Hello Friends,
The Central Government is authorized by Section 16(1) of the DPDP Act to notify the nations to which the transmission of personal data would be forbidden. Section 16(2) of the Act gives precedence to current legislation with stronger data protection safeguards when transferring data overseas in order to prevent any possible conflicts with regulations already in place. That is, it applies if another law provides more robust safeguards. This guarantees a solid foundation for data security.
Furthermore, the Act covers entities outside the nation due to its extraterritorial application.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
Norway's DPA fines public entity NOK20M
Norway's data protection authority, Datatilsynet, fined the Norwegian Labor and Welfare Office NOK20 million for large-scale processing of personal data without proper safeguards and access controls. Datatilsynet opened its investigation in September 2023 and found "a number of breaches of the law."
Iceland's DPA issues ISK1.5M employee monitoring fine
Iceland's data protection authority, Persónuvernd, issued an ISK1.5 million fine to Stjörnuna ehf, the operator of Iceland's Subway restaurants. Persónuvernd found the company did not comply with the law on personal protection and processing of personal information following an investigation of an employee complaint alleging nonconsensual employer monitoring through surveillance cameras.
Data Breach
French unemployment agency data breach affects 43M
France's unemployment agency, France Travail, experienced a cyberattack that breached the data of 43 million people. The agency said citizens' personally identifiable information, including job candidate profiles, was compromised during the cyberattack.
Oklahoma health care company agrees to $1.45M data breach settlement
Oklahoma City-based Avem Health Partners agreed to a USD1.45 million lawsuit settlement after it experienced a cyberattack that breached the health data of 271,303 people. The lawsuit claimed patients' health information was "negligently maintained and had appropriate cybersecurity measures have been implemented, the breach could have been prevented."
Privacy in Spotlight
Facebook used interceptor to monitor Snapchat activity
Meta's Facebook allegedly used an interception and decryption program to obtain analytics on Snapchat user activity. The use of the Onavo program allowed Facebook to intercept user information before it became encrypted. Details of the action were made public in a class-action lawsuit unfolding in California federal courts.
Regulations
Florida passes bill to ban social media users under 14
Florida passed a law to ban minors under 14 from social media even if the users have parental consent. NetChoice Vice President and General Counsel Carl Szabo, CIPP/US, said the law violates citizens' freedom of speech. "There are better ways to keep Floridians, their families, and their data safe and secure online without violating their freedoms," Szabo said.
CNIL publishes personal data security guide
France's data protection authority, the Commission nationale de l'informatique et des libertés, published a 2024 personal data security guide. It is focused particularly on artificial intelligence, mobile apps, cloud computing and application programming interfaces as well as how personal information related to those areas should be processed.
Denmark's DPA rules against unlawful cookie wall practice
Denmark's data protection authority, Datatilsynet, ordered newspaper Berlingske to bring its use of cookie walls into compliance with the EU General Data Protection Regulation. An investigation found the company blocked content if a user did not allow data collection. Datatilsynet said the practice does not meet valid consent requirements under the GDPR.