Hello Friends,
India has proposed the Telecommunication Bill 2022 for public consultation until October 20, 2022. And GDPR is not particularly the model followed for the new draft of India’s Data Protection Bill. It is to address issues of security and consumers’ rights to data protection. This news and more, in this fortnights' Data Privacy Insights- curated privacy news from across the globe.
Enjoy reading!
Privacy Enforcement
ICO finds TikTok for Violating Protect Children’s Privacy
The U.K. Information Commissioner's Office announced a notice of intent to fine TikTok 27 million GBP for alleged U.K. data protection violations. The ICO's investigation found potential violations concerning the non-consensual processing of minors' data, unlawful processing of special category data, and insufficient transparency.
Berlin DPA Issues Fine of 525K Euro over DPO Violation
The Berlin Commissioner for Data Protection and Freedom of Information issued a 525,000 euro fine to a Berlin-based retailer for violation of data protection officer requirements under the EU General Data Protection Regulation. An investigation found an alleged conflict of interest concerning the DPO's employment status and decision-making responsibilities that violated Article 38(6) of the GDPR. The company received a warning from the regulator in 2021.
South Korea PIPC Issues KRW 100B in Big Tech Fines
South Korea's Personal Information Protection Commission announced fines totalling KRW 100 billion (approximately $71.8 million) to Google and Meta over data processing violations related to user consent. The violations against both companies stem from alleged insufficient disclosures regarding data collection and use practices and issues with default opt-in settings for user consent. Google was issued a KRW 69.2 billion (~$50 million) penalty while Meta received a KRW 30.8 billion (~$22 million) fine. Spokespeople for Google and Meta said they disagreed with the decisions while noting commitments to legal compliance along with user control and transparency.
Data Breach
American Airlines suffers Data Breach
American Airlines notified customers the company experienced a data breach over the summer. American Airlines discovered the breach on July 5 and secured the “limited number" of employee email accounts that were compromised. The company determined employees’ and customers’ personally identifiable information could have been exposed. In response, American Airlines will offer impacted customers two years of free credit monitoring. The company did not specify how many customers were affected.
Privacy in Spotlight
Danish DPA renders Decision against Google Analytics Transfer
Denmark's data protection authority, Datatilsynet, became the latest EU authority to order a halt on the use of Google Analytics for data transfers to the U.S. without supplementary measures. Denmark's decision follows those of Austria, France, and Italy, with Dataltilsynet noting the shared view represents "a pan-European attitude among the supervisory authorities" and a "crucial" step toward a harmonized approach. Datatilsynet advised Danish businesses to "assess whether their possible continued use of the tool is within the framework" of the EU General Data Protection Regulation.
Lawsuit accuses Facebook of Inserting Tracking Code into in-app Browser
In a federal class-action lawsuit, Meta, the parent company of Facebook, is accused of tracking smartphone users through its in-application browser. The lawsuit, filed Sept. 15 in the U.S. District Court for the Northern District of California, alleged the company collected users’ data by inserting a tracking code into websites users visit when using Facebook's browser. The company has yet to respond to the lawsuit.
Regulations
Minister discusses Potential Framing for India’s Data Protection Bill Redraft
Indian Minister of State for Electronics and Information Technology Rajeev Chandrasekhar discussed potential aspects of the country's reworked data protection bill. Particularly on the topic of regulating data flows, Chandrasekhar said India will not use the EU General Data Protection Regulation as "our peer or our framework for comparison," adding that India's next draft data protection bill will have to "figure out whether the weightage is on adequacy, privacy, or ease of doing business."
India proposes Telecom, Online Messaging Bill
Indian Parliament published the draft Telecommunication Bill 2022, which aims to regulate digital communications. The bill allows the government to view all online communications in cases of perceived national security or public safety concerns while giving agencies immunity from potential lawsuits stemming from such intervention. The legislation also addresses spam messages, proposing consent requirements and a "Do Not Disturb" registry. The government opened a public consultation on the bill through October 20.
New York to consider Children’s Privacy Legislation
State Senate Andrew Gounardes, D-N.Y., introduced a children's privacy bill to the New York Senate that mirrors the recently-passed California Age-Appropriate Design Code Act. Senate Bill 9563, the New York Child Data Privacy and Protection Act, covers minors aged 17 and under and would require data protection impact assessments, privacy-by-default settings, and limits on children's data practices. The bill also calls for a ban on targeted advertising against children
Indonesian Law Maker Pass Data Protection Bill
Indonesian lawmakers passed a long-awaited data protection bill into law on Sept. 20. Indonesia is the fourth most populous nation in the world. The law includes fines of up to 2% of a company's annual revenue, the potential confiscation of assets, and a stipulation that individuals could be imprisoned for up to six years for falsifying personal data or up to five years for collecting personal data illegally. The bill also authorizes the president to create an oversight body to enforce the law. Indonesia Communications Minister Johnny Plate said the development "marks a new era in the management of personal data in Indonesia."
Tanzanian Parliament expected to receive Personal Information Protection Bill
Tanzania’s Personal Information Protection Bill is expected to be read in Parliament for the first time by the end of September, according to Information, Communications, and Information Technology Minister Nape Nnauye. Nnauye said once the bill passes in Parliament, it is expected to be signed into law by President Samia Suluhu Hassan. The bill was crafted in response to online services selling citizens’ personal data without their consent.
Michigan Lawmakers introduce Comprehensive Privacy Bill
State Sen. Rosemary Bayer, D-Mich., and fellow Senate Democrats introduced Senate Bill 1182, the Michigan Personal Data Privacy Act. The bill would cover businesses that hold data on more than 100,000 consumers and on those holding data on more than 25,000 consumers while generating 50% gross revenue from data sales. Notable provisions include consumer opt-outs for data sales and targeted advertising, a data broker registry, a 30-day right to cure, and a private right of action with 30 days of notice. The bill was referred to the Senate Committee on Energy and Technology.
For more details on our Data Privacy, Data Security & Compliance Services, contact us at info@riskpro.in