
Hello Friends,
India’s Ministry of Electronics & IT (MeitY) has released detailed guidelines outlining the ideal Consent Management System (CMS) under the DPDP Act 2023. The rules require explicit, purpose-specific user consent, clear withdrawal mechanisms, and standardized records to be maintained by entities processing personal data. CMS providers, intermediaries, and Data Protection Officers must register and comply with fiduciary duties, transparency, data minimization, and secure handling of consent metadata. The framework also mandates oversight, audit trails, breach notifications, and defines roles for significant data fiduciaries and grievance redressal processes.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
“Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance.”
Enjoy reading!
Privacy Enforcement
South Korea: PIPC fines Telus International AI KRW 89.2 million for data breach notification delay
The Personal Information Protection Commission (PIPC) fined TELUS International AI KRW 89.2 million for delaying data breach notifications, violating the Personal Information Protection Act (PIPA). The investigation revealed that TELUS failed to address security vulnerabilities, affecting the personal information of 13,622 data subjects and 680,000 individuals globally. TELUS notified the PIPC and users of the breach more than 72 hours after becoming aware of it, without a justifiable reason for the delay, breaching Articles 29 and 34 of PIPA.
Ireland: DPC fines City of Dublin Education and Training Board €125,000 following a data breach
The Irish Data Protection Commissioner fined the City of Dublin Education and Training Board €125,000 for GDPR violations following a data breach inquiry. The breach involved personal data of approximately 13,000 student grant applicants, including sensitive information, due to malware on CDETB's web server. The DPC found that CDETB failed to implement adequate security measures, to notify the breach in a timely manner, and to communicate with affected data subjects. Consequently, the DPC reprimanded CDETB and ordered compliance with GDPR security requirements.
Data Breach
Montana: AG launches investigation into Lee Enterprises following cyberattack
The Montana Attorney General launched an investigation into Lee Enterprises after a cyberattack compromised personal information of nearly 40,000 individuals. The investigation, under Montana's Consumer Protection Act, seeks to determine the type of data collected by Lee Enterprises, its purpose, and the notification process to customers about the breach. A Civil Investigative Demand was issued, requiring Lee Enterprises to respond within a month.
Romania: ANSPDCP fines Vodafone Romania RON 20,225 for a data breach
The National Supervisory Authority for Personal Data Processing (ANSPDCP) fined Vodafone Romania RON 20,225 for GDPR violations due to a data breach involving unauthorized disclosure and access to personal data. The investigation revealed Vodafone Romania's failure to implement adequate technical and organizational measures to protect data, violating GDPR Articles 25(1) and 25(2). Consequently, ANSPDCP mandated Vodafone Romania to enhance security measures through periodic testing and evaluation to prevent future breaches.
Privacy in Spotlight
Utah: Attorney General sues Snapchat for use of AI on minors
The Utah Attorney General, along with the Governor and Department of Commerce, filed a lawsuit against Snap, Inc. for using addictive design features on Snapchat to exploit minors, violating the Utah Consumer Privacy Act. The lawsuit claims Snap misled parents about safety, used dark patterns to gather data from children via the MyAI chatbot, and failed to disclose OpenAI's involvement in data processing. Additionally, Snap's MyAI collected geolocation data despite privacy settings and lacked proper testing, providing harmful advice to minors.
Berlin: Berlin Commissioner rules DeepSeek's data transfers unlawful
The Berlin Commissioner ruled that Hangzhou DeepSeek Artificial Intelligence Co., Ltd.'s data transfers violated the GDPR due to inadequate data protection for German users. Despite offering services in Germany, DeepSeek lacks an EU regional office and failed to ensure equivalent data protection standards in China. Consequently, the Berlin Commissioner requested DeepSeek to remove its apps from German app stores or comply with legal data transfer requirements. Upon non-compliance, the Commissioner reported the issue to Apple and Google under the Digital Services Act, prompting them to consider blocking DeepSeek's apps.
Regulations
Virginia: Act restricting sharing of reproductive health data enters into effect
Senate Bill 754 amends the Virginia Consumer Protection Act to prohibit obtaining, disclosing, selling, or disseminating personally identifiable reproductive or sexual health information without consumer consent, effective July 1, 2025. The Act defines reproductive or sexual health information broadly, including data related to health conditions, services, and purchases, as well as inferred or algorithmic data. This legislation aims to protect consumer privacy concerning reproductive health data.
Vietnam: National Assembly passes Personal Data Protection Law
The National Assembly of Vietnam passed the Personal Data Protection Law (PDPL) on June 26, 2025, effective January 1, 2026, ensuring legal consistency and international compatibility. The PDPL provides exemptions for small businesses and start-ups regarding impact assessments and data protection personnel for five years, while prohibiting seven specific acts related to personal data misuse. It allows personal data transfers under certain conditions, such as consent and organizational restructuring, and imposes penalties for violations, including fines up to 10 times the amount obtained from illegal data sales and up to 5% of the previous year's revenue for cross-border transfer violations.