Issue 134

Enforcement updates

Florida-based Carnival Cruise Line has agreed to a multistate settlement of USD 1.25 million for a 2019 data breach that involved the personal information of approximately 180,000 employees and customers nationwide. Breach notifications stated that Carnival first became aware of suspicious email activity in late May of 2019 and reported the breach 10 months later. Along with the settlement, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices.

The local health authority Roma 1 had published on its website the names and health data of individuals who, between 2017 and 2018, had requested access to medical documents such as medical records, disability assessments, tests, and technical reports. It thus violated the provisions of the GDPR and was fined EUR 46,000 by the data protection authority.

The Tagansky District Court of Moscow has decided to fine the foreign internet companies Twitch Interactive Inc., Pinterest Inc., Airbnb Inc., and United Parcel Service, Inc. (UPS) for failing to store and process the personal data of Russian citizens within Russian territory. The companies also failed to provide such data in a timely manner. The Court thus decided to fine UPS RUB 1 million and Twitch, Pinterest, and Airbnb RUB 2 million each.

Guidance updates

  • The US Department of Health and Human Services has released guidance to amp up protection of reproductive health data.
  • The German Data Protection Conference has released FAQs in relation to the use of Facebook fan pages.
  • The Office of the Privacy Commissioner of Canada has released guidance on credential stuffing attacks.

Regulatory updates

  • A California bill amending the Confidentiality of Medical Information Act and the Insurance Information and Privacy Protection Act has entered into effect from 1 July 2022.
  • A bill to amend the Indiana Code with respect to the timeframe for notifying breaches, limiting it to 45 days, has entered into effect.
  • The Cyberspace Administration of China has requested public comments on its draft of the Standard Contract Provisions for the Exit of Personal Information, until 29 July 2022.

EU updates

  • The CJEU has ruled on the compatibility with the GDPR of the German provisions requiring just cause for the termination of a DPO.
  • The Hessian data watchdog has approved the use of a Zoom model that universities can configure and operate without violating data protection requirements.
  • The CJEU provides clarity on the passenger name record directive applicable to flights between the EU and third-party countries.

India updates

  • The Indian Computer Emergency Response Team has given Virtual Private Network providers and cloud service operators until 25 September 2022 to comply with the new cybersecurity rules.
  • The RBI has issued a master direction on outsourcing IT services, which includes data privacy measures to be adopted to reduce risks.

News around the globe

  • OpenSea has reported a major email security breach after its email delivery vendor misused employee access to download and share email addresses.
  • Hackers have claimed to have put up for sale the personal information of up to a billion Chinese residents after breaching and accessing a Shanghai police database, reports Bloomberg.
  • State’s Department of Justice has launched an investigation after suffering a data breach of the Firearms Dashboard Portal.

Big tech updates

  • A Republican commissioner from the Federal Communications Commission urges the CEOs of Apple and Google to remove TikTok over privacy concerns, reports Fortune.
  • Google has announced the deletion of users’ location history when they visit abortion clinics, domestic violence shelters and other such places where privacy is expected.
