
Hello Friends,

The executive rules under the Digital Personal Data Protection (DPDP) Act are expected to provide broad guidelines for companies on consent management, focusing on a government-issued identity card-based age verification system, while allowing companies to develop their own solutions. These rules will ensure minimal disruption for smaller entities like schools and universities, which handle children’s data by offering certain exemptions. However, according to individuals familiar with the matter, ed-tech companies are unlikely to benefit from these exemptions.

“Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organizational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance.”

Enjoy reading!

 

Privacy Enforcement

National Center for Immediate Assistance (EKAB) fined €30,000 for GDPR violations.

The Hellenic Data Protection Authority (HDPA) imposed a fine of €30,000 on EKAB following complaints from citizens who were denied access to their recorded telephone calls made to EKAB’s call center. The HDPA determined that EKAB failed to respond adequately to the requests, did not explain its refusal, and neglected to verify the complainants' identities, dismissing the requests as repetitive and abusive. This response violated Article 15(3) of the GDPR, which grants individuals the right to access their personal data. Additionally, EKAB was found in breach of the transparency requirements under Article 13 of the GDPR, as it failed to update its privacy policy to clearly inform data subjects of their rights.


South Korean PIPC fined Worldcoin and TFH KRW 1.4 billion for PIPA violations.

The South Korean Personal Information Protection Commission (PIPC) imposed a penalty on Worldcoin and its sister organization, Tools for Humanity (TFH). The fines were imposed for the misuse of personal data, including scanned iris data. The PIPC found that the Worldcoin Foundation was handling sensitive personal data and improperly transferring the data to a foreign country. Neither entity informed users about the location of the recipient countries.


HDPA fines Ministry of Citizen Protection €150,000 for GDPR violations

Greece's Hellenic Data Protection Authority (HDPA) imposed an administrative fine of €150,000 on the Ministry of Citizen Protection for GDPR violations following complaints about the new type of identity cards for Greek citizens. The HDPA found that the Ministry failed to meet its information obligations, in violation of Articles 13 and 14 of the GDPR, by delaying informing the data subjects for a long time and providing incorrect information on its website.


Data Breach

Customer data of Star Health, one of India’s largest health insurers, was hacked.

Star Health and Allied Insurance has suffered a major data leak involving the private details of over 31 million customers. The stolen data included names, phone numbers, addresses, tax details, copies of ID cards, test results, and medical diagnoses of customers. A user named “xenZen” created chatbots that allowed Telegram users to request and download various documents, including policy details, claims, and even medical diagnoses. Star Health has acknowledged the breach and is currently working with law enforcement.


Hacker claims breach of Dell employee and partners' data.

A hacking forum post raised concerns over a potential Dell Technologies data breach allegedly affecting over 10,800 employees and partners and exposing sensitive internal data. The leaked information includes employee IDs, full names, employment status, and internal identification numbers. Dell has acknowledged the claims and confirmed that an investigation is underway. However, it has not been confirmed whether the breach was due to external hacking or an internal security lapse.


Privacy in Spotlight

NOYB filed a complaint against Mozilla for its “privacy preserving” feature.

NOYB alleged in its complaint that Mozilla, in its Firefox browser, quietly enabled a privacy feature called “privacy preserving attribution”, allowing Firefox to track user behavior on websites. The company has turned this feature on by default once individuals install its recent software update, thus failing to provide an opt-in option to its users. NOYB has asked the Austrian Data Protection Authority (DSB) to investigate Mozilla’s behavior.


Irish Data Protection Commission fines Meta Ireland €91 million over EU data breach.

The Irish DPC found that Meta Platforms Ireland Limited (MPIL) failed to notify it of a personal data breach concerning the storage of user passwords in plaintext (i.e. without cryptographic protection or encryption). Meta also failed to document the personal data breach. It did not use appropriate technical or organizational measures to ensure appropriate security of users’ passwords against unauthorized processing and ensure the ongoing confidentiality of user passwords.


Regulations

Vietnam MPS requests public comments on the draft Law on Personal Data Protection

The Ministry of Public Security (MPS) of Vietnam requested public comments on the draft Law on Personal Data Protection. The draft law applies to Vietnamese agencies, organizations, and individuals in Vietnam and to foreign agencies, organizations, and individuals involved in data processing in Vietnam. It has introduced the term ‘personal data protection expert’ for individuals acting as a DPO (data protection officer). It also details prohibited acts relating to personal data. The draft Law will come into effect on January 1, 2026.


The Californian AI Transparency Act is set to come into effect in January 2026.

The AI Transparency Act enters into effect on January 1, 2026. The Act does not apply to any product, service, internet website, or app that provides exclusively non-user-generated video games, television, streaming, movies, or interactive experiences. In addition, covered providers must offer users the option to include a disclosure in image, video, or audio content, or a combination thereof, created or altered by the generative AI system.
