
Hello Friends,

A senior lawmaker indicated that the much-anticipated administrative rules detailing India's data protection legislation are expected to be notified soon. During a recent meeting with industry representatives, MeitY sought to reassure businesses of minimal disruptions under the upcoming rules. However, experts emphasize that compliance with the Digital Personal Data Protection (DPDP) Act will be an ongoing requirement, not a one-time effort. Businesses awaiting these regulations to initiate compliance may face considerable challenges ahead, warned a privacy expert.

By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.

"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organizational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."

Enjoy reading!


Privacy Enforcement

Irish Data Protection Commission fines LinkedIn Ireland €310 million.

The Irish Data Protection Commission (DPC) fined LinkedIn following a complaint initially made to the French DPA. The inquiry examined LinkedIn's processing of personal data for behavioral analysis and targeted advertising of users. It found that LinkedIn contravened Article 6 and Article 5(1)(a) of the GDPR. The DPC imposed three administrative fines totaling €310 million pursuant to Articles 58(2)(i) and 83 GDPR and ordered LinkedIn to bring its processing into compliance with the GDPR.


USA OCR settles with healthcare authority for $90,000 following HIPAA violations.

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Bryan County Ambulance Authority, a provider of emergency medical services, for a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks such as ransomware. Knowing where ePHI is held and what security measures are in place to protect it is essential for HIPAA compliance.


Garante fined Selectra €80,000 for accessing former employee’s mailbox.

The Italian Garante upheld the complaint against Selectra. The controller had failed to inform the data subject about the retention period for the backup data. Furthermore, the internal procedure lacked information about the potential investigation of emails, backups or other data/devices and the possible reasons for such investigation. As a result, the controller violated Article 5(1)(a) GDPR and Article 13 GDPR. Additionally, the controller did not justify the reasons for storing the email backup for three years after the termination of the employment, or the storage period of 6 months for email access logs. There were no safeguards in place as required by Article 114 of the Italian Data Protection Code.


Data Breach

Canadian Privacy Commissioner investigates federal revenue agency data breaches.

The Privacy Commissioner of Canada has launched an investigation into the Canada Revenue Agency (CRA) related to cyberattacks that led to more than 30,000 privacy breaches dating back to 2020. The investigation was launched in response to a complaint. The CRA reported the breaches to the Office of the Privacy Commissioner of Canada (OPC) in May 2024. The OPC has since been engaging with the CRA to learn more about the situation and determine the next steps. The OPC has advised individuals to protect themselves by changing their passwords.


PIPC fined online retailer for PIPA violations after data breach.

The Personal Information Protection Commission (PIPC) of South Korea fined Neopharm Co., Ltd KRW 105.17 million and imposed a penalty surcharge of KRW 7.2 million for Personal Information Protection Act (PIPA) violations following a data breach. An investigation revealed that a hacker accessed Neopharm's administrator account 750 times over two weeks, stealing the personal information of 293,723 individuals and sending 440,000 illegal text messages. The PIPC found Neopharm's security measures inadequate, citing violations of Articles 29 and 39-4(1) of the PIPA, including improper access rights management and delayed notification to users about the data leak.


Privacy in Spotlight

Pinterest's personalized advertising violates the GDPR, claims NOYB.

NOYB (None of Your Business) filed a complaint in France, alleging that Pinterest violated the GDPR by processing user personal data for personalized advertising without the user's consent. NOYB argues that Pinterest wrongly asserts a legitimate interest in processing user personal data: tracking is turned on by default and requires users to opt out. Additionally, upon receiving an access request from the complainant, Pinterest did not provide information on the recipients of the data or details of the categories of data shared with third parties.


EPIC Files Complaint Urging the FTC to Investigate OpenAI’s GPTs and Third-Party APIs.

The Electronic Privacy Information Center (EPIC) filed a complaint urging the Federal Trade Commission (FTC) to investigate OpenAI for allegedly failing to meet established standards for responsible AI use and development, offering products with unsafe security, privacy, and business practices, perpetuating unfair and deceptive practices in its product development and release, and causing significant consumer harm. The complaint also states that OpenAI has collected large volumes of consumer data and produced unsafe AI models in order to enrich itself.


Regulations

NPC requests comments on draft Advisory Guidelines on Child-Oriented Transparency.

The National Privacy Commission (NPC) of the Philippines has released draft Advisory Guidelines on Child-Oriented Transparency, seeking public comments until November 6, 2024. These guidelines mandate personal information controllers (PICs) to adopt a child-oriented approach when processing children's data, including conducting a Child Impact Assessment as part of their Privacy Impact Assessment. PICs must implement measures such as age assurance, high-default privacy settings, and a child-friendly privacy notice. The Advisory emphasizes the importance of parental involvement in high-risk processing situations and holds PICs accountable for prioritizing children's best interests in data processing.


UK: Data (Use and Access) Bill introduced to Parliament.

The Data (Use and Access) Bill, introduced to the UK Parliament, aims to amend the UK data protection framework by establishing recognized legitimate interests for data processing, setting conditions for compatible secondary processing, and outlining new provisions for data subject access requests, cookie consent, and automated decision-making. It also sets a data protection test for international data transfers, ensuring that the protection level in third countries or international organizations is not materially lower than in the UK. The Information Commissioner's Office (ICO) and the Department for Science, Innovation and Technology (DSIT) have both responded positively to the bill.
