Hello Friends,
The Minister of Electronics and Information Technology announced that the rules for the Digital Personal Data Protection Act, 2023 will be released within one month. The implementation of the data privacy law would be “digital by design” with respect to the processes followed by the Data Protection Board of India (DPBI).
India’s National Commission for Protection of Child Rights (NCPCR) is set to approach MeitY to recommend mandating a KYC-based system for verifying children’s age under the DPDPA.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance.”
Enjoy reading!
Privacy Enforcement
Danish Datatilsynet fined Municipality of Odsherred DKK 100,000 - DKK 200,000 for data security failures.
The Danish Data Protection Authority (Datatilsynet) announced a fine of DKK 100,000 - DKK 200,000 (approx. $14,892 - $29,514) on the Municipality of Odsherred following a breach of personal data security. An employee’s work laptop containing sensitive personal data, including social security numbers and information about children, had been stolen. The laptop had not been encrypted, which was a serious breach of the GDPR requirements for processing security.
Hanwha Hotels & Resorts was fined by South Korean PIPC.
Hanwha Hotels & Resorts received a fine of 180 million won and a penalty of 3 million won for exposing users' personal information due to a system development error. This incident occurred during the process of changing the online reservation procedure for an event that allowed online members to make lodging reservations using coupons. The error resulted in up to 1,818 cases of information from people other than the coupon users being viewed. The PIPC emphasized the severity of the negligence in system development and prior verification, leading to the significant fine and penalty.
Belgium DPA fines telecommunications company €100,000 for delay in responding to access request.
The Belgian DPA noted that it received a complaint from an individual who was a client of the company claiming that between January 2021 and February 2021, the company made unsolicited changes to the individual's subscriptions. Later, the individual submitted an access request under Article 15 of the GDPR to the company. The Belgian DPA found that the company did not facilitate the exercise of the individual's rights in accordance with Article 12(2) of the GDPR. In particular, the Belgian DPA determined that the company failed to appropriately process and reply to the individual's access request. The company only provided a response to the access request 14 months after it was submitted.
Data Breach
NOYB files two complaints against EU Parliament over massive data breach.
The European Parliament informed its staff of a massive data breach in the institution’s recruiting platform called “PEOPLE”, in May 2024. The breach affected the personal data of more than 8,000 staff. This included ID cards, passports, criminal record extracts, residence documents and even sensitive data such as marriage certificates that reveal a person’s sexual orientation. NOYB has now lodged two complaints with the European Data Protection Supervisor.
Toyota confirms data breach impacting customers.
Toyota confirmed that customer data was exposed in a third-party data breach after an attacker group claimed to have leaked an archive of 240GB of data stolen from Toyota’s systems on a hacking forum. The company added that it is engaged with those who are impacted and will provide assistance if needed.
Privacy in Spotlight
National Public Data confirms massive data breach.
National Public Data (NPD) suffered a massive data breach involving social security numbers and other personal data on millions of Americans. NPD said the breached data included names, email addresses, phone numbers, mailing addresses, as well as social security numbers. The company has declared that it is cooperating with investigators and has implemented additional security measures to prevent a recurrence of such a breach.
Dutch Authority fines Uber €290M for transfers of driver data to the US.
The Dutch Data Protection Authority found Uber to be transferring European drivers’ data, including location data, photos, ID documents and medical and criminal offence data, to its US servers without adequate safeguards. This was done in violation of the General Data Protection Regulation’s requirement of adequate safeguards for transferring data.
Regulations
Malaysia Cybersecurity Act, 2024 comes into effect.
The Prime Minister published an order determining that the Cybersecurity Act 2024 will come into effect on August 26, 2024. The Act received Royal Assent on June 18, 2024. The Act provides for the establishment of the National Cyber Security Committee and for the duties and powers of the Chief Executive of the National Cyber Security Agency. Entities classified as National Critical Information Infrastructure are subject to stringent risk assessment and audit regulations. These entities are required to conduct a comprehensive cybersecurity risk assessment at least once annually.
Moldova NCPDP announces publication of new data protection law.
The National Centre for the Protection of Personal Data (NCPDP) announced the publication of Law No. 195/2024 in the Official Gazette of the Republic of Moldova. The Act defines personal data rights, sets seven core data processing principles, and establishes a regulatory authority for compliance, including rules for data breaches and transfers. The Act safeguards the fundamental rights and freedoms of individuals, particularly concerning the processing of personal data.