Hello Friends,
One of the key provisions of the DPDP Act, Section 9, mandates that data fiduciaries, including platforms, browsers, and OS providers, obtain ‘verifiable parental consent’ when processing data of users aged below 18 years.
Enjoy reading!
Data Breach
Norway's DPA issues NOK20M data security fine
Norway's data protection authority, Datatilsynet, announced a NOK20 million fine issued to the Norwegian Labour and Welfare Administration. An investigation found the agency's system measures are not satisfactory to ensure compliance with the privacy regulations, and that the safeguarding of confidentiality in the IT systems is also not satisfactory. The NAV will have an opportunity to comment on the allegations and potentially have the proposed fine reduced.
Ransomware attack compromises Canadian government employee data
Ransomware group LockBit claimed responsibility for a data breach that stole 1.5 terabytes of data from Canadian government employees. The Treasury Board of Canada Secretariat said it is working to identify specific employees affected; however, any employee who used two specific government contractors since 1999 could have had their data compromised. Data potentially affected included personal information and financial data.
Privacy in Spotlight
Accenture swaps passwords for PIN, biometric logins
Consulting firm Accenture removed passwords for employees, instead opting for PIN and biometric-based logins. Accenture started password-free logins in 2020 with the aim of limiting cybersecurity vulnerabilities. The shift has led more than 600,000 employees to abandon passwords.
Airlines considering selling consumer data for targeted ads
United Airlines may use consumer data to serve targeted ads on its mobile app or planes' entertainment systems. Passenger information such as flight history or United MileagePlus rewards could be used to target ads; however, consumers will have the option to opt out of data tracking.
Regulations
New South Wales' updated breach notification framework takes effect
Enforcement of New South Wales' Mandatory Notification of Data Breach Scheme began on 28 Nov. Brought on by amendments to the Privacy and Personal Information Protection Act, the notification scheme requires that breaches of personal or health information likely to result in serious harm be reported to the privacy commissioner's office. Covered entities are also obligated to generate and manage a data breach incident register and a publicly accessible data breach policy.
Advocates study India's approach to child privacy in DPDPA
The Quantum Hub and Young Leaders for Active Citizenship released a paper examining the children's privacy and parental consent landscape under India's Digital Personal Data Protection Act. The paper cites the need for a way to record and verify a user's age accurately and recommends the government come up with different tiers of age verification to help companies comply with the law.
South Korea's PIPC announces PIPA amendments
South Korea's Personal Information Protection Committee said several proposed changes to the Personal Information Protection Act will be released between 23 Nov. and 2 Jan. 2024. They include establishing data rights for people subjected to automated decisions, outlining the role of data protection officers, and establishing procedures to evaluate protections for personal information used in the public sector.
CNIL publishes social work data retention framework
France's data protection authority, the Commission Nationale de l'informatique et des libertés, devised a framework for data retention periods in general and health-related social work fields. The CNIL offered a repository for identification and determination of relevant storage periods while also publishing practical recommendations for the daily management of retention periods.