Issue 105

Enforcement updates

Singapore’s data watchdog fines hotel booking platform for data breach

Singapore’s Personal Data Protection Commission (PDPC) has imposed a fine of SGD 74 thousand on Commeasure Pte Ltd, a travel company that operates the travel booking website RedDoorz, after a breach exposed the data of 5.9 million customers. The PDPC reported that the penalty was imposed for failing to put in place reasonable security arrangements to prevent the unauthorized access and exfiltration of customers’ personal data hosted in a cloud database. Before issuing the financial penalty, the commission took into account the company’s cooperative behavior and remedial actions, as well as the fact that it was running a travel business during the pandemic. It has given the company 30 days to pay the fine, after which interest will become applicable.

Apple and Google fined by Italian competition watchdog for aggressive data acquisition practices

The Competition and Market Authority (AGCM) has imposed a fine of EUR 10 million each on Google Ireland Ltd. and Apple Distribution International Ltd. for two violations of the consumer code: one for lack of information, and another for aggressive practices regarding the acquisition and use of consumer data for commercial purposes. The Authority found that both Google and Apple did not provide clear and immediate information on the acquisition and use of user data for commercial purposes, and accordingly held that there is a consumption relationship between the users and the two operators. Thus, a total fine of EUR 20 million was issued by the Italian watchdog.

Trial court of Massachusetts grants class action settlement on hospital’s cookie practices

The Suffolk Superior Court in the Commonwealth of Massachusetts approved a preliminary settlement of USD 18.4 million in a class action lawsuit against Mass General Brigham Incorporated and its partners. It is alleged that the defendants used web analytics tools to track users’ behavior on their website domains to gather information about them, and sold that information to third parties without the users’ consent. The settlement notice has been published on a website built specifically for potential claimants to file their claims. The final approval hearing for the settlement will take place on 18 January 2022.

Guidance updates

  • Danish Data Protection Authority releases new guidance on data responsibility between private suppliers and public authorities.
  • Finland’s Office of Data Protection Supervisor publishes guidance on data breach notification practices in the social and healthcare sectors.
  • New Zealand’s Office of the Privacy Commissioner releases an insight report on mandatory privacy breach reporting.

Regulatory updates around the globe 

  • UAE approves Federal Data Protection Law, to be effective from 2 January 2022.
  • Cabinet of Ministers of Sri Lanka has approved the draft bill on personal data protection.

China updates

  • China Academy of Information and Communication Technology issues a whitepaper on personal information protection and governance for mobile apps.
  • Cyberspace Administration of China releases its Network Data Security Management Regulation, open for public comments up to 13 December 2021.
  • Ministry of Industry and Information Technology issues a notice containing a plan to strengthen network and data security assurance systems.

US updates

  • National Telecom Information Administration plans to hold listening sessions and seek comment on the intersection of privacy, equity and civil rights.
  • U.S. financial regulators have approved a new rule that requires banking organizations to report any significant cybersecurity incident within 36 hours of discovery.

EU updates

  • Irish Council for Civil Liberties filed a formal complaint against the European Commission for failing to properly monitor the application of GDPR.
  • European Data Protection Board issued guidelines clarifying the provisions on international transfer.

India updates

  • Additional Secretary of the Ministry of Electronics and Information Technology states that the consent framework of Aadhaar will need to be examined once the PDP bill is enforced. Reports Medianama.
  • Meghalaya government responds to Internet Freedom Foundation’s letter highlighting the use of facial recognition technology in the issuance of a pensioner’s life certificate on a mobile app.
  • National Health Authority publishes Consultation Paper on Health Data Retention Policy.

News around the globe

  • Singapore and the United Kingdom announce the signing of three MOUs in the areas of digital trade facilitation, digital identities and cyber security.
  • Meta delays Facebook and Instagram’s messaging encryption plans until 2023 over concerns regarding online crimes against children. Reports BBC.
  • Security Exchange Commission announces GoDaddy’s data breach that may have exposed more than 1.3 million email addresses of active and past users.

Big tech updates

  • WhatsApp publishes a new privacy policy for its EU users after being fined EUR 225 million.
  • Austrian privacy activist Max Schrems accuses Irish Data Protection Commissioner of preventing him from publishing documents related to Facebook complaint. Reports Irish Times.
