
Hello Friends,

Regulated entities under the Reserve Bank of India’s (RBI) regulatory sandbox (RS) framework must comply with the provisions of the Digital Personal Data Protection (DPDP) Act. Additionally, the central bank said that under the updated sandbox framework, entities should have appropriate technical and organizational measures to ensure effective compliance with the provisions of the Act and rules made thereunder.

By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.

"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."

Enjoy reading!

 

Privacy Enforcement

Railway Company to Pay $75M to Resolve Biometrics Lawsuit

BNSF Railway agreed to pay USD75 million to settle a class-action lawsuit claiming its use of biometrics violated the Illinois Biometric Information Privacy Act. The lawsuit claimed the company collected fingerprints at automated gate systems. BNSF did not admit liability.


BEUC members file complaints over Meta's 'pay or OK' model

Eight members of the European Consumer Organisation filed complaints with their national data protection authorities objecting to Meta's so-called "pay or OK" model. The complaints will be consolidated by each data protection authority and referred to Ireland's Data Protection Commission. The complaints generally argue the "pay or OK" model does not adhere to the EU General Data Protection Regulation's principles on fair processing, data minimization, and purpose limitation.


Data Breach

Saskatchewan school district told to monitor dark web following data breach

The Office of the Saskatchewan Information and Privacy Commissioner is requesting a local school district to monitor the dark web for possibly leaked personally identifiable information of staff and current and former students. The South East Cornerstone Public School Division estimated upward of 20,000 people were impacted following a breach of three of its IT systems on 8 Feb., according to a report from the provincial data protection authority.


Privacy in Spotlight

Consumer Reports finds privacy risks with video doorbells

An investigation by Consumer Reports found alleged privacy issues with video doorbells that could expose users' IP addresses, allow access to video footage, and leave the devices open to being hacked by bad actors. The advocacy group is asking the U.S. Federal Trade Commission to stop the sale of video doorbells sold by online retailers such as Amazon, Sears, Shein, Temu, and Walmart.


Research explores India's Aadhaar privacy safeguards

ABV-Indian Institute of Information Technology and Management assistant professor Debanjan Sadhya and Safeguard Global Sourcing Specialist Tanya Sahu explored privacy and security aspects of India's Aadhaar framework. The research examined the biometric data collected for Aadhaar identification and determined the work provided efficient authentication services in India's public delivery systems.


Meta to collect anonymized data from virtual reality users

Meta will start collecting anonymized data from Quest virtual reality users, including data on users' body and eye movements. The move raised privacy concerns due to the lack of an opt-out option, potentially cornering users into accepting these terms to continue using their Quest headsets.


Regulations

Singapore's PDPC issues use guidelines for AI-powered automated decision-making

Singapore's Personal Data Protection Commission issued guidelines for the use of personal data in artificial intelligence-powered automated decision systems. The guidance provides clarity for the use of personal data to train and develop AI systems, information to be provided to consumers for obtaining lawful consent, information for third-party developers employing AI models, and best practices for complying with the Personal Data Protection Act.


Garante begins consultation on email retention rules

Italy's data protection authority, the Garante, announced a 30-day comment window for public input on the retention period for employee emails. It has deferred recent guidance on the metadata storage timeline of emails after receiving several requests for clarification.


India to introduce draft law regulating AI

India's Minister of State for Skill Development and Entrepreneurship and Electronics and Information Technology Rajeev Chandrasekhar said the country is working on a draft regulation for artificial intelligence. Chandrasekhar said the draft law is anticipated to be released in early summer and will be designed to promote economic growth, mitigate risks and harms, and improve India's global competitiveness.


NIST offers resources for HIPAA Security Rule compliance

The U.S. National Institute of Standards and Technology released a resource guide on how to comply with the Health Insurance Portability and Accountability Act Security Rule. The guide includes a list of publications on the topic and a map of the rule's standards and implementation specifics.
