A Comparative Study of Data Privacy Laws: PDPB, GDPR & CCPA
In May 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect. A month later, the Governor of California signed the California Consumer Privacy Act (CCPA) into law. With reports that the draft Personal Data Protection Bill, 2019 is likely to be tabled before the Indian parliament in the budget session early next year, we decided to do a comparative study of the three data privacy laws.
- While the three laws in question broadly cover the same surface area, no one law is consistently more unyielding or permissive as compared to the others—positions vary with specific provisions—for example, the PDPB allows more latitude than GDPR when it comes to the collection of personal data but completely tightens the noose on data localisation requirements.
- Notwithstanding the significant degree of convergence between the three data privacy laws at a high-level, compliance with one law does little to prepare a multinational corporate entity for compliance with the other laws.
- There is a case to be made for enhanced interoperability and harmonisation between data protections regimes—and greater cooperation between regulators—to help lower barriers to international data transfers, simplify compliance and protect individuals’ rights.
- PDPB has the most comprehensive data categorisation of its peers—(a) personal data - that can be collected and processed both manually and automatedly, (b) sensitive personal data - that has an elastic definition and must be stored in India but can be transferred outside India for processing with the permission of authorities, (c) critical personal data - a class of data recognised only by PDPB that must be stored and processed in India and may be transferred outside India only in the most exceptional circumstances, and (d) non-personal data - that can be accessed by the government for “evidence-based policymaking”.
- Data protection requirements, by their nature, impose compliance burdens on regulated entities—registering with data protection authorities, creating privacy-by-design policies, conducting data protection impact assessments, appointing data protection officers, adhering to security safeguards and breach protocols, and implementing grievance redressal mechanisms.
It might seem unfair to compare the compliance burden between regimes, untethered from context, but there are clear variations between them as shown in Table 5.
- Government and public authorities play a key role in the implementation of data protection laws. For instance, GDPR puts national data protection authorities (DPAs) and the EDPB in charge of issuing non-binding guidelines while leaving limited areas of GDPR to national law. PDPB relies heavily on the discretion and sustained involvement of the central government (twenty direct references in the bill) and DPA (twenty-four direct references in the bill) to form policy, impose additional requirements, and offer exemptions.
- When the Privacy Bench of the Supreme Court of India declared privacy as a fundamental right, it also prescribed a three-fold test for subjecting privacy to reasonable restrictions—legal authorisation, legitimate objective, and proportionality to the stated objective.
The GDPR enumerates the specific grounds when necessary and proportionate measures may be undertaken to restrict the rights of individuals.
However, the PDPB grants a blanket exemption to agencies of the central government. Whether in service of national security or in support of the investigation of a legal offence, agencies walk the tightrope when balancing surveillance and data protection.
- Other than surveillance, personal data might also be processed without consent to meet court orders, medical emergencies and in the employment context. The penalties associated with non-compliance are prohibitive across the board—PDPB seeks to impose criminal liability upon a wilful breach with administrative fines going up to USD 2 mn or 4% of a group of companies’ annual global revenue. Though GDPR does not stipulate direct criminal liability but it can impose administrative fines to the tune of 20 mn euros or 4% of a group of undertakings’ annual global revenue.
References and Additional Reading
- The Personal Data Protection Bill, 2019
- The General Data Protection Regulation
- The California Consumer Privacy Act
- IAPP: Indian Personal Data Protection Bill, 2019 vs GDPR
- IAPP: CCPA and GDPR Comparison Chart
- CIS: Divergence Between the GDPR and Personal Data Protection Bill, 2019
- Ikigai Law: Comparative Analysis: GDPR and Personal Data Protection Bill, 2019
- UNCTAD: Data Protection Regulations and International Data Flows: Implications for Trade and Development
- Mondaq: Justice K.S Puttaswamy (Retd.) v. Union of India and Others
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)