A Comparative Analysis of DPDPA, GDPR, and CCPA

Generative AI
CyberRisk
November 24, 2023

Introduction

Over recent years, nations worldwide have introduced personal data protection laws of their own, many drawing on the GDPR and the CCPA. India's Digital Personal Data Protection Act, 2023 (DPDPA) is the latest to join them. In this blog, we compare three major data protection regimes: the DPDPA (India), the GDPR (EU), and the CCPA (California, as amended by the CPRA).

Understanding the Landscape

As businesses operate globally, the roles of the Data Protection Officer (DPO) and the Chief Information Security Officer (CISO) become pivotal: they keep the organisation compliant with data protection requirements, maintain customer trust, and avoid penalties. For a business operating across several jurisdictions, knowing where these regulations agree and where they diverge is essential, because the three regimes compared here have distinct characteristics.

Data Protection Regulations

The comparison below is organised by parameter. Under each parameter, the entries for the DPDPA (India), the GDPR (EU) and the CCPA (California) follow in that order.

Scope

DPDPA (India): Applies to the processing of digital personal data within India, including personal data collected in non-digital form and digitised subsequently, and to processing outside India that is in connection with offering goods or services to data principals in India. It does not apply to personal data processed by an individual for personal or domestic purposes, or to personal data made publicly available by the data principal or by another person under a legal obligation to do so.

GDPR (EU): Applies to controllers and processors established in the EU (and the wider EEA), regardless of where the processing takes place, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU.

CCPA (California): Applies to for-profit businesses that do business in California, collect California residents' personal information, and meet at least one threshold: annual gross revenue above USD 25 million; buying, selling or sharing the personal information of 100,000 or more consumers or households a year; or deriving 50% or more of annual revenue from selling or sharing personal information.

Key Provisions

DPDPA (India): Consent-based processing with a closed list of "certain legitimate uses" as the alternative ground, notice obligations, duties of data fiduciaries (including notification of personal data breaches to the Data Protection Board and affected data principals), additional obligations for Significant Data Fiduciaries (SDFs), and rights and duties of data principals.

GDPR (EU): The Article 5 principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

CCPA (California): Rights to know, delete and correct; the right to opt out of the sale or sharing of personal information (sharing covers cross-context behavioural advertising); the right to limit the use of sensitive personal information; and non-discrimination for exercising these rights.

Data Fiduciaries and Data Processors

DPDPA (India): Uses "data fiduciary" for what the GDPR calls a controller: any person who "alone or in conjunction with other persons determines the purpose and means of processing of personal data". A data processor is anyone who processes personal data on behalf of a data fiduciary. The data fiduciary remains responsible for compliance in respect of any processing undertaken on its behalf by a data processor, irrespective of any agreement to the contrary.

GDPR (EU): Defines a data controller as the entity that determines the purposes and means of processing personal data, and a data processor as the entity that processes personal data on behalf of the controller. Processors also carry direct obligations of their own, for example processing only under a contract (Article 28), securing the processing (Article 32) and notifying the controller of breaches (Article 33).

CCPA (California): Does not use the controller/processor terminology. Instead it distinguishes businesses, service providers, contractors and third parties, with contractual requirements governing what a business may disclose to service providers and contractors.

Consent for Data Processing

DPDPA (India): Consent is the primary ground for processing; the only alternative is the closed list of "certain legitimate uses" (for example, data the data principal has voluntarily provided for a specified purpose, specified State functions, medical emergencies and employment purposes). Consent must be "free, specific, informed, unconditional and unambiguous with a clear affirmative action", and the data principal may withdraw it at any time with an ease comparable to the ease with which it was given.

GDPR (EU): Consent is one of six lawful bases under Article 6. Where it is relied on, it must be freely given, specific, informed and unambiguous, given by a statement or clear affirmative action, and as easy to withdraw as it was to give.

CCPA (California): Does not require opt-in consent for collection; it relies on notice at or before collection combined with opt-out rights, principally the right to opt out of the sale or sharing of personal information. Opt-in consent is required to sell or share the personal information of consumers under 16.

Individual Rights

DPDPA (India): Access to information about the personal data being processed, correction and erasure, grievance redressal, and the right to nominate another individual to exercise these rights in the event of death or incapacity. Notice is framed as an obligation on the data fiduciary rather than as a right.

GDPR (EU): Access, rectification, erasure, restriction of processing, portability, objection, and rights relating to automated decision-making, plus the right to be informed (Articles 13 and 14).

CCPA (California): Know (including the categories of third parties to whom personal information is disclosed), delete, correct, portability, opt out of sale or sharing, limit the use of sensitive personal information, and non-discrimination.

Security Safeguards

DPDPA (India): Requires "reasonable security safeguards to prevent personal data breach" without prescribing specific controls in the Act itself; measures such as encryption, anonymisation or pseudonymisation, network controls such as firewalls, access controls and audits are the expected building blocks. A personal data breach must be notified to the Data Protection Board and to each affected data principal.

GDPR (EU): Article 32 requires measures appropriate to the risk, including pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access in a timely manner after an incident, and regular testing of the measures' effectiveness. Breaches must be notified to the supervisory authority within 72 hours where feasible.

CCPA (California): Requires businesses to implement and maintain "reasonable security procedures and practices". Consumers whose non-encrypted and non-redacted personal information is breached as a result of a failure to do so have a private right of action for statutory damages of USD 100 to 750 per consumer per incident, or actual damages if greater.

Codes of Practice

DPDPA (India): The Act itself does not provide for codes of practice. Detailed obligations are to be specified through rules made by the Central Government, and the Data Protection Board of India acts as an adjudicatory body that inquires into breaches and complaints and imposes penalties.

GDPR (EU): Encourages associations and other bodies to draw up codes of conduct, approved by the supervisory authorities (Article 40), and provides for certification mechanisms (Article 42).

CCPA (California): Not specifically mentioned, but the law requires clear and comprehensive privacy policies.

Data Protection Officer

DPDPA (India): Mandatory only for Significant Data Fiduciaries (SDFs), which the Central Government notifies based on factors such as the volume and sensitivity of the data processed. The DPO must be an individual based in India, responsible to the Board of Directors or a similar governing body, and is the point of contact for the grievance redressal mechanism. Other data fiduciaries must publish the business contact details of a person able to answer data principals' questions about the processing of their personal data.

GDPR (EU): Mandatory for controllers and processors that are public authorities, whose core activities involve regular and systematic monitoring of data subjects on a large scale, or whose core activities consist of large-scale processing of special categories of data or criminal conviction data (Article 37). The DPO must be able to perform the role independently, must not be instructed or penalised for doing so, and reports directly to the highest management level.

CCPA (California): Does not impose an obligation to appoint a DPO.

CISO Responsibilities

DPDPA (India):

·       Ensure strict data protection measures to avoid penalties.

·       Ensure data is collected lawfully, used only for its specified purpose, and kept to a minimum.

·       Ensure transparency and clear communication with users regarding data handling.

·       May be designated as the published contact person for data principals' questions where the organisation is not a Significant Data Fiduciary (SDF) and therefore has no mandatory DPO, although combining the roles can create conflicts of interest.

GDPR (EU):

·       Ensure adequate protection of digital information assets and develop security strategies.

·       Provide guidance to the enterprise's information security organisation.

·       Should not typically also serve as the DPO, because of potential conflicts of interest: the DPO role requires independence and direct reporting to the highest management level.

CCPA (California):

·       Understand what personal information the business holds, where and how it is stored, and how to retrieve or delete it when a consumer exercises a right to know or delete.

·       Be informed of the legal expectations and up to speed with protocols for security incidents.

·       Shift focus to business-driven security rather than purely technical aspects.

·       Ensure compliance with the CCPA and its implementing regulations.

Fines for Non-Compliance

DPDPA (India): Penalties set out in the Schedule range from INR 10,000 (about USD 120), for a data principal's breach of their duties, to INR 250 crore (about USD 30 million) for failure to take reasonable security safeguards to prevent a personal data breach. They are imposed by the Data Protection Board after inquiry.

GDPR (EU): Two tiers: up to €10 million or 2% of global annual turnover, and, for the more serious infringements, up to €20 million or 4% of global annual turnover, in each case whichever is higher.

CCPA (California): Civil penalties of up to USD 2,500 per violation, and up to USD 7,500 per intentional violation or violation involving the personal information of consumers under 16, enforced by the California Attorney General and the California Privacy Protection Agency.

Exemptions

DPDPA (India): Exempts, among other things, processing necessary to enforce a legal right or claim, processing by courts and tribunals, processing for the prevention, detection, investigation or prosecution of offences, and processing in the course of a merger or restructuring approved by a court or tribunal. The Central Government may also exempt notified instrumentalities of the State altogether where processing is in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement to commit a cognisable offence, and may exempt startups from certain provisions. Taken together, these are broad exceptions for government entities.

GDPR (EU): Does not apply to processing by individuals in the course of purely personal or household activities, to processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences (which falls under the separate Law Enforcement Directive), or to activities outside the scope of Union law, such as national security.

CCPA (California): Does not apply to medical information governed by HIPAA or California's Confidentiality of Medical Information Act, to personal information already regulated by certain federal laws (for example the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Driver's Privacy Protection Act), or to certain publicly available information. The temporary exemptions for business-to-business and employee data expired on 1 January 2023, so that information is now within scope.

Conclusion

These regulations reflect the global trend toward comprehensive data protection, each with nuances shaped by regional priorities. The Indian DPDPA, the EU GDPR and the California CCPA each impose distinct requirements that shape the roles and responsibilities of DPOs and CISOs. While they overlap in scope, individual rights, security safeguards, codes of practice, key provisions and penalties, the differences, from the consent-centric DPDPA to the opt-out model of the CCPA, are significant enough that organisations operating across these jurisdictions must address each regime on its own terms.