
Hello Friends,
The implementation of the Digital Personal Data Protection (DPDP) Act is moving forward, with inter-ministerial consultations on the draft rules completed on Tuesday, including approval from the home ministry. The Ministry of Electronics and Information Technology (MeitY) has released the draft rules for public feedback, paving the way for their notification and phased rollout. Stakeholders will be able to provide feedback and suggestions. The draft rules are aligned with the principles of the DPDP Act and are designed to be simple, adaptable, and flexible.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
Netherlands: AP fines Coolblue €40,000 for use of cookies without consent.
The Dutch Data Protection Authority (AP) fined Coolblue B.V. €40,000 for GDPR violations related to improper cookie consent practices. The AP's investigation, initiated in 2019, found that Coolblue's cookie banner did not allow users to give consent as required by the GDPR, with pre-checked boxes for cookie use from April to June 2020. Despite being notified in November 2019, Coolblue failed to rectify the issue, leading to the fine for violating Articles 5(1)(a) and 6(1)(a) of the GDPR.
Cyprus: Commissioner fines State Health Services Organization following a breach.
The Commissioner for Personal Data Protection in Cyprus fined the State Health Services Organization €46,500 for GDPR violations after 13 data breach notifications, involving the loss of medical records and AEDD registration forms. Each incident affected a different patient and constituted a breach of data availability. The organization failed to ensure data security, demonstrate GDPR-compliant processing, maintain an appropriate level of security, and notify the Commissioner in a timely manner. Penalties included fines for each lost medical record and AEDD form, a reprimand for potential missing patient files, and an order to inform patients and establish an AEDD form handling procedure.
Data Breach
Atos database breached by ransomware group.
Atos SE, a French technology company, said a ransomware group called Space Bears claimed to have compromised an Atos database. Atos' cybersecurity team is actively investigating the situation, but its initial analysis had shown "no evidence of any compromise or ransomware affecting any Atos/Eviden systems in any country, and no ransom demand has been received to date". In an updated statement issued on Friday, Atos said the ransomware group's allegations are "unfounded", but it did confirm that the cybercriminals may have obtained some data pertaining to the company.
UN aviation agency investigating reports of possible data breach.
The United Nations' civil aviation agency is investigating reports of a "potential information security incident" following a claim that tens of thousands of its records had been stolen. The Canada-based International Civil Aviation Organization (ICAO) said in a brief statement posted on its website that the potential security breach was possibly tied to "a threat actor known for targeting international organizations." ICAO confirmed to Reuters in a follow-up email that the investigation was related to a claim reportedly made on a hacker forum on Jan. 6 that 42,000 records had been stolen from the agency. It did not elaborate.
Privacy in Spotlight
Italy: Garante fines OpenAI for GDPR non-compliance in ChatGPT management.
The Italian data protection authority, Garante, fined OpenAI OpCo, LLC €15 million for GDPR non-compliance in the management of ChatGPT, citing violations such as inadequate legal basis for data processing, lack of transparency, and insufficient age verification. The decision followed an investigation initiated in March 2023, which also referenced the European Data Protection Board's Opinion 28/2024. OpenAI was ordered to conduct a six-month information campaign on ChatGPT's data protection implications and user rights. The Garante also referred the case to the Irish Data Protection Commission, the lead supervisory authority since OpenAI established its European headquarters in Ireland.
NOYB filed a complaint against Ryanair over alleged GDPR violations.
None of your Business (NOYB) filed a complaint against Ryanair DAC with the Italian data protection authority (Garante) for alleged violation of the General Data Protection Regulation (GDPR). NOYB stated, among other things, that Ryanair forces users to create a permanent account before booking a flight. Additionally, all new account owners must go through a mandatory verification process and Ryanair nudges them to use a pre-selected biometric facial recognition process to verify their account. If users don't want their biometric data processed, Ryanair requires them to send a handwritten signature and a copy of their government ID. Considering the above, NOYB alleges that Ryanair violated Articles 5(1)(c), 5(1)(b), 6, 9, and 12 of the GDPR.
Regulations
Delaware DPDPA enters into effect.
The Delaware Personal Data Privacy Act (DPDPA) became effective on January 1, 2025, applying to businesses in Delaware handling significant volumes of consumer data, with exemptions for certain entities and data types. It defines key terms, establishes consumer rights for data access, correction, deletion, and portability, and sets out obligations for data controllers, including consent revocation mechanisms and prohibitions on processing without consent. Controllers must conduct Data Protection Impact Assessments for high-risk processing and maintain clear privacy notices. The Act is enforced by the Delaware Attorney General and does not allow for private lawsuits.
India: MeitY publishes draft Digital Personal Data Protection Rules.
The draft Digital Personal Data Protection Rules aim to safeguard citizens' rights for the protection of their personal data. These rules seek to operationalize the Digital Personal Data Protection Act, 2023 (DPDP Act), in line with India's commitment to create a robust framework for protecting digital personal data. India’s model strikes a unique balance between fostering innovation and regulation to protect personal data. Unlike restrictive global frameworks, these rules encourage economic growth while prioritizing citizen welfare.