Hello Friends,
The proposed new DPDP Bill of India could allow global data flows by default to all jurisdictions other than a specified negative list of countries where such transfers would be restricted.
Enjoy reading!
Privacy Enforcement
SEC fines Data Management Platform $3M over Incident Notification
The U.S. Securities and Exchange Commission fined data management platform Blackbaud USD3 million for improper disclosures to individuals affected by a 2020 ransomware attack. Blackbaud told customers the incident did not compromise bank account information and Social Security numbers when, according to the SEC, security and communications personnel knew the information was accessed. Without due notice, senior management left the full disclosure out of its quarterly report and characterized a breach of personal data as hypothetical.
Finnish DPA fines Consumer Credit Company over Customer Payment Data Handling
Finnish consumer credit company Suomen Asiakastieto was fined 440,000 euros by Finland’s Office of the Data Protection Ombudsman. The company claimed the fine was related to a misunderstanding, in which the DPA interpreted the company setting default payments for certain customers as an unwillingness to pay their balances. Suomen Asiakastieto has not yet decided to appeal the fine.
Turkey’s KVKK fines TikTok TL1.75M for insufficient Data Protections
Turkey’s data protection authority, the Kişisel Verileri Koruma Kurumu, fined TikTok 1.75 million lira for insufficiently protecting users from unlawful data processing. The KVKK said the fine resulted from TikTok not taking all necessary measures to ensure the appropriate level of security to prevent the unlawful processing of personal data. It also said the platform should update the texts of its privacy and cookies policies to meet the country’s regulations.
Privacy in Spotlight
WhatsApp to increase EU Privacy Notice Transparency
The European Commission announced Meta's WhatsApp agreed to improve user transparency for its EU terms of service and privacy notice. The commitments are in response to two requests in 2022 from the Commission's Consumer Protection Cooperation Network for the messaging app to clearly outline its personal data practices in disclosures to users. WhatsApp will be clear about its updates moving forward and make it easier for users to reject updates when they disagree with them while explaining service termination based on those rejections.
Regulations
India to propose Open Transfer Regime in Draft Data Protection Bill
India's government plans to amend draft provisions on data transfers in the proposed Digital Personal Data Protection Bill. The data transfer language under Clause 17 of the bill will reportedly be reworked to allow for data to flow freely across borders. A senior government official labeled the framework as an allowed-by-default model. The official added, "If the government does not want data to be transferred to a particular region, it will mention that region in its blacklist."
China to establish single Data Regulator
The National People’s Congress of China is expected to approve the creation of a data authority during March's annual session. The current regulatory structure on data violations is shared across multiple agencies. More specifically, the new regulator will enforce data collection, sharing, and transfer rules under the Personal Information Protection Law while also monitoring data security standards and the use of algorithms.
Czech DPA issues guide for Cookie Disclosure
The Czech Republic’s data protection authority, the Úřad pro ochranu osobních údajů, published guidance on cookie disclosures for web operators. The guide states web operators must disclose if their website uses non-technical cookies that collect visitors’ personal data. However, the use of technical cookies does not necessitate introducing a cookie bar on those websites as long as there is visible documentation explaining what types of data they collect.
NZ OPC considering Biometrics Regulation
New Zealand Privacy Commissioner Michael Webster discussed the costs of privacy breaches, data minimization, biometrics regulation, and more. Webster said he encourages businesses to rethink the data they collect with an eye toward data minimization and noted the Office of the Privacy Commissioner is exploring regulatory options for biometrics to make it clear to agencies and organizations that they need to follow a very specific set of rules and guidance when they are considering collecting that sort of information.