
Hello Friends,
The Ministry of Electronics and Information Technology (MeitY) has reportedly extended the public feedback period on the draft rules for the Digital Personal Data Protection Act until March 2, 2025, following concerns raised by various stakeholders. Previously, February 18, 2025, was set as the last date.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organizational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
Spain AEPD fines Atrium Lex SFC €100,000 for lack of security measures.
The Spanish data protection authority (AEPD) fined ATRIUM LEX SFC, S.L. €100,000 for GDPR violations after a complaint from an investor who was asked for their national identification document (DNI) without being informed about the data processing. The AEPD deemed the DNI sensitive data and found ATRIUM's request legitimate, but criticized the lack of information provided to the complainant and the insecure method of sending the DNI via plain email. The fine was divided equally between infringements of Article 13 (information to be provided) and Article 32(1) (security of processing) of the GDPR.
Sweden: Administrative Court upholds IMY's SEK 13M fine on Bonnier News.
The Administrative Court in Sweden confirmed a SEK 13 million fine against Bonnier News AB for GDPR violations, as determined by the Swedish Authority for Privacy Protection (IMY). Bonnier News was found to have improperly collected and processed personal data from customers and web visitors for marketing purposes, creating profiles without proper consent. The Court ruled that the privacy interests of individuals outweighed Bonnier's business interests, thus requiring consent for such data processing.
Data Breach
Massive IoT Data Breach Exposes 2.7 Billion Records including Wi-Fi and IP addresses.
Some 2.7 billion records containing sensitive user data, including Wi-Fi network names, passwords, IP addresses, and device identifiers, were exposed in a massive IoT security breach linked to Mars Hydro, a China-based grow light manufacturer, and LG-LED SOLUTIONS LIMITED, a California-registered firm. The database, comprising 1.17 terabytes of unprotected data, contained 13 folders with over 100 million records each. Additionally, error logs revealed device operating system details, API tokens, and app versions.
New York NYDFS reaches $2M settlement with PayPal over data breach.
The New York State Department of Financial Services (NYDFS) settled with PayPal, Inc. for $2 million due to violations of its Cybersecurity Regulations after PayPal's investigation revealed a data breach where customers' social security numbers were exposed online. PayPal's platform had forms with unmasked consumer information, prompting corrective actions such as implementing CAPTCHA and updating policies. The NYDFS found PayPal failed to maintain proper policies and controls for access, identity management, and customer data protection, leading to the violation of multiple sections of the Cybersecurity Regulations.
Privacy in Spotlight
European Commission announced a programme including the withdrawal of ePrivacy Regulation.
On 11 February 2025, the European Commission announced a work programme withdrawing the proposal for a regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (ePrivacy Directive). The Commission highlighted that no agreement was expected from the co-legislators. It also specified that the proposal had become outdated in light of recent developments in both the technological and legislative landscapes. The proposal complemented the General Data Protection Regulation (GDPR) by detailing the cases in which providers of electronic communications can process, store, and erase data, metadata, and electronic communications content.
South Korean PIPC announced an investigation into DeepSeek's data processing.
The PIPC requested information from DeepSeek regarding the collection and processing of data, including personal information, throughout the development and provision of the service, as well as its compliance with the Personal Information Protection Act. The areas of focus include the entity responsible for processing personal information, the types of data collected, the purposes of collection, and how the data is used, stored, and shared. The PIPC is also reviewing documents and conducting technical analysis of data and traffic in collaboration with specialized institutions. Finally, the PIPC advised caution in the use of DeepSeek and specified that it is preparing policy materials to ensure the responsible use of generative AI.
Regulations
Vermont Consumer Data Privacy and Online Surveillance Bill introduced to House.
The Bill proposes to provide data privacy and online surveillance protections to Vermonters. It is a comprehensive law designed to protect consumers' personal data and provide them with greater control over how their information is collected, used, and shared online. The bill defines key terms like "personal data," "sensitive data," and "consumer" and establishes several important rights for Vermont residents, including the ability to confirm what data companies have collected about them, request corrections or deletions of their personal data, opt out of targeted advertising and data sales, and receive clear privacy notices.
Californian Bill on Deceptive Terms in Health Care and AI introduced to the Assembly.
This bill would make provisions of law that prohibit the use of specified terms, letters, or phrases to falsely indicate or imply possession of a license or certificate to practice a health care profession, as defined, enforceable against an entity that develops or deploys artificial intelligence technology that uses one or more of those terms, letters, or phrases in its advertising or functionality. The bill would prohibit the use by AI technology of certain terms, letters, or phrases that indicate or imply that the advice or care being provided through AI is being provided by a natural person with the appropriate health care license or certificate.