Hello Friends,
India is coming up with a new version of the PDP Bill and the Digital India Act.
“What we are looking at is making the online world more accountable for what is being published there”, Vaishnaw said.
This news and more, in this fortnight's Data Privacy Insights: curated privacy news from across the globe.
Enjoy reading!
Privacy Enforcement
CARU finds Children’s game app maker violated COPPA, Advertising, and Privacy Guidelines
The Children’s Advertising Review Unit (CARU) found that the owner of a children’s mobile application game violated the U.S. Children’s Online Privacy Protection Act (COPPA). The company, Tilting Point Media, also violated CARU’s self-regulatory Guidelines for Advertising and for Children’s Online Privacy Protection. As per COPPA and CARU guidelines, companies cannot collect the personal information of users under age 13. However, CARU reviewers were able to use the app posing as a 10-year-old and could consent to receive “personalized” advertising. Upon receiving CARU’s notice, Tilting Point “proactively” addressed the concerns raised.
CNIL issues a Fine of 250K Euro over Data Security, Retention Violations
France’s data protection authority, the Commission Nationale de l'informatique et des libertés (CNIL), fined Infogreffe, a legal service provider, 250,000 euros for violating the EU General Data Protection Regulation. An investigation found alleged violations of data retention requirements under Article 5(1)(e) of the GDPR and data security obligations under Article 32. The CNIL found that 25% of Infogreffe users had their personal data held by the website beyond the stated 36-month period and that the website did not provide a secure password mechanism due to its limited size.
Ireland’s DPA Issues Fines to Instagram for Violating Children’s Privacy
The Irish data protection authority issued a 405 million euro fine to Instagram for children's privacy violations under the EU General Data Protection Regulation. The fine, which is the second-largest GDPR penalty ever handed down, covers alleged violations stemming from Instagram's default account settings for children ages 13-17, which exposed email addresses and phone numbers associated with child-operated accounts. The investigation into the allegations began in October 2020, and the preliminary decision by the DPC was subject to a dispute resolution procedure under Article 65 of the GDPR.
Data Breach
U-Haul International suffers Data Breach that exposed Customer Driver’s Licenses
U-Haul International, a moving and storage company, revealed a data breach after a customer contract search tool was hacked, potentially exposing customers’ names and driver's license or state identification numbers. In a draft letter to consumers, the company said the breach did not affect credit card information.
Samsung suffers Data Breach affecting US Customers
Samsung Electronics recorded a data breach that targeted its U.S. customers. The breach compromised some customers’ personally identifiable information, including name, contact details, demographic details, date of birth, and product registration data, but it did not include their Social Security numbers or credit card information.
Chinese Tech Company records Database Leak, Reportedly affecting 800M Records
A database from Chinese technology company Xinai Electronics, containing data on facial images and license plates, experienced a “massive” data breach. The database contained more than 800 million records. The breach was attributed to “likely” human error. The breach is believed to be the second largest in China, behind only the breach of a Shanghai police database in June.
Privacy in Spotlight
US House Members chide Meta for Sharing User Data with Police
Four top Democratic lawmakers on the U.S. House Committee on Energy and Commerce sent a letter to Meta CEO Mark Zuckerberg that inquired about the company releasing "sensitive" private user data to be used in state criminal investigations. The letter, signed by Committee Chairman Rep. Frank Pallone Jr., D-N.J., along with Reps. Anna Eshoo, D-Calif., Diana DeGette, D-Colo., and Jan Schakowsky, D-Ill., pressed Meta on reports it supplied user communications about receiving an abortion to law enforcement.
Regulations
India’s PDP Bill in ‘Progress’ and Digital India Act ‘in the Works’
The Indian Minister of Railways, Communications and Electronics and Information Technology, Ashwini Vaishnaw, said a new version of the PDP Bill and the proposed amendment to the IT Act 2000, known as the Digital India Act, are forthcoming. He added that the government was looking at a ‘complete overhaul’ of cyber laws in the country and would very soon be coming up with a telecom bill.
Indonesia advances Personal Data Protection Bill to the Ratification Process
The Indonesian House of Representatives announced an agreement between the House Commission on Defense, Foreign and Information Affairs, and the Ministry of Communication and Information to elevate the Personal Data Protection Bill to a plenary meeting for immediate ratification into law. "The PDP Bill raises public awareness and ensures recognition and respect for the importance of protecting personal data," Minister of Communication and Information Johnny Plate said. Lawmakers and the ministry recently reached an agreement on the creation of the Indonesian data protection authority.