
Hello Friends,
E-commerce platforms, social media intermediaries, and online gaming platforms with significant user bases in India will soon be required to erase personal data of users three years after it is no longer needed. This directive is part of the draft rules under the Digital Personal Data Protection (DPDP) Act, released for public feedback. The government is soliciting feedback on the draft rules through the MyGov portal until February 18, 2025.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
Romania: ANSPDCP fines Red & White for lack of instructions for processors.
The National Supervisory Authority for Personal Data Processing (ANSPDCP) fined Red & White 2022 Management SA RON 24,850 for violating GDPR Article 28(3) by not providing documented instructions to its processor. This followed an investigation initiated by a notification from an authorized representative of Red & White, which concerned an email sent to a large database of individuals, including the football team's supporters and others, about a funding campaign.
New York: AG reaches $450,000 settlement with companies over poor data security.
The New York Attorney General reached a $450,000 settlement with Fantasia Trading LLC, Power Mobile Life LLC, and Smart Innovation LLC for failing to protect consumer data in their eufy-branded security products. The companies did not implement end-to-end encryption, lacked proper safeguards for authorized access, failed to test security controls, and stored thumbnail images without consumer consent. The settlement requires the companies to pay penalties, establish a comprehensive software security program, appoint a security program manager, provide employee training, and implement a vulnerability management program.
Data Breach
PayPal agrees to pay $2 million to settle over a data breach.
PayPal has agreed to pay a $2 million fine to New York State for failing to comply with cybersecurity regulations. This failure led to a data breach in 2022 that exposed the personal information of 35,000 customers; PayPal disclosed the breach in 2023. The exposed data included full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers of PayPal customers. Under the settlement, PayPal is required to pay the $2 million fine within 10 days, with no further action unless additional violations are uncovered.
DeepSeek is allegedly accidentally leaking sensitive data.
DeepSeek, the Chinese AI service, has been accidentally leaking sensitive data online, a cyber security company has claimed. New York-based Wiz says it discovered the vulnerability responsible and reported that over a million lines of data, including software keys and user chat logs, were left unsecured. DeepSeek responded to the alert quickly and secured the data within an hour.
Privacy in Spotlight
Italian data privacy agency, Garante, probes China's DeepSeek AI.
The Italian data protection authority Garante has launched a compliance probe into the companies behind China's DeepSeek AI service; the Belgian data protection authority has received a complaint, and the European Commission will check whether the service complies with its broader tech rules. Garante said it is particularly looking into what data is collected, for what purpose, where it is stored, and whether it has been used to train the AI model. The probe was triggered after consumer advocacy groups Euroconsumers and Altroconsumo wrote to Garante questioning how data is protected and stored in China and whether it could ever be accessed by the Chinese government.
BEUC contacts enforcement authorities over Meta's latest pay-or-consent policy.
BEUC (The European Consumer Organization) raised concerns with regulators that Meta's pay-or-consent policy may infringe consumer and data protection law and the DMA, such as by using unclear terms and confusing interface designs. BEUC urges the EU to quickly conduct an in-depth investigation into whether Meta’s latest pay-or-consent mechanism in the EU complies with EU law (consumer and data protection law and the Digital Markets Act) and to take quick and effective measures if it does not.
Regulations
South Carolina Bill for consumer privacy introduced to House.
A South Carolina House Bill introduced on January 14, 2025, aims to protect consumer privacy. It applies to businesses operating in the state or serving its residents, with exemptions for state agencies, financial institutions, HIPAA entities, non-profits, and personal activities. It grants consumers rights such as access, rectification, deletion, and opt-out options for data processing, targeted advertising, and sensitive data collection, with a 45-day response time for controllers. The bill mandates clear privacy notices, consent for processing sensitive data, non-discrimination for exercising rights, and detailed Data Protection Assessments for high-risk activities. Controllers cannot offer different terms based on consumer data choices, and search engines must disclose ranking parameters. The South Carolina Attorney General enforces the bill, with a 45-day cure period for violations, except in certain cases involving children or failure to delete data.
New Zealand: Privacy Amendment Bill introduced to Parliament.
The Privacy Amendment Bill (Bill 292-1) introduced to the New Zealand Parliament on September 5, 2023, proposes amendments to the Privacy Act 2020, including the addition of Information Privacy Principle (IPP) 3A and the removal of certain obligations under IPP 3. The bill, which will come into force on June 1, 2025, also revises the timeframe for agencies to respond to personal information correction requests and allows the Information Commissioner to assess foreign privacy laws. It includes provisions to protect the personal information of minors by allowing agencies to refuse access to information if it is contrary to the interests of minors under 16.