Browsing: Penalties

In one of the most significant recent enforcement actions in the cybersecurity and data protection space, Uber Technologies Inc. was fined €290 million (approximately $324 million) in August 2024 by the Dutch Data Protection Authority (DPA). The penalty highlights serious concerns around international data transfers, user privacy, and regulatory compliance under the General Data Protection Regulation (GDPR).
What Happened?
The case revolves around Uber’s handling of personal data belonging to European drivers. According to the Dutch DPA, Uber transferred sensitive personal information of drivers from the European Union (EU) to the United States without implementing adequate safeguards required under GDPR.…

India’s market regulator, Securities and Exchange Board of India (SEBI), has imposed a monetary penalty of ₹10 lakh on Anand Rathi Share and Stock Brokers Ltd. after identifying cybersecurity-related compliance deficiencies during an inspection of the brokerage firm. The regulatory action follows a review conducted by SEBI to assess whether the company was complying with the cybersecurity and cyber resilience framework that applies to market intermediaries operating in India’s securities market. These rules require brokers and financial institutions to maintain strong IT security controls, monitor their systems for potential threats, and ensure proper reporting of cybersecurity incidents. During the inspection…

The California Privacy Protection Agency has fined the digital ticketing platform GoFan $1.1 million for violating state privacy laws after the service collected and sold personal data from high school students using the platform to attend school events. GoFan, operated by PlayOn Sports, is widely used by schools to sell digital tickets for events such as football games, theater performances, and school prom. Students and parents typically use the platform to purchase and display digital tickets for entry to these events.
Privacy Violations
According to regulators, GoFan required users to accept certain conditions before they could complete their ticket purchases.…

UK Privacy Regulator Imposes £14.47 Million Fine on Reddit
The United Kingdom’s data protection regulator has fined social media platform Reddit £14.47 million ($19.6 million) after finding that the company failed to adequately protect children’s personal data and did not implement sufficient age-verification safeguards. The penalty was issued by the Information Commissioner’s Office (ICO) following an investigation into how the platform processed personal data belonging to underage users.
Investigation Reveals Weak Age-Verification Controls
According to the regulator, Reddit did not deploy strong mechanisms to determine whether users accessing its platform were minors. As a result, children were able to access…

India’s Digital Personal Data Protection Act (DPDP Act), 2023 has introduced one of the strictest penalty frameworks for data breaches in the country’s legal history. For companies handling personal data, a breach is no longer just a technical failure—it is now a serious financial and legal risk. This article explains exactly how much fine a company can face, when penalties apply, and how regulators decide the amount.
Maximum Penalty Under the DPDP Act
Under the DPDP Act, companies (referred to as Data Fiduciaries) can face penalties of up to:
₹250 crore for a single instance of non-compliance
This is not…

Two former cybersecurity professionals in the United States have pleaded guilty in a federal court to conspiring with a ransomware group involved in cyber extortion attacks against American companies. The individuals admitted to participating in activities that helped deploy ransomware, encrypt victim networks, and demand ransom payments from targeted organizations. As part of the criminal case, both individuals now face potential prison sentences of up to 20 years each under U.S. federal law. Sentencing is scheduled to take place in 2026. The case is being treated as a significant enforcement action against individuals involved in cybercrime, particularly due to the…

India has notified the Digital Personal Data Protection Rules, 2025, bringing into force the enforcement and penalty framework under the Digital Personal Data Protection Act, 2023. The Rules empower the Data Protection Board of India to examine violations of the Act and impose financial penalties on entities that fail to comply with legal obligations related to personal data protection. Serious violations — including failure to implement required security safeguards, failure to report data breaches, or violation of core compliance requirements — can attract penalties of up to ₹250 crore. Other categories of non-compliance, such as procedural failures related to consent,…
