
Hello Friends,
Industry stakeholders have voiced concerns during consultations on the Digital Personal Data Protection Rules, which the Centre aims to finalize by April. A key point of contention is a clause that would potentially restrict certain data from being transferred or stored outside India based on recommendations from a government-appointed committee. Major tech companies and industry bodies have flagged this data localization requirement, along with issues regarding verifiable parental consent. These organizations are advocating for a balanced regulatory approach that protects privacy without hindering innovation. The extensive consultation process, which concluded earlier this month, allowed stakeholders to express these reservations directly.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
South Korea: PIPC fines ClassU KRW 60.8M for data security violations.
The Personal Information Protection Commission (PIPC) fined ClassU Co., Ltd. KRW 60.8 million for violations of the Personal Information Protection Act (PIPA) after an investigation revealed that ClassU stored personal information without access restrictions or encryption. The PIPC found that ClassU allowed multiple unauthorized persons to access the database and store sensitive information on a publicly accessible developer platform. Consequently, ClassU was required to take corrective measures to enhance data security.
Croatia: AZOP fines company €12,000 for DPO appointment violations.
The Personal Data Protection Agency (AZOP) fined a company €12,000 for violating GDPR regulations by not publishing the DPO's contact details and appointing a DPO with conflicting tasks. The investigation was part of the EDPB's coordinated enforcement action on DPO appointments. AZOP emphasized the importance of easily accessible DPO contact information and proper qualifications for DPO appointments.
Data Breach
UK: ICO fines DPP Law Ltd £60,000 over data security failures following cyber attack.
The Information Commissioner's Office (ICO) fined DPP Law Ltd £60,000 for failing to implement appropriate data security measures following a cyber attack in June 2022. The attack, which used brute force to access an administrator account, resulted in the theft of 32GB of data and the posting of client information on the dark web. DPP Law reported the breach 43 days after the incident, violating the UK GDPR's requirement to notify within 72 hours. The ICO found that DPP Law's inadequate account management and delayed notification constituted violations of Articles 5(1)(f), 32(1), 32(2), and 33(1) of the UK GDPR.
US: Hackers steal 1.6 million patient records in major healthcare breach.
In October 2024, Laboratory Services Cooperative (LSC), a U.S.-based nonprofit lab testing provider serving reproductive health clinics, including Planned Parenthood, across 31 states, suffered a major data breach. Hackers gained unauthorized access to LSC's network, stealing sensitive personal, medical, and financial information of approximately 1.6 million individuals, including patients and employees. The compromised data included names, addresses, Social Security numbers, medical records, lab results, insurance details, and payment information. The breach affected individuals in multiple states, such as Alaska, Hawaii, Idaho, Indiana, Kentucky, Washington, and others. LSC discovered the breach the same day but notified affected individuals starting April 10, 2025, after a thorough data review. The nonprofit has since enhanced its cybersecurity measures and is offering free credit monitoring and identity protection services to those impacted.
Privacy in Spotlight
Google Hit with Lawsuit Over Data Collection on School Kids.
Google was hit with a privacy lawsuit alleging unauthorized data collection on K-12 school children through its "Workspace for Education" platform, used by nearly 70% of U.S. schools. The complaint, filed in the U.S. District Court for the Northern District of California, claims Google collects extensive personal data beyond traditional education records, including creating unique digital fingerprints via hidden tracking in its Chrome browser. This tracking allegedly persists even when cookies are disabled. Plaintiffs argue Google failed to obtain parental consent, relying instead on school personnel, who lack the authority to consent on behalf of parents. The suit accuses Google of using this data for commercial purposes and selling it to third parties. Google denies the allegations.
Privacy Concerns Over Amazon Alexa’s Voice Recording Storage.
Amazon announced last month that, starting March 28, 2025, all voice recordings from Alexa devices will be automatically uploaded and stored in Amazon's cloud, removing the previous option for users to keep recordings only on their devices. This change is intended to support new generative AI features integrated into Alexa+, which rely on cloud processing. However, it raises significant privacy concerns, as users no longer have the choice to opt out of cloud storage, potentially exposing sensitive voice data to prolonged retention and use in AI training. Although Amazon claims it prioritizes privacy and offers tools to delete recordings after processing, critics worry about the extent of data profiling and commercial use.
Regulations
New Zealand: Parliament introduces Customer and Product Data Bill.
The New Zealand Parliament introduced and passed the Customer and Product Data Bill, which became the Customer and Product Data Act upon receiving royal assent on March 28, 2025. This Act establishes a framework for access to and sharing of customer and product data between businesses, granting consumer data rights in designated sectors. It sets out obligations for data holders, including providing data to customers or accredited requestors and operating reliable electronic systems for data services. The Act also details enforcement powers, including fines for non-compliance, and specifies that data requests under the Act are not subject to the Privacy Act 2020's information privacy principle 6.
Austria: Administrative Court issues decision interpreting circumstances for refusing complaints under GDPR.
The Austrian Administrative Court issued a decision on April 9, 2025, interpreting the circumstances under which data protection authorities can refuse to process complaints as excessive under the GDPR. The case involved a complainant who had filed over 77 complaints in two years, leading the data protection authority to refuse processing based on resource constraints and a lack of fundamental need for protection. The Federal Administrative Court annulled this refusal, instructing the authority to continue proceedings. The Administrative Court emphasized that refusals must be reasoned, appropriate, necessary, and proportionate, considering all relevant circumstances.