Hello Friends,
Apart from exemptions to certain classes of data fiduciaries from immediately complying with the Digital Personal Data Protection Act, the government expects entities to comply with the law within a year, said Minister of State for Electronics and Information Technology Rajeev Chandrasekhar.
Enjoy reading!
Privacy Enforcement
CNIL issues 200K Euro Employee Privacy Fine
France's data protection authority, the Commission nationale de l'informatique et des libertés, fined multinational air freight provider SAF Logistics 200,000 euros for alleged EU General Data Protection Regulation violations related to employee data. The CNIL acted on a complaint the company carried out excessive data collection on employees' private lives.
Kenya's ODPC issues KES9.375M in Data Protection Fines
Kenya's Office of the Data Privacy Commissioner announced three penalties totaling KES9,375,000 for alleged violations of the Data Protection Act. Each penalty concerns claims of nonconsensual use of personal data. The largest fine was KES4,550,000 to Roma School for posting pictures of minors without parental consent
Data Breach
Ransomware Attack of Ohio College impacts nearly 290K People
Lakeland Community College in Ohio will notify nearly 290,000 people whose personal information may have been compromised in a March data breach. The college's health center partners with University Hospitals, which is a network of 21 hospitals in Ohio. In a recently filed breach notification, the college did not disclose any details related to the attack, but the ransomware group Vice Society posted stolen personally identifiable information from the college on its website.
Privacy in Spotlight
Chinese firmware campaign cited in Japan-US cybersecurity probe
Cybersecurity and law enforcement entities from Japan and the U.S. issued a joint advisory regarding router firmware threats by the Chinese-based hacker group BlackTech. The authorities alleged that BlackTech maintains capabilities in modifying router firmware without detection and exploiting routers' domain-trust relationships. The advisory also recommends implementing mitigation strategies that detect this activity and protect devices from the backdoors.
ID verification startup claims no personal data required
Identification verification startup ShareID is entering the market with the self-proclaimed ability to function without personal data storage. The company instead asks users for proof they are real humans through a live picture or video from their phone cameras. The picture or video is then used to create a unique ID before the information is deleted.
Regulations
MeitY hosted industry consultation on India's data protection law implementation
India's Ministry of Electronics and Information Technology held a consultation on 20 Sept. with industry stakeholders on the implementation of the Digital Personal Data Protection Act. Discussion on 21 draft regulations is expected while the meeting will also provide a firm timeline for implementation of DPDPA regulations and sectoral transition periods.
India DPDPA rules, Data Protection Board appointees imminent
India Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said the government will finalize Data Protection Board appointments and Digital Personal Data Protection Act rules within 30 days. Now in force, the bill will likely have a one-year grace period. However, Chandrasekhar said breaches occurring in the interim period will "get accumulated" and addressed by the DPB once its members are
Saudi Arabia enacts Personal Data Protection Law
Saudi Arabia's Personal Data Protection Law was enacted on 16 Sept. The law regulates the collection, processing, disclosure, and preservation of data, including a detailed framework of processing standards, the rights of data subjects, the obligations of relevant bodies when processing, as well as data sovereignty, and penalties in the event of violating the provisions of the law.