
Hello Friends,

The Indian government is set to amend the Aadhaar Act to align it with the Digital Personal Data Protection (DPDP) Act, 2023, aiming to enhance user privacy and data protection. Union IT Minister Ashwini Vaishnaw has directed the Unique Identification Authority of India (UIDAI) to prioritize this harmonization, focusing on user consent, data minimization, and purpose-specific data usage. The forthcoming amendments will address gaps such as the lack of clear definitions for personal data and inadequate provisions for data erasure upon consent withdrawal. Additionally, a new Aadhaar app featuring facial recognition for authentication has been introduced to modernize and secure identity verification processes.

By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.

"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."

Enjoy reading!


Privacy Enforcement

Spain: AEPD fines Vodafone €200,000 for processing data unlawfully.

The Spanish data protection authority (AEPD) fined Vodafone España €200,000 for GDPR violations after a complaint revealed unauthorized SIM card duplication and fraudulent transactions. Vodafone's failure to adhere to security protocols and lack of a legal basis for processing personal data led to the breach of Article 6(1) of the GDPR. The AEPD's decision highlights the importance of following security measures and legal requirements in data processing.


USA: HHS reaches $600,000 settlement with PIH Health for HIPAA violations.

The U.S. Department of Health and Human Services reached a $600,000 settlement with PIH Health for HIPAA violations following a phishing attack that compromised the personal health information of 189,763 individuals. The OCR found PIH Health failed to comply with several HIPAA requirements, including conducting a risk analysis and notifying affected individuals and the media within 60 days of the breach. As part of the resolution agreement, PIH Health must implement a corrective action plan to address security risks, revise policies, and train employees on HIPAA compliance.


Data Breach

International: ICO and OPC call for protections for 23andMe customer data.

The Information Commissioner's Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have issued a joint letter urging the protection of 23andMe's customer data during its bankruptcy proceedings, emphasizing compliance with UK GDPR and PIPEDA. They are investigating a data breach at 23andMe and have issued provisional findings and a Notice of Intent to fine the company £4.59 million. The ICO and OPC stress the importance of safeguarding sensitive information, such as genetic data, and require any potential buyer to adhere to strict data protection laws. A Consumer Privacy Ombudsman has been appointed to oversee data protection during the proceedings.


South Korea: SK Telecom registers more than 24 million users in the USIM Protection Service after data breach.

Following a significant data breach detected on April 18, SK Telecom has enrolled over 24 million users in its USIM Protection Service to safeguard against potential misuse of compromised SIM data. Additionally, more than 1 million subscribers have replaced their SIM cards, with 7.8 million reservations pending. The breach, involving malware infiltration of the company's home subscriber server, prompted SK Telecom to suspend new subscriber sign-ups and offer free SIM replacements. The company is addressing SIM card shortages and has initiated automatic enrollment in the protection service to enhance security measures.


Privacy in Spotlight

TikTok hit with €530M fine after illegally sending users’ data to China

The Irish Data Protection Commissioner fined TikTok €530 million for unlawful data transfers of EEA users' personal data to China, violating GDPR. The inquiry revealed TikTok's failure to ensure equivalent data protection standards and transparency in its EEA Privacy Policy. TikTok's remote access transfers did not meet GDPR requirements, and inaccurate information was initially provided regarding data storage in China. TikTok must comply with GDPR within six months or face suspension of data transfers to China.


Nigeria fines Meta $220 million for Facebook and WhatsApp data misuse

Nigeria's Competition and Consumer Protection Tribunal has upheld a $220 million fine against Meta Platforms, parent company of Facebook and WhatsApp, for violating data protection and consumer rights laws. The penalty, initially imposed in 2023 by the Federal Competition and Consumer Protection Commission (FCCPC), followed a joint investigation with the Nigeria Data Protection Commission that uncovered unauthorized data sharing, discriminatory practices, and abuse of market dominance. Meta, denying wrongdoing, must comply with the ruling by the end of June 2025. The company has threatened to withdraw Facebook and Instagram from Nigeria, a move criticized by regulators as an attempt to pressure authorities.


Regulations

EU: EDPB adopts opinion on six-month extension of UK adequacy for data transfers.

The European Data Protection Board (EDPB) adopted Opinion 06/2025 on May 5, 2025, regarding the six-month extension of the UK adequacy decisions under the GDPR and LED, set to expire on June 27, 2025. This extension allows the European Commission to evaluate the updated UK legal framework pursuant to the Data (Use and Access) Bill. The EDPB clarified that the Opinion does not address the level of protection for personal data in the UK, but ensures that data transferred from the EEA to the UK continues to benefit from adequate protection until December 27, 2025.


Virginia: Bill on social media and minors signed by the Governor.

Virginia's Senate Bill 854, signed on May 2, 2025, regulates minors' use of social media platforms by prohibiting addictive feeds and limiting usage to one hour per day, effective January 1, 2026. The bill defines a minor as anyone under 16 and outlines obligations for controllers and processors, including age verification and parental control over time limits. It prohibits using age determination data for other purposes and ensures no degradation of service quality due to usage limits. The bill does not grant special control over minors' data or accounts to controllers or processors.
