Hello Friends,
The DPDP Act assigns restrictions and obligations to organizations that process personal data, including the following. Organizations must obtain consent from individuals before processing their personal data unless an exemption applies. They must use personal data only for the purposes for which it was collected, and protect personal data from unauthorized access, use, disclosure, alteration, or destruction. Organizations must respond to individual requests for access, correction, deletion, and objection within a reasonable time. Organizations must report data breaches to the DPB within 72 hours of becoming aware of the breach.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
CNIL fines retail chain for alleged spam messages
France's data protection authority, the Commission nationale de l'informatique et des libertés, fined technology retail chain Hubside.Store 525,000 euros for allegedly using unsolicited phone calls and text messages to promote products sold in its stores. The CNIL claims the retailer purchased prospective customers' personal data from data brokers and did not obtain valid consent to target them with promotions.
Data Breach
Boat suffers data breach: Personal data of 7.5 mn users leaked on dark web
Homegrown electronics brand Boat on Monday acknowledged allegations of a data breach, stating that the company is currently conducting an investigation on the issue. The breach has reportedly exposed personally identifiable information (PII) of around 7.5 million users on the internet and could be accessible to any user willing to pay for the database.
Employee and applicant data affected in cyberattack
The personally identifiable information of more than 13,000 employees and applicants was breached in an August 2023 cyberattack on Hong Kong's Cyberport. Hong Kong's Office of the Privacy Commissioner said approximately 400 gigabytes of data were stolen due to the Cyberport's alleged lack of data protection safeguards.
Ransomware group requested $30M from Las Vegas casino during data breach
Ransomware group Star Fraud requested a USD 30 million ransom payment for stolen data during a cyberattack in September 2023 on MGM Resorts International. The cyberattack breached consumers' personally identifiable information and affected the casino's systems, leading to USD 100 million in lost revenue.
AT&T resets 7.6M customer passcodes after data leak
The New York Times reports AT&T reset the passcodes of 7.6 million customers after it found data was released on the dark web. The company also found that 65.4 million former account holders' data was affected in the incident and that Social Security numbers were included in some of the datasets. "AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier," AT&T stated.
Privacy in Spotlight
DuckDuckGo to release privacy tool; Proton acquires Standard Notes
DuckDuckGo will launch a privacy tool that can ask websites to delete consumers' personal data from people-search websites. Meanwhile, privacy firm Proton announced it acquired Standard Notes and will use the company's shared values to deepen its reach with an engaged community of pro-privacy users.
Regulations
MeitY establishes working groups for anonymization, IoT
India's Ministry of Electronics and Information Technology convened five working groups to develop guidelines for data anonymization standards, Internet of Things devices, mobile device security, and more. The forthcoming reports by each working group will be included in the updated India Digital System Architecture.
South Korea's PIPC releases compliance guide for overseas businesses
South Korea's Personal Information Protection Commission released a guide to help overseas businesses comply with the Personal Information Protection Act. The guide focuses on approved changes to the law in 2023 that businesses might have missed.
PCPD discusses protecting employees' personal data
Hong Kong's Office of the Privacy Commissioner for Personal Data advised on sharing information with human resources through messaging apps. Organizations should have policies that explain relevant legislative requirements, describe the data protection measures and procedures adopted by organizations, outline employees’ responsibilities in protecting personal data, and provide clear guidance on the secure usage of personal data.