The Delhi government recently told the High Court that one major reason behind its 2017 decision is to save and secure students from sexual abuse and bullying in view of a plea filed by Delhi Parents Association and Government School Teachers Association on installing [CCTV]( cameras inside classrooms in all state-run schools.

**Key points** - New legislation (called the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (the New Australian Privacy Laws) was introduced into the Australian Federal Parliament on 26 October 2022 and passed both Houses of Parliament two days later. The New Australian Privacy Laws enact significant changes to the Australian Privacy Act 1988 (Cth) (the Act). Partner, Robyn Chatwood and solicitor, Malcolm Liu explain the implications below. - Companies in breach of the Australian Privacy Act now face maximum penalties that are the greater of: - $50 million AUD; - Three (3) times the value of the benefit derived by the company from the breach; or - 30% of the company’s adjusted turnover (if the value of the benefit cannot be derived) - The Office of the Australian Information Commissioner can require a person or company to provide information or documents and answer questions, and has the power to issue infringement notices on those that fail to comply. - So long as foreign entities carry on business within Australia, they will be within the ambit of the Privacy Act - there will be no longer be a threshold for foreign entities to hold or collect personal information within Australia before the Australian Privacy Act applies to their activities.

TSA is now testing the facial recognition tech in some domestic airports in the U.S., such as those in Los Angeles and Washington.\ Despite the criticisms it received, the Transportation Security Administration still wants to use the tech at U.S.-based airports.\  The security agency even confirmed that it wants to expand facial recognition tech across the United States

Elon Musk’s Twitter is offering brands generous incentives to advertise on the social media platform, in a bid to boost business after the billionaire’s approach to content moderation prompted many major marketers to curb spending. In one email sent to advertising agencies, a copy of which was seen by the Financial Times, Twitter said that it was launching its “largest advertiser incentive ever” in December, offering additional impressions if brands spent a certain amount. According to the email, Twitter will match the spending of those who pay at least $500,000 with a cap of $1 million per advertiser. Those spending $350,000 will receive “50 percent value add”—meaning they receive additional impressions worth half of what they spend. A $200,000 investment grants advertisers a “25 percent value add,” or extra impressions worth a quarter of what they spend. Another email sent to a separate agency, also seen by the FT, contained that same offer for US brands, as well as slightly different offers for brands in the UK and the rest of the world, for example.

Ireland's privacy watchdog has asked Twitter to provide information about a data scraping incident that saw the profile details — including emails and phone numbers — of millions of Twitter users leaked online.

There may be some concerns around exempting the public sector from the draft Digital Personal Data Protection Bill, 2022, Ralf Sauer, Deputy Head, DG Justice and Consumer’s Unit for International Data Flows and Protection, European Commission said on Thursday, while outlining some basic commonalities that the Bill has with Europe's General Data Protection Regulation (GDPR). He also said that certain provisions of the Bill need more clarity even as Sauer outlined that an international transfer regime is a necessary element of a data protection law.

White House hacked, Google links spyware, Android app fake accounts
Russian-backed Killnet claimed triple denial-of-service (DDoS) attacks against Elon Musk’s Starlink, the White House, and the Prince of Wales as punishment for their support of Ukraine against the Russian invasion. Killnet claimed it took down Starlink on Nov. 18, when customers complained on Reddit that they couldn’t log in to their accounts. Trustwave researchers found evidence to support the Russian-backed hackers’ claims in collaboration with other groups, including Anonymous Russian, Radis, and Halva. Killnet boasted it was able to run “30 minutes of a test attack” on the White House website on Nov. 17. The Prince of Wales’ site was attacked on Nov. 22, and warned that the NHS healthcare system would be next, with future threats on the London Stock Exchange and the British Army.

Welcome to our November 2022 review of data breaches and cyber attacks. We identified 95 security incidents throughout the month, accounting for 32,051,144 breached records. Almost half of that figure comes from two incidents. The first was a data breach at Twitter, in the latest PR disaster for the social media giant. Reports emerged late last week that user records were stolen using an API vulnerability that has since been fixed. The second was a cyber attack on the Russian scooter-sharing service Whoosh, which was discovered after customers’ data was put up for sale on the dark web. As always, you can find the full list of data breaches and cyber attacks below, divided into their respective categories.

Irish Supervisory Authority announces decision in Facebook “Data Scraping” inquiry
**Origin of the case** The Irish Supervisory Authority, SA commenced this inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. **Key Findings** The scope of inquiry concerned an examination and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms during the period between 25 May 2018 and September 2019. The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default. The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept). **Decision** The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring Meta Platforms to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265 million on Meta Platforms.

European Central Bank officials alleged on Wednesday that bitcoin is “rarely used for legal transactions,” is fuelled by speculation and the recent erosion in its value indicates that it is on the “road to irrelevance,” in a series of stringent criticism (bereft of strong data points) of the cryptocurrency industry as they urged regulators to not lend legitimacy to digital tokens in the name of innovation. The value of bitcoin recently finding stability at around $20,000 was “an artificially induced last gasp before the road to irrelevance – and this was already foreseeable before FTX went bust and sent the bitcoin price to well down below $16,000,” wrote Ulrich Bindseil and Jürgen Schaaf on [ECB’s blog](

- Cybersecurity firm Kaspersky has predicted an increase in metaverse-based criminal activities in 2023 - The firm sees the lack of data protection rules in the virtual world as a major security threat - Kaspersky forecasted the metaverse to be a $50 billion market in the next four years Respected cybersecurity firm Kaspersky has indicated that metaverse-based crimes are likely to increase in 2023 due to inadequate data protection rules in the virtual world. Although the firm acknowledged the low number of metaverse platforms, it said this is bound to change in coming years, giving cybercriminals more places to look for victims. Kaspersky sees in-game items as a target for criminals in the digital world.

The European Data Protection Supervisor (EDPS) and the European Union Agency for Cybersecurity (ENISA) sign a Memorandum of Understanding (MoU) which establishes a strategic cooperation framework between them. Both organisations agree to consider designing, developing and delivering capacity building, awareness-raising activities, as well as cooperating on policy related matters on topics of common interest, and contributing to similar activities organised by other EU institutions, bodies, offices and agencies (EUIBAs).

The French data protection watchdog on Tuesday fined electricity provider Électricité de France €600,000 for violating the European Union General Data Protection Regulation (GDPR) requirements. The Commission nationale de l'informatique et des libertés (CNIL) [said]( the electric utility breached European regulation by storing the passwords for over 25,800 accounts by hashing them using the [MD5 algorithm]( as recently as July 2022.

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products w
On 15 September 2022, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (1) (‘the Proposal’). The EDPS welcomes the Proposal and fully supports its general objective to improve the functioning of the internal market by laying down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.

Right on time for its annual post-Thanksgiving re:Invent festivities in Las Vegas, AWS last night announced its “AWS Digital Sovereignty Pledge” — and before you click away, let me just point out that this is definitely more important than the prosaic name implies. As nations across the globe introduce legislation that governs how and where businesses can keep data on their local users, the large clouds either have to offer attractive solutions or run the risk of having their customers move to local clouds. Microsoft, with Purview, and Google, with Dataplex, also offer data governance tools, but none of them have gone quite as far as AWS in making digital sovereignty a core pillar of their cloud strategy.

The European Drone Strategy 2.0, adopted today by the Commission, sets out a vision for the further development of the European drone market. It builds on the EU's safety framework for operating and setting the technical requirements of drones, which is the world's most advanced. The new Strategy lays out how Europe can pursue large-scale commercial drone operations while offering new opportunities in the sector.

The European Commission has today adopted the [European Drone Strategy 2.0](, which sets out a vision for the further development of the European drone market. It builds on the EU’s safety framework for operating and setting the technical requirements of drones, which is the world’s most advanced. The new Strategy lays out how Europe can pursue large-scale commercial drone operations while offering new opportunities in the sector, according to a Commission press release.

Microsoft is finding itself in an increasingly precarious situation in the European Union (EU), where a working group of German data protection regulators has come to the conclusion that the American company has not been able to resolve any of the compliance issues it raised relating to the cloud-based Microsoft 365 productivity suite. In September, the local Data Protection Authority (DPA) for the Hesse state in central Germany banned the use of Microsoft 365 in its schools due to worries about privacy infringement. The DPA said it collects data from users' software, in a clear violation of the EU's General Data Protection Regulation (GDPR) rules.

The Council adopted legislation for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. The new directive, called ‘NIS2’, will replace the current directive on security of network and information systems (the NIS directive).