Data Privacy Newsletter – Understanding Privacy Laws Across Jurisdictions : May 2024
Introduction
India’s dedicated data privacy legislation, the Digital Personal Data Protection Act, 2023 (DPDPA), marks a significant milestone in the country’s regulatory landscape. Our previous newsletters explored topics such as consent, the rules and the foundational aspects of the DPDPA. In this edition we take a comparative view, examining how the DPDPA lines up against two established global frameworks: the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
The following is a comparative study of the DPDPA, GDPR and CCPA:
S.No. | Key Functions | GDPR | CCPA (as amended by CPRA) | DPDPA |
--- | --- | --- | --- | --- |
1 | Applicability | Applies to all organisations, whether based in the EU or outside it, that process the personal data of EU residents. | Applies to businesses that collect personal information from California residents, regardless of whether the business is based in California. | Applies to organisations that process digital personal data of individuals in India. It also applies to organisations based outside India that process digital personal data in connection with offering goods or services to individuals in India. |
2 | Key terminologies | Basic concepts such as “data processing”, “data controller”/“data fiduciary”, “data processor”/“service provider” and “data subject” are largely consistent between the GDPR and the DPDPA. | Businesses that meet one of the following requirements are required to comply with the CCPA as amended by CPRA: “Sell”, “selling”, “sale” or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing, or by any other means, a consumer’s personal information to a third party for monetary or other valuable consideration. | Significant Data Fiduciary (SDF): an organisation/data fiduciary that processes substantial volumes of personal data or sensitive personal data. Consent manager: an organisation/platform that enables individuals to give, manage, review and withdraw their consent. |
3 | Personal Data | “Personal data” means any information relating to an identified or identifiable natural person (“data subject”), such as a name, an identification number, location data or an online identifier. Special categories of personal data: | “Personal information” under the CCPA is similar to personal data under the GDPR and means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. | Personal data under the DPDPA is similar to that under the GDPR, but the DPDPA does not define any separate category based on the sensitivity of personal data, as the GDPR does. |
4 | Grounds of Processing | | The CCPA as amended by CPRA permits businesses to process personal information when such processing is necessary for a business purpose and is backed by appropriate notices. | |
5 | Data Processing of Children | Parental consent is required for processing the personal data of children under 16 (or a higher age where defined by a member state). | Parental consent is required for processing the personal data of children under 13. | Parental consent is required for processing the personal data of children under 18. Additional restrictions apply where the processing involves targeted advertising, behavioural monitoring or is likely to impact the child’s mental well-being. |
6 | Rights of Data Subject / Data Principal / Consumer | | | |
7 | Compliance Obligations | Organisations (data controllers and data processors) have certain obligations: | The obligations imposed by the CCPA are substantially different from those under the GDPR. | The DPDPA requires organisations to adhere to obligations similar to those under the GDPR, with additional obligations relating to the privacy notice (22 regional languages), the consent mechanism and the grievance redressal mechanism. |
8 | Data Breach | The data controller must notify the relevant supervisory authority, and in certain circumstances the affected individuals, within 72 hours of becoming aware of the breach. | A business is required to notify the Attorney General if a single breach involves the personal information of more than 500 California residents. Notification to the affected California residents is required irrespective of the risk to the individuals. | The data fiduciary is required to notify the affected individuals and the Data Protection Board of India upon becoming aware of the breach. Cyber security incidents must be reported to CERT-In within 6 hours. |
9 | Penalties | There are two tiers of administrative fines, depending on the type of non-compliance: | $2,500 for each violation; $7,500 for each intentional violation, or for violations involving the personal information of consumers under 16 years of age. | Penalties from 50 crores to 250 crores can be levied for non-compliance. However, unlike under the GDPR, penalties are not linked to an organisation’s turnover. |
10 | Cross-border Personal Data Transfers | Legal cross-border data transfer mechanisms: | Similar to the GDPR, the CCPA allows data transfers if the recipient entity is required by law to provide the same level of privacy protection. The CCPA does not specifically address data transfer mechanisms; however, such transfers may be justified on certain legal grounds, such as a business purpose, identifying and repairing errors, or any internal lawful use consistent with the purpose for which the consumer provided the information. | Cross-border personal data transfers are permitted unless government restrictions apply. |
Conclusion
Given the evolving global data privacy landscape, the expansion of businesses across borders, stringent penalties, and rapid technological advancements, mere compliance with local data privacy laws will no longer suffice. Organizations must implement a global data privacy compliance framework to meet these requirements without disrupting their business operations.