Data Protection News Update 06 January 2026

United Kingdom

EU renews adequacy decision with United Kingdom

  • The EU Commission has renewed adequacy decisions for the United Kingdom, confirming that its legal framework contains data protection safeguards that are essentially equivalent to those provided by the EU.
  • The adoption of the renewal decisions follows the European Data Protection Board’s opinion and the Member States’ green light.
  • The adequacy decision is subject to a sunset clause of six years, ensuring the free flow of personal data can continue until December 2031.

Update on the November Cyberattacks against London Councils

  • Westminster City Council revealed that sensitive and personal information was likely “copied and taken” during a November cyber-attack targeting a shared IT system.
  • Councils Impacted: While Westminster and Kensington and Chelsea were both hit, Hammersmith and Fulham reports no evidence of compromise so far.
  • Recovery is expected to take significant time, with Kensington and Chelsea warning it may take months for services to return to normal.
  • The councils are working with the Met Police, the National Crime Agency, and the National Cyber Security Centre to determine the full extent of the data theft.

United States

Disney to Pay $10M over Alleged Children’s Privacy Law Violations

  • Walt Disney has agreed to pay $10 million to settle claims that it violated the Children’s Online Privacy Protection Act (COPPA).
  • Regulators alleged Disney failed to label certain YouTube videos as “made for children”, which caused YouTube to collect personal data and serve targeted advertisements to minors without parental consent.
  • Legal filings suggest Disney was aware of these misclassification errors as early as June 2020, when YouTube manually changed labels on hundreds of Disney videos.
  • Beyond the fine, Disney must establish a comprehensive compliance program to ensure future content follows data protection laws.

Cognizant Faces Multiple Class-Action Lawsuits Following Data Breach

  • Cognizant’s healthcare IT subsidiary, TriZetto, suffered a major breach exposing sensitive data including Social Security numbers, financial information, and home addresses.
  • Hackers reportedly had access to systems for 11 before the intrusion was discovered.
  • The company is facing at least three federal lawsuits in New Jersey and Missouri, with plaintiffs alleging negligence and a failure to implement industry-standard security measures.
  • As a major vendor in the healthcare IT sector, the outcome of this litigation could set new legal precedents for data protection requirements for healthcare service providers.

Europe

France’s DPA Fines Nexpublica €1.7M over GDPR Security Breach

  • According to the investigation, the company failed to implement sufficient security measures for its PCRM software, a user relationship management tool used in the social services sector.
  • It was revealed Nexpublica was aware of “structural security problems” and vulnerabilities identified in prior audits but failed to fix them until after the breach was reported.
  • The company was found in violation of Article 32 of the GDPR and fined; however, the French Regulatory Authority did not order further compliance actions because the company implemented the necessary security fixes following the investigation.

International

New Zealand’s Government Orders Review into ManageMyHealth Data Breach

  • Hackers have threatened to leak 400,000 stolen documents, including clinical notes, lab results, and passport details, unless a $60,000 ransom is paid.
  • ManageMyHealth initially estimated that 7% of its users (roughly 126,000 people) were affected, though the hacker’s file count suggests a potentially wider impact.
  • While the company knew who was affected, formal notification has been delayed by coordinating communications between GPs, the Privacy Commissioner, and Health NZ to avoid patient confusion.
  • The government has labelled the incident “unacceptable” and a “wake-up call”, maintaining its policy of refusing to pay ransoms to cybercriminals.
