
Hello Friends,
The Information Technology Industry Council (ITI), representing global tech giants like Apple, Google, Amazon, Meta, and OpenAI, has urged the Indian Government to delay the implementation of the Digital Personal Data Protection (DPDP) Rules, 2025, raising concerns over the stringent rules regarding processing children's data, including age verification and parental consent, government access to data, data breach reporting timelines, etc. It is likely that the push for delay is to safeguard their operational flexibility and save compliance costs.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
Poland: UODO fines Poczta Polska and Minister of Digitalisation for GDPR violations.
The Polish data protection authority (UODO) fined Poczta Polska SA and the Minister of Digitalisation for GDPR violations, with penalties of PLN 27.1 million and PLN 100,000, respectively. The violations stemmed from the unlawful transfer and processing of personal data from the PESEL database for an attempt to organise the presidential election by post during the Covid-19 pandemic, without the necessary legal framework. The UODO's decision was based on findings that both parties processed personal data without a legal basis, breaching the lawfulness principle of the GDPR.
Greece: HDPA fines National Bank of Greece €220,000 for GDPR failures.
The Hellenic Data Protection Authority (HDPA) fined the National Bank of Greece €220,000 for GDPR violations, specifically for not responding promptly to data access requests as per Articles 15, 12, and 25. The decision, based on complaints from 2022 to 2023 about delayed responses to electronic fraud incidents, highlighted the bank's failure to inform data subjects of delays and provide information on data recipients. The HDPA's findings indicated systemic issues with the bank's internal procedures, resulting in the fine and an order to improve data request handling.
California: CPPA fines Honda $632,000 for CCPA violations.
The California Privacy Protection Agency fined American Honda Motor Co., Inc. $632,000 for CCPA violations, including requiring excessive personal information from consumers to exercise privacy rights, denying requests by imposing verification, and sharing data with ad tech companies without proper contracts. The CPPA's investigation, which began on July 31, 2023, found that Honda's practices from July 1, 2023, to September 23, 2023, did not comply with CCPA regulations. Honda is now required to implement corrective measures, such as simplifying opt-out requests, allowing authorised agents to submit requests without direct consumer confirmation, and improving user experience and contract management.
Data Breach
Spain: AEPD fines FSEOM €70,000 for data security failures.
The Spanish data protection authority (AEPD) fined FUNDACIÓN DE LA SOCIEDAD ESPAÑOLA DE ONCOLOGIA MÉDICA (FSEOM) €70,000 for a GDPR violation after a data breach involving patient data, which was reduced to €42,000 due to voluntary payment and acknowledgement of responsibility by FSEOM. The breach compromised patients' contact and health information, and the AEPD's investigation concluded that FSEOM failed to implement sufficient security measures as required by Article 5(1)(f) of the GDPR.
Denmark: Digitaliseringsstyrelsen reports OiSTER to police for data breach.
The Danish Agency for Digital Government (Digitaliseringsstyrelsen) reported OiSTER to the police for a data breach that occurred between June 17 and June 26, 2024, where 246,748 customers' personal data was exposed on 118.dk due to inadequate security measures during a system update. Digitaliseringsstyrelsen recommended a fine of DKK 750,000 for the violation of personal data security rules and the Telecommunications Act.
Privacy in Spotlight
Norway: NOYB files a complaint against OpenAI over an alleged violation of the data accuracy principle.
None of Your Business (NOYB) filed a complaint with Norway's Datatilsynet against OpenAI for allegedly violating the GDPR's data accuracy principle. The complaint arose after ChatGPT generated a false criminal story about a Norwegian user, potentially harming their private life. NOYB's complaint requests that OpenAI delete the inaccurate output, adjust its AI to ensure accuracy, and that Datatilsynet limit the processing of the individual's data and impose a fine on OpenAI.
Switzerland: FDPIC concludes preliminary investigation into Grok AI.
The Swiss Federal Data Protection and Information Commissioner (FDPIC) completed a preliminary investigation into Twitter International Unlimited Company's AI system, Grok, after concerns arose about the processing of X (formerly Twitter) users' data for training the AI. Twitter complied with the FDPIC's request for transparency and provided an opt-out option for users since July 16, 2024. The FDPIC found Twitter to be in compliance with the Federal Act on Data Protection 2020 (FADP) and emphasised the shared responsibility of Twitter and X users in managing personal data usage.
EU: Commission publishes draft extension of UK adequacy decision.
The European Commission has published a draft technical extension for the UK's adequacy decision under the GDPR and LED, which would extend the current adequacy period by six months beyond its expiration on June 27, 2025, to December 27, 2025. This extension is to allow the Commission to assess the impact of proposed amendments in the UK's Data (Use and Access) Bill to the UK GDPR and Data Protection Act 2018. Both Implementing Decisions 2021/1773 (GDPR) and 2021/1772 (LED) originally provided a four-year period of adequacy for the UK, ensuring an adequate level of protection for personal data transferred from the EU.
Regulations
EU: EDPB outlines cooperation procedure for controller and processor BCRs approval.
The European Data Protection Board (EDPB) released a document on March 19, 2025, detailing the cooperation procedure for the approval of Binding Corporate Rules (BCRs) for controllers and processors. The document, adopted on March 13, 2025, includes criteria for identifying the BCR lead supervisory authority based on factors like the location of the group's European headquarters and the company with delegated data protection responsibilities. The approval process involves several phases, including a BCR lead review, co-review, cooperation, BCR session, and an EDPB opinion phase, culminating in the BCR lead's final decision. The approved BCR must be translated into the languages of all supervisory authorities involved in the transfers.
South Korea: Bill amending PIPA passes National Assembly.
The South Korean National Assembly passed an amendment to the Personal Information Protection Act (PIPA) on March 13, 2025, following approval by the National Assembly Political Affairs Committee on February 24, 2025. The amendment, developed with the Personal Information Protection Commission (PIPC), mandates foreign business operators processing personal information to establish a domestic corporation, appoint a local representative, and ensure management and supervision by the overseas headquarters. Domestic corporations are also required to oversee their local representatives' duties, which must be detailed in their personal information processing policies. The bill awaits signature and publication in the Official Gazette to become law.