
Hello Friends,

On October 14, 2024, MEITY held a meeting with representatives from the National Informatics Centre, industry, civil society, and legal experts. During the meeting, MEITY urged organizations, including both industry and public bodies, to begin adapting their systems and building capacities in line with the new law, without waiting for the Rules to be formally notified. Officials emphasized that the Rules will not supersede the provisions of the Act, and there will be no surprises in them. Therefore, it is advisable for organizations to proactively align their systems with the Act's requirements to avoid delays and ensure compliance once the Rules are introduced.

By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.

"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organizational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."

Enjoy reading!


Privacy Enforcement

ICO fines two companies a total of £150,000 for direct marketing violations.

The Information Commissioner’s Office (ICO) has fined two Manchester-based financial and debt management companies a total of £150,000 for sending over 7.5 million spam text messages to people. Both Quick Tax Claims Limited, a company focusing on PPI tax refunds, and National Debt Advice Limited, a debt counselling advice service, first came to the attention of the ICO in May 2023 when several complaints were sent.


CNIL fined COSMOSPACE €250,000 for excessive sensitive personal data retention.

The CNIL fined COSMOSPACE for excessive personal data retention, collection of sensitive data without valid consent, and systematic recording of telephone calls. COSMOSPACE systematically recorded all telephone calls made between clairvoyants, customers, and switchboard operators. The company considered that such recordings were justified to monitor service quality for training purposes and to safeguard human life. The restricted committee concluded that these purposes did not justify recording all calls completely and systematically. COSMOSPACE also retained its customers' data for six years from the end of the commercial relationship in order to send commercial prospecting communications.


AEPD fines Energya VM Energy Management for unlawful processing of personal data.

The Spanish data protection authority (AEPD) fined Energya VM Energy Management €5 million for GDPR violations after an investigation revealed that Nivalco, a company contracted by Energya VM, used deceptive practices to process personal data. The AEPD's investigation began following police reports of alleged crimes by energy supply companies. Energya VM failed to conduct a risk analysis and ensure GDPR compliance in data processing by Nivalco. Consequently, Energya VM must now conduct a risk analysis, apply GDPR-compliant technical and organizational measures, and ensure that sales pitches comply with the GDPR.


Data Breach

FTC announces settlement with Marriott and Starwood Over Multiple Data Breaches

The Federal Trade Commission requires Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a robust information security program to settle charges that the companies' failure to implement reasonable data security led to three large data breaches from 2014 to 2020, impacting more than 344 million customers worldwide. Marriott and Starwood also agreed to provide all their U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number.


Tully's Coffee announces unauthorized access to personal and credit card information

Tully's Coffee Japan Ltd. disclosed a security breach that occurred on May 20, 2024, resulting in the leak of 92,685 personal data records and 52,958 credit card details from its online store users. The breach, caused by an exploited vulnerability, affected users registered or making card payments between October 1, 2020, and May 23, 2024. Tully's Coffee has since reported the incident to the Personal Information Protection Commission and is cooperating with the Tokyo Metropolitan Police Department, while also committing to enhance its security and monitoring systems.   


KVKK reports a data breach at Kilis 7 Aralık Üniversitesi affecting 2,747 individuals.

The KVKK highlighted that Kilis 7 Aralık Üniversitesi had notified it of the data breach. The source of the violation and how it occurred have not yet been determined, but data confidentiality was affected as a result of unauthorized access. The breach affects 2,747 people, including students, customers, and potential customers. The personal data affected includes the TR ID number, name, surname, address, and telephone number held in the Horizontal Transfer Table, Sports Registration Table, Artificial Turf Reservation Table, and Formation Tables.


Privacy in Spotlight

New York and California Attorneys General file lawsuits against TikTok.

The New York Attorney General and California Attorney General co-led a bipartisan coalition of 14 attorneys general in filing lawsuits against the social media platform TikTok for misleading the public about the safety of its platform and harming young people's mental health. The lawsuits also allege that TikTok violates the Children's Online Privacy Protection Act (COPPA), a federal law designed to protect children's data on the internet, by actively collecting and monetizing data on users under 13 years old without parental consent. While TikTok claims to allow only users over the age of 13 to access all of its features, TikTok's deficient policies and practices have knowingly permitted children under the age of 13 to create and maintain accounts on the platform.


LinkedIn suspends collecting Hong Kong users’ data for GenAI.

Professional networking platform LinkedIn has suspended collecting Hong Kong users' data for its generative artificial intelligence (AI) model after the city's privacy watchdog raised concerns about the practice by the Microsoft-owned site. LinkedIn's latest privacy policy update allows its generative AI models to be trained on users' data and content by default. The Hong Kong PCPD said that LinkedIn had responded to its inquiries over the default opt-in setting for Hong Kong users' data.


Regulations

EDPB opens consultation on guidelines for processing of personal data based on legitimate interest.

The European Data Protection Board (EDPB) released guidelines concerning the processing of personal data under Article 6(1)(f) of the GDPR and has opened them for public comment until November 20, 2024. These guidelines clarify the conditions and methodology for processing personal data based on legitimate interests, emphasizing that it should not be a 'last resort' or unduly extended. They outline three steps: identifying a legitimate interest, proving the necessity of processing, and conducting a balancing exercise between the controller's interests and the data subject's rights and freedoms.


EU Council adopts Cyber Resilience Act on security requirements for digital products.

The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components. The new law introduces EU-wide cybersecurity requirements for the design, development, production and making available on the market of hardware and software products, to avoid overlapping requirements stemming from different pieces of legislation in EU member states. The regulation will apply to all products that are connected either directly or indirectly to another device or to a network. Finally, the new law will allow consumers to take cybersecurity into account when selecting and using products that contain digital elements, making it easier for them to identify hardware and software products with the proper cybersecurity features.
