers with confidential matching.
Google has introduced confidential matching, a new way to securely connect first-party data for its measurement and audience solutions in its ad products. It adds data security and transparency by isolating business information during processing so that no one can access the data being processed. In the coming months, the technology company plans to expand the use of confidential matching across more of its advertising solutions.
Regulations
California: Bill on publicly available data passes legislature
Assembly Bill 1008 (California Consumer Privacy Act of 2018: Personal Information) has passed the California legislature and is awaiting the Governor’s consent. The bill provides for exclusions to the definition of personal information and specifies that it does not include publicly available information or lawfully obtained, truthful information that is of public concern. The term 'publicly available' does not include biometric information collected by a business without the consumer's knowledge.
Australia: Privacy and Other Legislation Amendment Bill 2024 read for the first time.
The Privacy and Other Legislation Amendment Bill was introduced in the House of Representatives. The Bill proposes amendments to the Privacy Act, 1988, strengthening the enforcement powers of the Office of the Australian Information Commissioner (OAIC). It also introduces provisions related to children’s online privacy, automated decision making and data breaches. The Bill introduces a statutory tort for serious invasions of privacy. However, it also provides for certain exemptions under the tort, such as for journalism, intelligence agencies and enforcement bodies.