“Balancing Privacy and Protection: A Comparative Analysis of the GDPR and CCPA in Safeguarding Consumer Rights”

ABSTRACT 

Data breaches occur frequently in the modern world. Companies that hold personal data actively share it with marketers and other businesses for their own gain, and it is individuals who bear the consequences of the breach. Following the General Data Protection Regulation (GDPR), numerous countries have enacted laws safeguarding personal information. California has also enacted legislation to safeguard consumers’ rights over their personal data. This study compares the California Consumer Privacy Act (CCPA) with the General Data Protection Regulation (GDPR). Studies show that the GDPR is a comprehensive framework that may be used to ensure data protection worldwide: it contains every relevant clause and article needed for that purpose. Its dynamic character further allows it to adapt to new developments and technologies. However, the study’s scope needs to be broadened, and a comparative analysis based on geographic boundaries needs to be carried out. Future studies could examine the laws that other developing nations have in place to protect personal data in light of the GDPR. 

KEYWORDS 

User, Data Breach, Data Protection, Privacy and Personal Data.

RESEARCH METHODOLOGY 

This study will examine the text, implementation, and effects of the CCPA and GDPR on consumer protection using a comparative legal analysis methodology. Aside from scholarly articles, legal databases, and case studies, information will also be acquired through expert interviews regarding data privacy law. This study will look at key provisions, enforcement strategies, and consumer outcomes under both laws.

REVIEW OF LITERATURE 

  • Europe passed its first data protection laws in the 1970s, as far as is known. Later, Sweden passed the Data Act to govern the computerised processing and protection of personal data. In the United States, the Fair Information Practice Principles (FIPPs) were developed to address problems of data transparency, use of unlawful means, access and rectification, data quality, and security in the digital realm. All the same, the FIPPs did not have a major impact in the US.
  • Georgiadis et al. carried out research to identify big data analytics issues pertaining to personal data security. By applying thematic analysis to a thorough literature review of 159 papers, they identified nine Privacy Touch Points (PTPs) that indicate important risks. Next, privacy impact assessment (PIA) techniques were investigated for these PTPs. After evaluating the GDPR’s risk-reducing techniques, the study concluded with a recommendation for a comparative review of national data protection legislation against GDPR standards.
  • A study in Croatia was carried out by Skendžić, A. et al. to compare and contrast the GDPR with the 1995 Data Protection Directive. They found that identifiers such as a person’s phone number, GPS location, first and last name, MAC address, personal ID, biometric information, and other pertinent information related to their identity are examples of personal data. They also found that the General Data Protection Regulation (GDPR) harmonizes state-enforced laws and corporate activities. 
  • The GDPR regulations and the Court of Justice must also be coordinated. Furthermore, a corporation may forfeit up to 20 million euros, or 0.5 to 4% of its yearly worldwide turnover, if it is found to have violated the GDPR. It was also clarified that the Croatian Personal Data Protection Agency would oversee the General Data Protection Regulation (GDPR) and that decisions would be made with the agency’s permission. Other rights were discussed as well, such as the right to be forgotten. Finally, it was determined that the GDPR does not apply to data belonging to legal entities or to entrepreneurs operating on their behalf.
  • When Grundstrom et al. looked into data access in the insurance sector, they found little information about how businesses obtain personal information. Through a qualitative study they identified thirteen GDPR compliance issues in four categories: proliferation, protection, procedure, and privacy. The study’s narrow focus on the insurance industry highlights the need for more extensive empirical research. They suggested assessing national and regional GDPR compliance in relation to data access.
  • Papaioannou et al. investigated the relationship between memory institutions, cultural heritage, and the GDPR in relation to the management of Big Personal Data. The main objective of the study was to find common risk factors for GDPR adoption. It was determined that enterprises handling the data of EU persons must put comprehensive compliance procedures in place in order to protect individual rights. Since they are guardians of personal data, institutions that preserve memory and cultural heritage must take extra care to comply with the GDPR. The GDPR has given these organizations the opportunity to modernize their data management practices, which might afford them a competitive advantage.
  • Hu, P., & Wei, Q.’s second study, which examined the features and effects of the GDPR, found that it has a major impact on the protection of personal data. Specifically, it offers complying enterprises all the safeguards needed for effective data protection. Individuals now have significant protection under the GDPR, and there are limits on the ways in which processors and controllers may share information. Its objectives are to protect national sovereignty over information and to strengthen the information domain. It is also in step with modern information technology.
  • Natural persons should have control over their personal data, according to Bârsan, M. M., who focused on the protection of natural persons with regard to the processing of personal data and its free circulation. Through its numerous clauses, the General Data Protection Regulation (GDPR) keeps strengthening the rights of data subjects. Determining the rights of data subjects is the main objective of this study. In order to lessen the harm done to data subjects, the article emphasizes the need for adequate security and lays down specific limitations on data controllers. Both technical and managerial measures exist, and these ensure that data processing is kept to a minimum. Security is sometimes very expensive, requiring the user to pay the data controller a sizeable sum.
  • In a published study, Sealey examines the effects of new data privacy regulations on consumers, highlighting enhanced subject rights, greater accountability, and improved enforcement strategies. The GDPR has strengthened individual control over personal data by clarifying complex legal areas in response to growing consumer concerns about data collection and storage. Despite the challenges posed by advanced data processing technologies, previous regulations have been replaced by the GDPR, which gives consumers more power and ensures consistent implementation across the European Union. The broader applicability of the GDPR is also highlighted in the report, allowing individuals to assert their rights whenever their data is handled.
  • A study on Korean companies that store personal data under the Personal Information Protection Act (PIPA) was carried out by Lee, J., and Lee, E. Y. J. The purpose of the study was to determine how the GDPR might affect academic journals with a Korean focus. The study found that, in contrast to enterprises and trade associations that receive complaints and maintain personal data, some significant components of the GDPR were disregarded in academic publications. They also investigated whether EU citizens who are contributors and reviewers are subject to the GDPR requirements. The study further showed that the goal of the GDPR is to preserve a balance between the important interests of free speech and the free flow of information on the one hand and the requirement to secure personal data on the other.
  • Basarudin, N. A., & Raji, R. A. discuss what a data controller needs to take into account to ensure that personal data is profiled in compliance with the legislation. Many people are concerned that the profiling process violates their privacy and personal information. The study used the doctrinal legal method, reviewing the GDPR and international instruments as a means of legal recourse for the defense and protection of online data subjects. The investigators suggested employing security by design in the profiling technique, because system operations are not accessible to human comprehension.
  • Warikandwa, T.’s research study addresses the growing number of cybercrimes in the global financial services business that put customers’ personal information at risk. Because these crimes are increasing, financial services custodians now need to comply with the relevant rules and regulations in order to reduce the incidence of cybercrimes involving the sharing of personal data. In this regard, the majority of African nations do not currently have laws protecting personal data in place. Adherence to regulatory frameworks for the protection of personal data is crucial. This study examined the applicability of South Africa’s Protection of Personal Information Act 4 of 2013 in safeguarding the private information of financial services industry participants. The article went on to address the provisions of the GDPR and the Protection of Personal Information Act.
  • Ieviņa, Ž. discussed the importance of anonymizing personal data and erasing it under the GDPR. Many data controllers wish to retain personal data even after the processing purpose for which it was collected has been fulfilled. The study’s goal was to look into how the GDPR handles anonymous data and erasure in the context of the personal data life cycle. Some believe that once personal information is declared anonymous it may simply be deleted; this view is disproved, since anonymized data can still be used for purposes such as big data analysis and artificial intelligence.
  • According to Dumitrescu, R. M.’s analysis, the GDPR allows the data exporter to act both as a controller and as a processor, which leads to an anomaly. The GDPR permits transfers to be carried out without prior authorization; yet ad hoc or administrative agreements between public or supervisory authorities are required to obtain the guarantees. Fulfilling the requirements that override legitimate interests is imperative. 
  • According to a report by Usprcova, S., the Republic of Macedonia’s official archives should be safeguarded by harmonizing national personal data protection laws with European regulations. The archives need to be secured against unauthorized access and theft. Therefore, in order to secure historical data, all applicable GDPR stipulations should be incorporated.

INTRODUCTION

California has enacted several laws and guidelines to safeguard its people. Adopting legislation protecting personal data is one of these actions; it serves to stop illegal use and data breaches. By providing a thorough Personal Data Protection law that conforms with the General Data Protection Regulations (GDPR), these regulations aim to empower the general population. By adhering to these guidelines, people can ensure that their private information is protected and that there is a legitimate channel for lodging complaints regarding data theft breaches.

The California Consumer Privacy Act (CCPA) was passed by US legislators as a law to protect the privacy of personal data. Several sections of this Act are linked to articles of the GDPR. As a result, it is regarded as the most precise and trustworthy regulation in California for protecting personal information. It was approved in 2018 and became operative on January 1st, 2020. The purpose of this law’s enactment was to guarantee Californians’ belief in the protection of fundamental human rights. Legislators believed that imposing accountability measures on data holders would strengthen existing privacy protections. The Act covers companies’ intent to hold data and its subsequent transmission or use for marketing purposes. Ensuring the analysis and improvement of data systems was another notable component.

On the other hand, the European Union established the GDPR, which is a set of regulations for data protection. One of the key components of the GDPR is the protection of personal data, which includes all forms of personal information such as name, address, and phone number. Every member State of the European Union is subject to the GDPR. It protects citizens’ and businesses’ rights over data. The GDPR’s regulations are quite clear and simple to put into effect.

CCPA and GDPR

CCPA

The primary goal of the CCPA is to provide Californians the power to control how personal data is gathered and utilized. With some restrictions, the law protects personal data that can be used to identify, characterize, or connect to a consumer or household. 

Under the CCPA, organizations are allowed to process data by default, but they also have to provide consumers with an obvious way to opt out of having their personal information sold or shared. This option is usually provided through banners or “do not sell my personal information” links. Penalties for violating the CCPA may be enforced by the state court and can reach up to $7,500 for willful violations and $2,500 for minor infractions.

To preserve customer privacy, companies are encouraged by the CCPA to put strong data protection policies in place. In addition to helping with CCPA compliance, establishing thorough data security protocols increases customer loyalty and trust. Businesses can lower their risk of data breaches and unauthorized access by prioritizing data privacy, which shields sensitive information from possible misuse or exploitation. Organizations are encouraged to adopt ethical data protection policies and a culture of accountability by regulations such as the CCPA.

Despite being a California privacy regulation, many organizations nationwide are subject to it. The CCPA may apply to you if you are an organization on the east coast collecting data from consumers in California, or if your business is situated in California and collects consumer data. It applies to for-profit companies that gather personal consumer information, operate in California, and satisfy one or more of the following requirements: 

  1. Annual Gross Revenues: 

The company brings in more than $25 million in gross revenues each year.

  2. Purchasing, Receiving, or Selling Personal Information: 

Every year, the company purchases, receives, or sells the personal data of at least 50,000 Californians, households, or devices. 

  3. Revenue from Personal Information:

The company gets at least half of its yearly income from the sale of personal data about Californians.

These standards are intended to encompass larger companies and those that are substantially involved in the gathering and exchange of personal data, while typically leaving out smaller companies and those that do not rely as much on these data practices.

GDPR

A comprehensive data protection law known as the General Data Protection Regulation (GDPR) was put into effect by the European Union on May 25, 2018. The 1995 Data Protection Directive, a collection of guidelines that member states might utilize as a model for their own legislation, was replaced by it. However, the GDPR creates a uniform norm across the EU and becomes operative immediately as legislation in each and every EU member state.

The GDPR’s primary goals are to: 

  1. Strengthen Privacy and Safeguard Personal Data:

By bringing all EU regulations under one roof, it seeks to empower individuals to take control of their personal data and streamline the legal landscape for global trade. 

  2. Individuals’ Rights: 

The General Data Protection Regulation (GDPR) grants people a number of important rights, such as the right to know how their personal data is used, the right to access and rectify that data, the right to be forgotten, the right to restrict processing, the right to data portability, the right to object, and rights regarding automated decision-making and profiling.

  3. Organizational Obligations:

To prevent the loss or leakage of customers’ personal information, organizations must put in place appropriate data protection measures. This entails getting consent before processing data, notifying people about data breaches, managing cross-border data transfers safely, and monitoring compliance among data processors. 

  4. Data Protection Officers (DPOs):

To supervise GDPR compliance, some firms are required to designate a Data Protection Officer. 

  5. Penalties for Non-Compliance:

A firm that violates the GDPR may be fined up to 4% of its yearly worldwide sales or €20 million, whichever is higher. 

Since GDPR established a precedent, other countries all over the world have been influenced to enact comparable rules and regulations.

Organizations both inside and outside the EU that provide goods or services to EU citizens or keep an eye on their behavior are subject to GDPR. Its reach is wide and encompasses both the public and private sectors. The following are the primary categories that must adhere to GDPR: 

  • European Union-Based Organizations: 

Regardless of where the data processing occurs, all organizations and entities that are based in the EU and handle personal data as part of their operations are required to abide by the GDPR. Although both the CCPA and the GDPR aim to protect individual privacy rights, the primary distinction between the two laws is how broadly they apply.

  • Non-EU Organizations That Target EU Residents:

If a non-EU organization processes data for the purpose of providing free or discounted goods or services to EU citizens, or if it tracks EU citizens’ movements, it has to abide by the General Data Protection Regulation (GDPR). This includes businesses that monitor the online activity of EU citizens in order to target advertisements. 

  • Controllers and Processors: 

The GDPR distinguishes between ‘controllers’ and ‘processors’ of data. The controller decides the means and purposes of processing personal data, while the processor handles the processing of personal data on behalf of the controller. GDPR regulations apply to both. 

  • Public Authorities:

The GDPR applies to all public entities that are based in the EU.

Comparative Analysis

  • The GDPR applies to all organizations, regardless of location, that process the data of EU residents, while the CCPA is specifically applicable to enterprises operating in California and handling the data of California residents. 
  • Individuals have important rights regarding their personal data under both the CCPA and the GDPR. Nevertheless, the details of these rights and the methods by which they are upheld vary. For instance, the CCPA does not expressly address certain additional rights provided by the GDPR, such as the right to object to processing based on legitimate interests and the right to data portability. 
  • Similar steps must be taken in order to comply with the CCPA and GDPR, including upholding transparent privacy policies, offering channels for people to assert their rights, and putting in place suitable security measures. Nonetheless, every legislation has different specific requirements and enforcement strategies, so firms must carefully customize their compliance efforts to account for these differences. 
  • In terms of data privacy law, the CCPA and GDPR are essential. Although the goals of both laws are to uphold individuals’ right to privacy and to make companies answerable for managing personal data responsibly, their applicability, specifications, and methods of enforcement are different. Businesses functioning in a more connected and data-driven world must comprehend the differences between GDPR and California privacy laws in order to ensure compliance and uphold customer trust.
  • Rules under the CCPA apply to companies that handle sensitive data. Additionally, it gives customers more privacy rights and safeguards. The CCPA improves consumer rights to privacy in a number of ways: 
  1. CCPA demands more openness; grants customers wide access to their personal data.
  2. Gives them the option to refuse data collection.
  3. Places new limitations on the ways in which covered businesses may gather, use, and sell customers’ personal data. 
  • Both the GDPR and the CCPA address user consent for cookies. However, they go about it very differently. 
  • The CCPA gives consumers the right to ask companies to delete their personal data or to opt out of having it sold to third parties. 
  • In May 2018, the GDPR went into force in each of the 27 EU member states. The GDPR specifies how companies must handle consumer information on their websites and mobile applications. Under the GDPR, a variety of attributes, including name, email address, location, wearable data, IP address, and more, are considered personal information. 
  • The GDPR gives the user, or data subject, the authority to determine how companies use their personal data. It is your responsibility as a business to obtain user consent before collecting any personal data of a data subject.

SUGGESTIONS 

Incorporating data privacy regulations from emerging economies can improve the comparison study and offer a worldwide perspective on standards and practices. Update the study often to take big data analytics and artificial intelligence (AI) breakthroughs into consideration. Take a close look at case studies of effective CCPA and GDPR navigation to concentrate on compliance and execution. Examine customer awareness and how it affects behaviour and trust. Evaluate the efficacy of enforcement strategies and compile a variety of stakeholder perspectives from companies, attorneys, and consumer advocacy organizations.

CONCLUSION

In conclusion, it can be said that the General Data Protection Regulation (GDPR) is an extensive document that may be used to provide protection for personal data. It contains every pertinent clause and article that is applicable. Moreover, because of its dynamic character, it can adapt to new developments and technological advancements. But the study’s scope must be broadened, and a comparative analysis based on geographic boundaries must be carried out. Future directions can include examining national laws pertaining to the protection of personal data in developing nations in light of the GDPR.

Author

Jill Kataria

Pravin Gandhi College of Law, Mumbai