
Hello Friends,

Industry stakeholders have voiced concerns during consultations on the Digital Personal Data Protection Rules, which the Centre aims to finalize by April. A key point of contention is a clause that would potentially restrict certain data from being transferred or stored outside India based on recommendations from a government-appointed committee. Major tech companies and industry bodies have flagged this data localization requirement, along with issues regarding verifiable parental consent. These organizations are advocating for a balanced regulatory approach that protects privacy without hindering innovation. The extensive consultation process, which concluded earlier this month, allowed stakeholders to express these reservations directly.

By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.

"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to identify the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you get on the path towards compliance."

Enjoy reading!


Privacy Enforcement

Norway: Datatilsynet announces supervision of UDI

On March 18, 2025, the Norwegian data protection authority (Datatilsynet) announced that it had started an investigation into the Norwegian Directorate of Immigration’s (UDI) use of pan-European information systems. In particular, Datatilsynet outlines that on March 20, 2025, it will examine whether personal data is being processed in accordance with the Personal Data Act and rules that apply to the Visa Information System (VIS).


Belgium: DPA fines telecommunications company €100,000 for delay in responding to access request

The Belgian Data Protection Authority fined a telecommunications company €100,000 for not responding promptly to a client's GDPR access request; the Markets Court later reduced the fine to €5,000. The initial delay was 14 months, and the fine was imposed for violating Articles 12(2), 12(3), and 15 of the GDPR. The Markets Court based its reduction on the incident being isolated and due to negligence, and on the company's subsequent corrective actions.


Data Breach

UK: ICO fines Advanced £3.07M for data security failures following ransomware attack

The UK Information Commissioner's Office (ICO) fined Advanced Computer Software Group Ltd £3.07 million for failing to implement sufficient data security measures, violating the UK GDPR. This decision followed a ransomware attack in August 2022, where hackers accessed personal information of 79,404 individuals, including sensitive details of 890 home care recipients, through a system lacking multi-factor authentication. The ICO's investigation highlighted deficiencies in MFA deployment, vulnerability scanning, and patch management. Although initially proposing a £6.09 million fine, the ICO reduced the penalty after considering Advanced's cooperation with authorities and efforts to mitigate the attack's impact.


UK: ICO issues 23andMe with notice of intent to fine £4.59M over data breach

The UK Information Commissioner's Office (ICO) issued a notice of intent to fine genetic testing company 23andMe £4.59 million following a data breach reported in October 2023. The ICO, in a joint investigation with the Office of the Privacy Commissioner of Canada, determined that 23andMe must maintain high security standards for sensitive genetic data under the UK GDPR. The fine and enforcement notice are provisional, pending 23andMe's representations, including affordability considerations. The ICO is also monitoring 23andMe's Chapter 11 bankruptcy filing, emphasizing that UK GDPR protections still apply to the company.


Privacy in Spotlight

TikTok faces a fine of over $553 million for illegally shipping EU data to China

TikTok's owner, ByteDance Ltd., may face a privacy fine exceeding €500 million ($553 million) for illegally transferring European users' data to China. Ireland’s Data Protection Commission, the lead EU regulator for the company, is expected to issue the penalty this month after discovering that TikTok violated the EU's General Data Protection Regulation by sending data to China for access by engineers. This fine could be the third largest issued by the Irish watchdog, following penalties against Amazon and Meta. The regulator will also instruct TikTok to halt unlawful data processing in China.


Amazon loses court fight against record $812 million Luxembourg privacy fine

Amazon lost its fight against a fine handed out by Luxembourg’s privacy regulator four years ago as a court sided with the watchdog, according to a statement on the regulator’s website. The fine, for violating EU privacy laws, was handed out by the regulator in 2019. The country’s administrative court sided with the regulator, affirming the penalty on March 18 related to GDPR breaches. Amazon is now considering a further appeal to the court ruling.


Regulations

EU: Commission expert group publishes B2B data sharing and cloud computing contracts

The European Commission Expert Group released a report on April 2, 2025, detailing model contractual terms (MCTs) and standard contractual clauses (SCCs) for B2B data sharing and cloud computing contracts. These non-binding, voluntary terms are designed to facilitate data access and use between various parties, including data holders, users, and third-party recipients, without affecting existing rights and obligations under the Data Act, GDPR, or other laws. The MCTs cover four distinct scenarios of data sharing, while the SCCs provide six standard clauses addressing general contract structure, switching and exit processes, termination, security, non-dispersion, liability, and non-amendment for use in data processing service agreements.


Mexico: Law on protection of personal data by private parties published in official gazette

Mexico's Federal Law on the Protection of Personal Data Held by Private Parties, published on March 20, 2025, regulates the processing of personal data by private entities, excluding credit reporting companies and personal use data collectors. It defines consent, personal data, sensitive personal data, and ARCO rights, and mandates principles for data processing, including the necessity of consent. The law requires security measures to protect data and allows data transfer with consent, barring certain exceptions. The Secretariat of Anti-Corruption and Good Governance enforces the law, with the power to impose sanctions and imprisonment for violations.


EU: CJEU clarifies lawfulness of processing personal data of legal entity representative

The Court of Justice of the European Union (CJEU) ruled on Case C-710/23 that the disclosure of personal data of individuals representing legal entities is lawful under the GDPR. The case arose when an individual requested information from the Ministry of Health, which redacted personal details from Covid-19 test certificates. The CJEU found that such data is considered personal data, and its communication is lawful even if for identifying the person acting on behalf of a legal entity. The court also stated that public authorities must balance public access to documents with personal data protection and may need to consult the individuals concerned before disclosure, unless it's impossible or requires disproportionate effort.
