United Kingdom
Online Safety Act: Ofcom’s Crackdown on Pornography Sites
- The UK’s Office of Communications (Ofcom) has launched formal investigations into 22 more pornography sites, which collectively receive over eight million unique monthly UK visitors.
- The investigations aim to ensure the sites have highly effective age checks in place to protect children, as required by the UK’s Online Safety Act.
- These investigations were prioritized based on the risk of harm the sites posed and a significant increase in their user numbers.
- If sites are found to be non-compliant, Ofcom can impose fines up to £18 million or 10% of qualifying worldwide revenue, and in serious cases, can seek a court order for “business disruption measures”, such as requiring payment providers, advertisers, or internet service providers to withdraw their services.
Hundreds of Parents Outraged after School Data Breach
- A school in Birmingham mistakenly sent a spreadsheet containing the private details of all children in years 7 to 11 to all parents on a mailing list.
- Details included the pupils’ names, year groups, tutor groups, dates of birth, sex and parental contact numbers.
- The school apologised for making the error and said they had immediately reported it to the school trust’s DPO.
United States
Disney Settles with FTC for Violating Children’s Online Privacy
- The Federal Trade Commission (FTC) settled a case with Disney, resulting in a $10 million penalty. The settlement requires Disney to change how it labels YouTube videos for underage viewers.
- Disney was accused of violating the Children’s Online Privacy Protection Act (COPPA) by mislabelling videos intended for children under 13 as “Not Made for Kids” (NMFK).
- Mislabelling not only led to the improper collection of children’s data, which is a direct violation of COPPA, but also potentially exposed them to inappropriate content and disabled protective features like personalized ads and comments.
- In addition to the $10 million penalty, the settlement requires Disney to create an internal review program to ensure videos are correctly labelled.
US Places $11 Million Bounty on Ukrainian Ransomware Mastermind
- A US District Court has indicted Ukrainian national Volodymyr Viktorovich Tymoshchuk for his role in administering the LockerGoga, MegaCortex, and Nefilim ransomware operations.
- Tymoshchuk is accused of managing attacks against over 250 U.S. companies and hundreds of organizations globally. The attacks, which occurred between late 2018 and late 2021, caused significant financial losses and business disruption.
- International law enforcement, including the FBI, Europol, and Ukrainian agencies, collaborated on the case.
- Tymoshchuk faces multiple charges, including conspiracy to commit computer fraud and intentional damage to protected computers. The US Department of State is offering a reward of up to $11 million for information leading to his arrest or conviction.
Europe
European Commission Proposes Adequacy for EU-Brazil Data Transfers
- The European Commission drafted a decision to recognize Brazil’s data protection framework as “essentially equivalent” to that of the EU.
- The decision is supported by several key findings – Brazil’s constitution and the General Data Protection Law enshrine data protection as a fundamental right, mirroring many GDPR principles. ANPD, Brazil’s supervisory authority, is highlighted for its independence and strong enforcement powers. Moreover, individuals have strong data rights.
- The ANPD is also reviewing the EU’s data protection framework to establish a reciprocal adequacy decision, creating a two-way flow of data.
- If adopted, the decision will allow personal data to be transferred from the EU to Brazil without requiring additional safeguards and make Brazil the 17th jurisdiction to receive an adequacy decision.
France’s Data Protection Regulator Has Issued a €325 Million Fine to Google
- The fine addresses two main issues – Unconsented Ads in Gmail and Improper Cookie Placement. Additionally, Google was found to have influenced users to choose the personalized, more data-intrusive ad option over a generic one.
- The illicit cookie placement impacted about 74 million people in France, and around 53 million had received the Gmail ads.
- The fine is accompanied by an order for Google to stop placing ads between emails in Gmail and to become compliant with cookie placement rules within six months, or face additional fines of €100,000 per day.
- CNIL, France’s data protection watchdog, also fined Shein’s Irish subsidiary for placing cookies on users’ devices before they could even interact with the cookie consent banner.
International
Estonian Company Faces Fine for Data Protection Failures
- Estonia’s Data Protection Inspectorate (DPI) has fined Allium UPI 3 million euros based on its failure to properly secure information collected in its Apotheka loyalty program as required by the GDPR, leading to a data breach in 2024.
- The company’s reckless attitude towards its customers’ data put the privacy of more than 750,000 people, including children and other vulnerable groups, at risk.
- Allium’s security deficiencies included a lack of multifactor authentication, multiple users sharing a single administrator account with the same password, inadequate activity log monitoring, and insecure storage of database backups. The company also had poorly defined roles and responsibilities for personnel handling data protection.
- The company was fined based on the scope and sensitivity of the breach, the number of affected individuals, and its annual turnover. Allium has 15 days to appeal the decision.



