Hello Friends,
Lowering the age for consent under the proposed Indian Data Protection Law was one of the biggest demands of Internet companies like Facebook and Google, as that has a significant impact on their business operations in the country.
Enjoy reading!
Privacy Enforcement
Illinois Federal Judge overturns $228M damages award in first BIPA Case
U.S. District Court Judge Matthew Kennelly in Illinois vacated USD 228 million in damages awarded in the first-ever Biometrics Information Privacy Act case. Rail workers alleged that BNSF Railway collected their biometric information without informed consent. The judge upheld the verdict that the company violated the BIPA but said damages were discretionary under the law and ordered a new trial so a jury could determine the appropriate fine
South Africa IR fines the Department of Justice for PIPA Violations
South Africa's Information Regulator issued a ZAR5 million fine to the Department of Justice and Constitutional Development for failing to comply with an enforcement notice issued by the agency after allegedly circumventing elements of the Protection of Personal Information Act. The DoJ&CD had until 9 June to provide the IR with documentation that licenses for Trend Anti-Virus, SIEM, and the Intrusion Detection System were renewed.
Data Breach
Breach of Multinational Health Care Provider impacts 11M People
Multinational healthcare provider HCA Healthcare announced it sustained a data breach affecting more than 11 million patients in the U.K. and U.S. Per the HCA breach notice, an unauthorized party obtained a list of information pertaining to patients and made it available on an online forum. The list of more than 27 million lines of data reportedly contained information used in emails to patients and appointment reminders. HCA officials said the data contains personally identifiable information but does not feature clinical or payment data.
Wellington Law Firm says Client, Firm Data potentially exposed in ‘Cyber Incident’
Mahony Horner Lawyers in Wellington warned a cyber incident may have exposed firm and client data, including client driver's licenses and passports from within the last three years. The firm said the data would most likely be used for attempted financial fraud. At present we remain of the understanding that the information has not been used — however we now believe there is a real risk that it could ultimately be leaked, it said.
Client Data exposed in Employement Training Agency Breach
Prince Edward Island's employment training agency SkillsPEI said the data of 5,600 clients may have been exposed in a breach. The agency said personally identifiable information was exposed via an email sent to a recipient outside the government network. P.E.I. Department of Workforce, Advanced Learning, and Population Executive Director of Workforce Mary Hunter said the breach was identified on 13 June and risk to client information was contained within the first 48 hours.
Regulations
EU-US Adequacy Decision Finalized
The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding it ensures U.S. protection of personal data transferred between the countries is comparable to that offered in the EU. But even as its finalization was announced Monday, the new framework is poised to face a legal challenge. An FAQ published by the European Commission covers details of the framework, including criteria to assess adequacy, limitations, and safeguards to data access by U.S. intelligence agencies, the framework's new redress mechanism and how individuals can use it, and more.
India’s Draft DPDP Bill would lower Consent Authorization to age 14
The Indian government could be empowered to lower age restrictions regarding authorizing consent online to 14, according to a draft version of the proposed Digital Personal Data Protection Bill. However, under the draft provision, a company seeking consent from a user to process their data would be required to "demonstrate that it uses the information in a 'verifiably safe' manner.
China finalizes Generative AI Rules
New rules finalized by the Cyberspace Administration of China governing generative artificial intelligence will take effect on 15 August. The regulation will apply to generative AI technology that is available to the general public and require providers to conduct security assessments to ensure the security of user information
AEPD issues new Cookie Guidance
The AEPD updated its guide on the use of cookies to reflect the latest directives issued by the European Data Protection Board. The guidance addresses the use of deceptive patterns by various advertising technology companies.