Privacy>Weekly : Newsletter 2.0!
Hello there,
Welcome to Privacy>Weekly! You’ve joined a growing community of professionals, students, and curious minds who read our Privacy Updates twice a month. (We promise we are working on making this a weekly edition!)
Here’s what to expect:
Privacy>Weekly : Newsletter 02 covers key privacy news and developments from May 1st to May 15th, 2025: data privacy and cybersecurity incidents, including the signing of the "Take It Down Act" against deepfakes, a major cyber-attack on Marks & Spencer, and numerous data breaches affecting schools, hospitals, and other organizations, along with the related fines and investigations. It also features job postings and a privacy glossary.
News Flash!
Trump Signs 'Take It Down Act' to Curb AI Deepfakes and Online Exploitation (Link here)
President Donald Trump, joined by First Lady Melania Trump, has signed the Take It Down Act into law, targeting the non-consensual distribution of intimate images, including AI-generated deepfakes. The law criminalizes the publication or threat to publish such images without consent and mandates platforms to remove offending content within 48 hours. Backed by bipartisan support, the legislation marks a rare federal step into regulating online content. While hailed by supporters as a win for privacy and child safety, digital rights advocates warn of potential overreach, censorship, and due process concerns.
M&S Cyber-Attack to Cost £300M, Online Disruptions to Continue Until July (Link here)
Marks & Spencer has confirmed that online services will remain partially down until July following a sophisticated cyber-attack over Easter weekend, with profits expected to take a £300 million hit. The attack, traced to the hacking group "Scattered Spider," disrupted online orders and click-and-collect services. CEO Stuart Machin said the retailer took proactive steps, taking its website offline to protect customer data and invoking a continuity plan.
London Council Reprimanded After Data Breach Exposes 6,500+ Personal Records (Link here)
The London Borough of Hammersmith and Fulham has been formally reprimanded by the ICO after leaving sensitive data on 6,528 individuals—2,342 of them children—publicly accessible for nearly two years. The breach occurred in 2021 when a Freedom of Information response published via WhatDoTheyKnow.com included an Excel file with 35 hidden workbooks containing personal details. Among the exposed were looked-after children, including unaccompanied asylum seekers. While the ICO noted no evidence of misuse, it criticized the council’s internal controls and urged better staff training and sign-off protocols. The case underscores the critical need for public bodies to handle FOI disclosures with greater care.
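The Hammersmith and Fulham case turned on something a release reviewer never sees in the spreadsheet window: sheets whose visibility state is hidden. The script below is an added illustration for this newsletter, not anything the ICO or the council published. It treats an .xlsx file as what it is, a zip archive, and reads the sheet visibility flags straight from xl/workbook.xml, so it needs no spreadsheet library. The sample workbook it builds is a constructed minimal archive (only the workbook part, no cell data), and the sheet names in it are made up for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# The SpreadsheetML namespace used by xl/workbook.xml in every .xlsx file.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def hidden_sheets(xlsx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (sheet name, state) for every sheet that is not visible.

    Excel records visibility as a `state` attribute on each <sheet> element:
    absent means visible; "hidden" can be unhidden from the UI; "veryHidden"
    can only be unhidden via VBA or the file itself, so it is the one a reviewer
    is least likely to notice.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    found = []
    for sheet in root.iterfind("m:sheets/m:sheet", NS):
        state = sheet.get("state", "visible")
        if state != "visible":
            found.append((sheet.get("name"), state))
    return found


def release_check(xlsx_bytes: bytes) -> Tuple[bool, str]:
    """Pre-publication gate: block the file if any sheet is hidden.

    Returns (ok, message). A hidden sheet is not proof of personal data, but it
    is exactly the thing a sign-off step should force a human to look at.
    """
    hidden = hidden_sheets(xlsx_bytes)
    if not hidden:
        return True, "no hidden sheets; proceed with normal content review"
    listing = ", ".join(f"{name} ({state})" for name, state in hidden)
    return False, f"BLOCK release: hidden sheets present: {listing}"


def build_sample_workbook(sheets: List[Tuple[str, str]]) -> bytes:
    """Construct a minimal .xlsx-style archive containing only xl/workbook.xml.

    This is a test fixture for the checker, not a full spreadsheet: real files
    also carry content types, relationships and worksheet parts.
    """
    entries = "".join(
        f'<sheet name="{name}" sheetId="{i}" r:id="rId{i}"'
        + (f' state="{state}"' if state != "visible" else "")
        + "/>"
        for i, (name, state) in enumerate(sheets, start=1)
    )
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{entries}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed fixture: one visible summary tab plus two hidden tabs.
    sample = build_sample_workbook(
        [("Summary", "visible"), ("Raw responses", "hidden"), ("Case notes", "veryHidden")]
    )
    ok, message = release_check(sample)
    print(message)
```

Run against a real file by replacing the fixture with `open("response.xlsx", "rb").read()`. The check is deliberately blunt: it does not try to judge whether hidden content is sensitive, it just refuses to let a hidden sheet pass silently, which is the control the ICO found missing.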
UK Post Office to Pay Hundreds After Data Breach of Horizon Scandal Victims (Link here)
The Post Office has agreed to compensate hundreds of former sub-postmasters after inadvertently publishing their names and addresses online; many of them were already victims of the Horizon IT scandal. Payouts of £5,000 or £3,500 will be made depending on whether the individual lived at the leaked address, with higher sums possible in “special cases.”
The breach, disclosed in June 2024, affected 555 individuals and triggered an ICO investigation. Freeths, the law firm representing most of the affected, confirmed 348 clients have already received interim payments.
41 Alberta Schools Under Investigation Over PowerSchool Data Breach (Link here)
Alberta’s Information and Privacy Commissioner (OIPC) has launched 41 investigations into schools affected by the December 2024 PowerSchool data breach, which compromised the personal information of students across North America. The breach exposed sensitive data—including names, birthdates, contact details, medical and guardian information—prompting extortion attempts against at least 31 Alberta schools. The U.S.-based PowerSchool system, widely used in Canada and the U.S., notified Alberta officials earlier this month of threat actors leveraging stolen data for ransom demands. The OIPC investigations will determine if the affected institutions met their privacy obligations. Albertans are urged to remain cautious of phishing scams and unsolicited messages that may exploit breached information.
Italy Fines Replika AI Developer €5 Million for Data Privacy Violations (Link here)
Italy’s data protection authority has fined Luka Inc., the U.S.-based developer of the Replika AI chatbot, €5 million (approx. $5.64 million) for serious violations of European Union data protection laws. Replika, launched in 2017, offers users AI-powered “virtual friends” to support emotional well-being. However, the Italian watchdog Garante found that the app lacked a legal basis for processing users' personal data and failed to implement age verification, exposing minors to potential risk. These breaches led to the suspension of Replika’s operations in Italy in February 2023.
Garante has also opened a separate investigation into the legality of Replika’s AI model training methods under EU data privacy standards, reflecting growing scrutiny over generative AI platforms. Replika has yet to respond publicly to the fine or the ongoing investigations.
Dior Faces Fine in Korea for Failing to Report Data Breach to Authorities (Link here)
Dior has come under scrutiny in Korea for not properly reporting a data breach that exposed Korean customers' personal information. Although Dior notified the Personal Information Protection Commission (PIPC), it failed to report the incident to the Korea Internet & Security Agency (KISA), as required by law. The breach, discovered on May 7, involved customer contact details and purchase preferences but no financial data. Although the breach occurred at Dior’s global headquarters, Korean law mandates notification when domestic users are affected. KISA has contacted Dior Korea about the oversight, and Dior may face fines up to 30 million won ($21,180) if formal charges are filed.
Privacy Glossary:
Sensitive personal data or information: Sensitive personal data or information of a person means such personal information which consists of information relating to: (i) password; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to a body corporate for providing service; and (viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.
Privacy jobs this month:
Location: Bengaluru, India
Job Function: Data Privacy, Data Governance and Data Ethics, Compliance
Location: Bengaluru, India
Line of Service: Legal
Years of Experience Required: 8 years
Location: Bengaluru, India
Line of Service: Privacy Compliance
Help us Grow
We know how valuable your time and attention are, and it means a lot that you spend a few minutes each day staying informed with us.
Now we’re asking for your help: How do we get more Privacy Professionals to do the same? How do we get this newsletter in front of hundreds every month? We’d love to hear your ideas.
Thanks for reading—see you soon!
Curation team: Kaustubh Shakkarwar, Gauri Gupta and others!