Navigating Global Privacy Regulations: A comparative analysis of GDPR, CCPA, and India’s IT framework


April 15, 2023

INTRODUCTION

In the present digital age, protecting personal data has become an increasingly important issue for individuals and corporations across the globe. Personal and corporate information is traded as a commodity, leaving little room for privacy. Governments around the world have therefore enacted comprehensive privacy laws to safeguard individuals’ rights and prevent the misuse of personal information. The European Union’s General Data Protection Regulation, 2016 (“GDPR”) [1], the California Consumer Privacy Act, 2018 (“CCPA”) [2], and India’s Information Technology Act, 2000 (“IT Act”) [3], together with the rules made under it, are three of the most prominent privacy regimes in the world.

In this article, we will analyse these laws and explore their similarities and differences. Through this analysis, we hope to provide a deeper understanding of the importance of privacy laws and their impact on our digital lives.

1. SCOPE OF REGULATION

Scope provisions determine which organisations a privacy law reaches, and they have grown in importance as new laws are enacted to address data breaches and privacy violations. The CCPA was the primary legislation governing consumer privacy for residents of California until it was amended in 2020 by the California Privacy Rights Act (“CPRA”) [4], which addressed shortcomings in the CCPA and further strengthened the privacy rights of California residents. As amended, the law applies to any for-profit business that (i) has annual gross revenue of at least $25,000,000; or (ii) buys, sells, or shares the personal information of 100,000 or more consumers or households; or (iii) derives at least half of its annual revenue from selling or sharing consumers’ personal information [5].

Similarly, the GDPR, adopted in 2016, became applicable across the European Union (“EU”) on 25 May 2018. It applies to both:

  • “controllers”, which the GDPR defines as the persons or bodies that determine the purposes and means of processing personal data [6]; and
  • “processors”, which the GDPR defines as the persons or bodies that process personal data on behalf of the controller [7].

In other words, a controller is the one who decides what data will be collected, why it will be collected, and how it will be used. For example, if you provide your personal data to a company to purchase a product, the company is the controller of that data: it decides what personal data it needs to collect from you, why it needs that data (for example, to process your payment and deliver the product), and how it will use the data (for example, to send you marketing material).

One of the major highlights of the GDPR is that it applies not only to entities established in the EU but also to those outside the EU that process the data of individuals in the EU in order to offer goods or services to them or to monitor their behaviour within the EU. In India, by contrast, the IT Act and the rules made under it govern the collection, receipt, possession, storage, processing, or dealing with sensitive personal data or information by body corporates in India or by anyone acting on their behalf.

Finally, the protection of the CCPA extends only to consumers who are natural persons resident in California, whereas the GDPR protects data subjects, who are natural persons, without any residency or citizenship condition.

2. KEY DEFINITIONS

Personal Information: The definitions of ‘personal information’ under the three regimes differ only slightly. The CCPA definition covers information relating to households [8] as well as any information that relates to an identified or identifiable individual. The GDPR illustrates identifiability with examples such as a name, an identification number [9], location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 [10] (‘SPDI Rules’) adopt a broad definition of ‘personal information’ that covers any information which, directly or indirectly, in combination with other information available to the body corporate, is capable of identifying a person [11]. The CCPA does not apply to aggregate or deidentified consumer information, that is, information about a group or category of consumers or information that cannot reasonably be linked to an individual, nor to publicly available information. The GDPR, by contrast, does not exclude publicly available personal data from its protection; it excludes only anonymised data, which can no longer be linked to an identifiable person.

As reliance on personally identifiable information has grown with the global market, these inclusive definitions have become a de facto industry standard and a reference point for privacy regulators when amending existing laws or drafting new ones.

Sensitive Information: The GDPR and the SPDI Rules treat ‘sensitive information’ in a very similar manner, classifying it as “special categories of personal data” and “sensitive personal data or information” respectively. The CCPA as originally enacted did not define or categorise sensitive data; the CPRA amendments introduced a category of “sensitive personal information” that includes government-issued identifiers such as social security, driver’s licence and passport numbers, which the GDPR does not list among its special categories. The GDPR includes trade union membership as a special category of personal data, which neither of the other two regimes does. The SPDI Rules under the IT Act specifically list a person’s password [12] as sensitive personal data or information, which neither the CCPA nor the GDPR does. The main difference between personal and sensitive information is that personal information is any information that can be used to identify an individual, while sensitive information is a specific subset of personal data that requires extra protection because of its nature and its potential to cause harm or discrimination to the person it relates to.

Parties: The organisations responsible for fulfilling obligations such as lawful processing, transparency, data subject rights, data protection impact assessments, data breach notification, and data protection by design and by default are called “controllers” under the GDPR, which corresponds to “businesses” under the CCPA and “body corporates” under the IT Act. A body acting on behalf of such an organisation is a “processor” under the GDPR, which sets out more detailed obligations for processors than the CCPA does for “service providers”. A requirement common to all three regimes is a written contract between the two parties before any personal information is disclosed. Such a contract has the distinct benefit of delineating the obligations and liabilities of the two parties, and it also tells data subjects how their data will be handled by the organisations involved.

3. CONSENT

Organisations collect, store, process, and transmit the personal information of individuals only after obtaining due permission through an assent mechanism known as consent. In a technologically developed world, this mechanism is one of the primary protections individuals have against the misuse of their data. Under the privacy regulations discussed here, the purpose for which consent is sought must be tied to the business activity the organisation actually carries out, and must be reasonably necessary and limited. The manner of taking consent follows standard rules and procedures. First, organisations must provide a clear and conspicuous request or notice informing individuals of the categories of personal information collected and the purposes of collection and use. Then it is for the individual to communicate his or her agreement to the processing of personal data relating to him or her, through a statement or by clear affirmative action. It should be noted that consent is only one of several lawful bases for processing under the GDPR, and that the CCPA relies mainly on notice and opt-out rights rather than on prior consent; the SPDI Rules, by contrast, require consent from the provider of the information before sensitive personal data or information is collected.

4. DATA SUBJECT RIGHTS

A data subject’s privacy rights are essential to protecting their personal information from unauthorised access, use, and disclosure. Privacy rights ensure that individuals have control over their personal data and can make informed decisions about how their data is collected, processed, and shared.

The privacy legislations mentioned in this article provide certain similar rights which are as follows:

  • Right to Information: The right to know or to be informed gives a data subject key information about the personal data he or she has shared with a controller. The controller must provide this information in a clear and easily understandable format, such as a privacy notice or data protection statement;
  • Right to Deletion: The right to deletion or erasure allows data subjects to have their personal data erased in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected;
  • Right to Withdraw: The right to opt out and withdraw consent allows data subjects to take control over the processing of their personal data and withdraw their consent to that processing at any time;
  • Consent Rights: The right to opt in is the right of data subjects to give explicit consent to a particular type of processing of their personal data; and
  • Right to Correction: The right to correction or rectification allows data subjects to request that inaccurate or incomplete information be corrected.

Apart from the aforementioned rights, there are certain additional rights expressly provided by a particular jurisdiction. CCPA provides the following additional rights:

  • Right to non-discriminatory treatment: individuals cannot be discriminated against for exercising their privacy rights; and
  • Right to limit use and disclosure: individuals may limit the use and disclosure of their sensitive personal information.

Similarly, the GDPR provides the right of access, the right to data portability, the right to object, the right not to be subject to automated individual decision-making, including profiling, and the right to restriction of processing. As remedial measures, the GDPR also provides the right to lodge a complaint with a supervisory authority and the right to an effective judicial remedy against a supervisory authority, a controller or a processor, and it recognises a right to compensation and the corresponding liability.

5. PRIVACY POLICY

A privacy policy is an important document for every organisation in any industry because it informs individuals how their personal data will be collected, used, and protected. It helps to establish trust and transparency between the organisation and its users or customers. A privacy policy should be drafted in clear and plain language and presented in a concise, transparent, intelligible, and easily accessible form.

Under the GDPR and the SPDI Rules, a controller or body corporate shall include the following information in its privacy policy:

  • type of information collected;
  • the purpose of collection and usage of such information;
  • policy on disclosure and third parties; and
  • reasonable security practices and procedures applied.

The CCPA has an exhaustive list of disclosures that businesses must make in their privacy policy. This list includes:

  • A description of consumers’ rights under the CCPA and two or more designated methods for submitting requests;
  • A list of the categories of personal information the business has collected about consumers in the preceding 12 months, by reference to the enumerated statutory categories that most closely describe the personal information collected;
  • The categories of sources from which consumers’ personal information is collected;
  • The business or commercial purpose for collecting, selling, or sharing consumers’ personal information; and
  • The categories of third parties to whom the business discloses consumers’ personal information.

6. LEGAL ENFORCEMENT

Authority

Supervisory authorities play a crucial role in enforcing privacy laws and ensuring compliance. They provide guidance, investigate complaints, and can impose penalties for violations, thereby promoting accountability and trust in the data processing activities of organisations. Accordingly, the Attorney General (“AG”) and, since the CPRA, the California Privacy Protection Agency under the CCPA, the national data protection authorities (“DPAs”, termed supervisory authorities) under the GDPR, and the Adjudicating Officer (“AO”) under the IT Act and SPDI Rules have been given distinct enforcement and regulatory powers. The GDPR gives supervisory authorities investigative and corrective powers over infringements generally, and requires that they act with complete independence; the CCPA gives its enforcers broad powers, including the power to adopt regulations implementing the CCPA and to open investigations into non-compliance by businesses.

Penalties of non-compliance

In the case of the GDPR, any person who has suffered damage as a result of an infringement may seek judicial relief and claim compensation for both material and non-material damage. Administrative fines are imposed by the DPA according to the provision infringed and may be up to either: (i) €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher; or (ii) €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, depending on the category of infringement.

In the case of the CCPA, civil penalties may be up to (i) $2,500 for each violation, or (ii) $7,500 for each intentional violation; because there is no overall cap, penalties accumulate with the number of violations. Under the IT Act, on the other hand, criminal liability for disclosure of personal information requires that the disclosure was made with the intention of causing, or knowing that it is likely to cause, wrongful loss or wrongful gain, and without the consent of the person concerned or in breach of a lawful contract; the offender is punishable with imprisonment of up to three years, or a fine of up to five lakh rupees (₹500,000), or both. Separately, a body corporate handling sensitive personal data or information that is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain, is liable to pay compensation to the person affected; it is this civil liability that the SPDI Rules give content to.

CONCLUSION

Navigating global privacy regulations can be a challenging task for organisations. With the introduction of the GDPR, the CCPA, and the IT Act and the rules made under it, businesses are required to comply with stringent regulations aimed at protecting individuals’ data. While the laws share many commonalities, there are also significant differences that companies must be aware of when conducting business across borders. Organisations must take a proactive approach to ensure they comply with the relevant regulations, protect individuals’ privacy rights, and avoid legal and financial consequences. As privacy regulations continue to evolve, companies need to stay informed of the latest developments to maintain compliance and build consumer trust.

END-NOTES

  1. General Data Protection Regulation, 2016 O.J. (L 119/1) (EU).
  2. Cal. Civ. Code §§ 1798.100–1798.199 (West 2021)
  3. Information Technology Act, 2000, No.21, Acts of Parliament, 2000 (India)
  4. California Privacy Rights Act of 2020, Proposition 24 (Cal. 2020)
  5. California Civil Code Section 1798.140 (3)
  6. General Data Protection Regulation, art. 4(7), 2016 O.J. (L 119/1) (EU)
  7. General Data Protection Regulation, art. 28, 2016 O.J. (L 119/1) (EU)
  8. California Civil Code , Section 1798.140(b)
  9. General Data Protection Regulation, art. 4(1), 2016 O.J. (L 119/1) (EU)
  10. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, G.S.R. 313(E) (Apr. 11, 2011), India Code, (MEITY)
  11. SPDI Rules 2011, Rule 2(i) (India)
  12. SPDI Rules 2011, Rule 3 (India)

Author: Akarsh Deep, Associate. (assisted by Mahek Agarwal)

Disclaimer: The content of this article is intended to provide a general guide to the subject matter and that the same shall not be treated as legal advice. For any queries, the author can be reached at info@samistilegal.in
