INTRODUCTION
Rapid developments in personal data protection and data privacy are taking place all over the world. Not only in the United States, but also in regions like the European Union (hereinafter referred to as “EU”), comprehensive and rigid data protection legislations are being enacted.
Several large scale data breach and misuse of personal data have caused injury to millions of people in recent times. Such incidents has shed some light on the dire need of regulating data protection and data privacy.
The want of transparency was also felt when data was shared and sold to third parties, often without the consent or knowledge and awareness of the user. The frequent occurrence of such events prompted legislators and law-makers all over the world to come up with enhanced data protection laws with emphasis on privacy, consent, transparency and security.
LAWS GOVERNING DATA PRIVACY WORLDWIDE
There are several laws which govern the privacy regulations in different jurisdictions worldwide. While most nations legislate and execute their own regional or national data privacy and data protection laws, a few of them have been widely recognised over time as model benchmark laws on which other individual States might rely to lay the foundation of their own national laws.
These landmark laws contain the basic and elementary provisions fundamental to any privacy regulation that would render it effective and impactful. The following are the three laws that are widely referred to when it comes to data privacy laws worldwide:
- General Data Protection Regulation (hereinafter referred to as “GDPR”)
- California Consumer Protection Act (hereinafter referred to as “CCPA”)
- Lei Geral de Proteção de Dados, also commonly known as General Personal Data Protection Law (hereinafter referred to as “LGPD”)
In this article, we will discuss briefly the characteristics of each of these laws and their regulatory key features along with a comparison of their similarities and differences.
AN OVERVIEW OF THE GLOBAL DATA PRIVACY LAWS
A. Chief Elements of Data Privacy
Data privacy is based on certain principles that are drafted into the privacy laws to achieve desirable outcomes. The international laws governing privacy usually incorporate the following principles:
- Notice- Issuing advisory to visitors, readers and users of the policies to protect their personal and private information in public spaces.
- Free Will- The users must be provided the choice and the consent with regard to collection, storage, use and management of their personal information.
- Restrictions on access- The access and use of information by the authorized persons has to be ensured by putting in place appropriate security protocols.
- Security- Proper precautions and security measures must be taken to rule out the possibility of any unauthorized access to the data.
- Enforcement- Compliance of the service, site, application etc. with the law and regulations must be ensured in order to attain desired results.
B. Primary Laws regulating Data Privacy around the Globe
- General Data Protection Regulation (GDPR)
In 2018, the introduction of GDPR was seen as the most advanced step in the process of making laws on data protection and privacy. It is such a data privacy regulation which affects every institution that possesses the personal data of EU citizens, including biometric data.
The objective was to provide the citizens of the EU with an increased level of control regarding their personal data. This objective would be achieved through a stringent regulatory framework to ensure that Personal Identifiable Information (hereinafter referred to as “PII”) is not only gathered under strict legal conditions but also a strong fool-proof system for its protection by the data controllers (those who collect and manage data) is in place.
Additionally, data privacy has been recognized as a fundamental right. The right of an individual to collect, access, port or delete data about himself has been recognized. The individual also has the right to object to the use of his data.
- California Consumer Privacy Act (CCPA)
The United States lacks a singular federal law for the protection of data privacy. Several states have enacted and amended their own laws for regulation and protection of data in their own jurisdiction. The CCPA is the most advanced state law in recent times addressing the protection of online data.
This law applies exclusively to consumers which fulfil the criteria of being a natural person and a California resident. The elements which constitute the definition of a “California Resident” is at the moment still developing, partly by lawsuits, and there are several complexities which need to be addressed in that regard, for instance, whether part-time college students would be covered under the Act.
However, this does not imply that the Act is essentially restricted to the transactions being conducted within the geographical boundaries of the state of California, in the sense that whether or not a Company has headquarters or an office in California is irrelevant as long as the Company is conducting business which involves the residents of California.
The following rights are provided to the consumers by the CCPA-
- The right to have the knowledge about what personal information a business collects from them and how it is being used or shared.
- The right to know whether and to whom their personal information is being sold and/or disclosed.
- The right to delete the personal information that has been collected from them.
- The right to have the option to refuse the selling of their personal information.
- The right against discrimination for exercising their CCPA rights.
- The Companies must also give notices to the consumers explaining their privacy policies. The CCPA is applicable to several kinds of businesses.
“Businesses” has been defined under CCPA as entities that are private and for-profit and meet the following requisites:
- Collect “personal information”
- Determines the means by which it processes that personal information
- Does business in California
It must also have a certain annual gross revenue in order to fall under the “Business” as defined by CCPA .
In other words, this enactment bestows on California residents the right to access every information that a Company has on them and allows them to have a full list of all third parties that possess such information.
- Lei Geral de Proteção de Dados (LGPD)
Brazil’s LGPD was structured directly after the GDPR and is almost identical with regard to scope and applicability. However, the imposition of financial penalties for non-compliance are less harsh compared to the GDPR.
C. Similarities and Difference- GDPR and CCPA
While the core differences in the GDPR and CCPA can be seen from the basic foundation and characteristics of the Legislation as explained above, there are significant differences in the penalties and standards imposed by both the enactments. A few of them are mentioned as follows:
Civil Penalties and Consumer Damages: In GDPR, the maximum is set at 20 million Euros or 4% of global annual revenues. However, no limitation has been specified with respect to damages to impacted customers. In CCPA, the Civil penalties can be imposed to the extend of $7,500 per violation, with no maximum. Imposes a minimum of $100 and a maximum of $750 per impacted consumer per incident.
However, both regulations make significant damages a real possibility.
Organizational Data Privacy Standards: The GDPR makes it a requirement to appoint Data Protection Officer in specific situations, consider data privacy when a new initiative is being undertaken (Data Protection by Design), perform risk assessments of their systems used in data processing and to document the legal basis on which data is processed. This provision is not applicable to the CCPA.
Incident Response: The GDPR lays down another requirement which is not provided in the CCPA, namely, that the organization has to notify breach in personal data to the Data Protection Authorities (hereinafter referred to as “DPA”) and in some case, even have to communicate the same to the people affected by the breach.
Transparency: The GDPR enumerates provisions regarding notification to the data subjects pertaining to the personal data and the elements collected, the uses of such data and purpose of collection, retention period of the data, parties with whom the data is shared, and their rights.
The CCPA also has a requirement to notify regarding the resident-related data to be collected and with an emphasis on the purchase or sale of personal data.
AMLEGALS REMARKS
While the enforcement of these comprehensive data privacy laws will certainly be a leap in the progress and development of data protection around the world, there is a need to regularly review and amend such laws in order to achieve their objectives.
Policies and procedure, processes, systems and controls must be updated to ensure compliance and monitoring in order to prevent any circumvention of the current laws. Current and new employee curriculums must be updated and created in order to train employees regarding the new data processing systems with a pre-determined timeline for execution.
Additionally, training sessions must be conducted to inform employees regarding regulatory compliance efforts. The laws will only be permanently effective in the long-term when they are molded to suit the regulation of new innovations.
– Team AMLEGALS assisted by Mr. Subham Bhowal (Intern)
For any queries or feedback, please feel free to get in touch with chaitali.sadayet@amlegals.com or mridusha.guha@amlegals.com.
Leave a Reply