
Hello Friends,
The Ministry of Electronics and Information Technology (MeitY) is ready with the much-awaited rules under the Digital Personal Data Protection (DPDP) Act after multiple re-drafts over the past several months. A source indicated that the rules would be "published" by the end of this month. However, notification of the DPDP rules could spill over into 2025, as a consultation process will be required after the rules are published.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to identify organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will put you on the path towards compliance.
Enjoy reading!
Privacy Enforcement
South Korea: PIPC fines two universities after personal information leaks
The Personal Information Protection Commission (PIPC) fined Soonchunhyang University KRW 193 million and Kyungsung University KRW 42.8 million for personal information leaks resulting from cybersecurity breaches. Soonchunhyang University's main homepage was hacked, leading to the leak of over 500 individuals' personal information, while Kyungsung University's integrated information system was similarly compromised, affecting 2,000 students. Both universities had failed to install critical security patches available since October 2017 and did not have adequate security measures, such as Web Application Firewalls, in place. The PIPC ordered corrective measures including the installation of intrusion prevention and detection systems, application of security patches, and encryption of personal data.
UODO fines company and its processors PLN 363,411 for GDPR violations.
The Polish Data Protection Authority (UODO) fined a company PLN 353,589 and its data processors PLN 9,822 for GDPR violations following a ransomware attack that compromised customer and employee data. The UODO's investigation found that an employee's disabling of antivirus software led to the breach, and that the company's subsequent actions, including a defective breach notification and an inadequate response to the UODO's comments, were non-compliant. The company and its processors had failed to implement and verify appropriate technical and organisational measures for data security, violating several GDPR articles. The UODO ordered the company to bring its processing operations into compliance with the GDPR.
Data Breach
57 Million Retail Customers Exposed In Massive Data Breach.
The site Have I Been Pwned reports that a data breach has exposed the personal information of 56,904,909 accounts belonging to customers of Hot Topic, Torrid, and Box Lunch. Linked to a hacker known as "Satanic," the breach impacted approximately 54 million email addresses and lightly encrypted credit card information for 25 million users.
Massive data breach exposed 800,000 insurance customers' personal information.
In a report to the Maine attorney general's office, Landmark revealed that it had spotted unusual activity in its systems, prompting it to disconnect the affected systems and block remote access to its network. Landmark brought in a specialised third-party cybersecurity team to help secure its systems and run a thorough investigation into the extent of the breach. While that investigation was under way, the hackers managed to break back into Landmark's systems on June 17, 2024. The cybersecurity team's findings showed that data was both encrypted and stolen from Landmark's systems. According to the investigation, the hackers may have gained unauthorised access to the personal details of impacted individuals, which could include full name, address, Social Security number, tax ID, driver's licence or state-issued ID number, passport number, bank details, medical information, health insurance policy number, date of birth and details about life and annuity policies.
Privacy in Spotlight
South Korean PIPC fines Meta $15.6 million for sharing user data with advertisers.
Meta was allegedly found to have shared Facebook users' sensitive information with advertisers without their consent. The country's Personal Information Protection Commission (PIPC) said the social media giant compiled "advertising topics" based on individual users' Facebook activity and profiles, and offered them to advertisers. About 4,000 advertisers used the data, according to the agency. Because the compiled data included topics deemed sensitive by the PIPC, such as religious affiliation, same-sex marital status and whether a user is a North Korean defector, Meta's conduct allegedly violated the country's Personal Information Protection Act (PIPA), according to a Korean government press release.
Amazon Confirms Employee Data Was Exposed Through MOVEit Breach.
Amazon has confirmed that employee data was compromised through a third-party property management vendor. The breach, revealed by a threat actor known as "Nam3L3ss," shows the continuing ripple effects of one of last year's most devastating supply chain attacks. The exposed Amazon dataset includes employee work contact information, email addresses, desk phone numbers, and building locations. Amazon has confirmed that customers are not affected: the data involved in the incident with the third-party vendor included only Amazon employee contact details.
Indian CCI fines Meta Rs. 213 crore over WhatsApp's 2021 privacy policy update.
The Competition Commission of India (CCI) imposed a fine of Rs 213 crore on Meta Platforms and ordered WhatsApp to implement specific remedies within a defined timeline, including a five-year ban on sharing user data with other Meta companies for advertising purposes. WhatsApp's 2021 policy update, offered on a 'take-it-or-leave-it' basis, compelled all users to accept expanded data collection terms and the sharing of data within the Meta group without any opt-out. WhatsApp is now required to provide all users in India, including those who accepted the 2021 update, with an opt-out option through in-app notifications. Meta is reported to be appealing the CCI's decision.
Regulations
Botswana's Data Protection Act published in the Official Gazette.
The Data Protection Act 2024 in Botswana extends the Act's scope to cover both automated and non-automated processing of personal data, with exceptions for personal or household activities. It applies to data controllers outside Botswana if their activities involve Botswana, and binds the State with certain exceptions. The Act introduces rules for sensitive data processing, additional conditions for lawful processing, rights such as data portability and restrictions on automated decision-making, mandates DPIAs, sets requirements for DPOs, and increases fines to BWP 50 million or 4% of annual turnover.
Chile Constitutional Court approves Data Protection Act.
Chile's Constitutional Court approved the Data Protection Act, setting consent-based data processing standards. The Act provides data protection principles, rights of data subjects, obligations for entities processing personal data and data breach notification requirements, and establishes a Data Protection Agency. It now awaits publication by Decree of the President.