India: Privacy Laws In The State Of California And India

1. INTRODUCTION

The Personal Data Protection Bill, 2019 (the "PDP Bill") and the California Consumer Privacy Act of 2018 (the "CCPA") have been formulated with the primary intention of protecting the privacy rights of individuals with respect to their personal data. In this regard, both the legislations provide for comprehensive data protection measures to be adopted by different organizations.

The CCPA has been brought into effect on January 01, 2020 whereas the PDP Bill is still under consideration of the Indian government and is likely to be finalized later this year. Both the PDP Bill and the CCPA have been formulated largely on the principals of the General Data Protection Regulation of the European Union, which is currently one of the most comprehensive and unified data protection legislations in the world. Although both the legislations i.e. the PDP Bill and the CCPA are principally similar to each other, there are substantial differences between them pertaining to the scope and applicability, rights pertaining to individuals, grounds of processing and certain other provisions.

While the PDP Bill does not have the force of law yet, it is a significant legal development and with the CCPA coming into effect, it is increasingly relevant to examine the data privacy compliance challenges for companies doing business in India and California.

2. KEY CONSIDERATIONS

2.1. Scope and Applicability

PDP Bill: The PDP Bill is applicable to the processing¹ of personal data: (a) where the personal data has been collected, disclosed, shared or processed in any manner within India; and (b) where the processing has been undertaken by the government, by any Indian company, by any Indian citizen or any person or body of persons that has been incorporated under the Indian laws. Further, the PDP Bill shall also apply to processing undertaken by a data fiduciary or a data processor not located within the territory of India: (a) if such processing is in connection with any business that is carried out in India or if the there is any systematic activity of offering goods and services to data principals within India (ii) in connection with any activity that involves profiling of data principals within the territory of India.²

CCPA: The CCPA is applicable to only for-profit entities that carry out business in the State of California, collect personal information of the consumers (discussed below) and determine the purposes and means of processing such personal information and satisfy any of the following conditions: (a) it has annual gross revenue in excess of $ 25 million; (b) it annually buys, receives for the business's commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; (c) it derives 50% or more of its annual revenue from selling consumers' personal information. Further, the CCPA does not apply to collection/selling of personal information with respect to a commercial conduct that takes place outside California (i.e. if the business collected that information while the consumer was outside of California, no part of the sale of the consumer's personal information occurred in California, and no personal information was collected while the consumer was in California is sold).³

In light of the above, it seems that scope and territoriality of the PDP Bill is broader as compared to the scope and territoriality of the CCPA, bringing a larger number of organizations within its ambit. Further, as stated above, the CCPA is only applicable to for-profit entities whereas the PDP Bill will also be applicable to government bodies and non-profit making organizations.

2.2. Processing and Selling of Personal Information under CCPA

Under the CCPA, the term 'collecting'⁴ has been defined to include buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer and the term 'selling'⁵ has been defined to include selling, renting, disclosing, releasing, disseminating, making available transferring or otherwise communicating personal information for monetary or other valuable consideration. Under the CCPA, some of the obligations are applicable to collection of personal information and some specifically apply to selling and/or sharing of personal information unlike the PDP Bill, which has uniform application with respect to processing of personal data (subject to additional compliances with respect to sensitive personal information). For example, the right to opt out (i.e. the right granted to consumers under the CCPA) is only available with respect to selling or sharing of personal information.

2.3. Personal Data/Personal Information and Sensitive Personal Data/Information

Both the PDP Bill and the CCPA provide broad definitions of personal data/personal information (the terminology being different under both the legislations). The PDP Bill provides for two other categories of personal data called the 'sensitive personal data' wherein additional compliances have been prescribed (such as data localization or cross-border transfer conditions) and 'critical personal data' with stricter compliance requirements. The CCPA makes no such distinction and the provisions therein are uniformly applicable to kinds of personal information.

The PDP Bill extends to publicly available data. Personal information under the CCPA does not cover publicly available data that is lawfully made available from federal, state, or local government records, if that data is used for a purpose that is compatible with the purpose for which the data is made available in the government records. Further, the PDP Bill classifies 'health data' and 'genetic data' as sensitive personal data thereby providing a higher level of protection to the same as compared to the other personal data. However, the CCPA excludes from its ambit amongst certain other data, certain categories of medical information as well as data related to one's health collected as part of clinical trials (to the extent that the same is regulated by other legislations).⁶

2.4. Grounds for Processing Personal Data

The PDP Bill provides specific grounds basis which personal data may be processed, i.e. (a) with consent; (b) or for performance of specific functions of the state ; (c) wherein processing is necessary under law; (d) for compliance with any judicial order/judgment; (e) to respond to any medical emergency involving a threat to life or health; (f) to provide medical treatment or health services to any individual during any threat to public health; or (g) to undertake any measure to ensure safety, or provide assistance o during any disaster or breakdown of public order. In contrast, the CCPA does not provide for any express grounds basis which personal information may be processed.

2.5. Data Principals and Consumers

The PDP Bill defines 'data principal' to mean any natural person whose personal data is being referred.⁷ On the other hand, the CCPA defines 'consumer' to mean a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 01, 2017, however identified, including by any unique identifier⁸. The term consumer seems to be comparatively narrower to the term data principal as a consumer has been defined to include only Californian residents, thereby further tightening the scope of the CCPA. Nevertheless, the rights of data principals/consumers are fairly similar under the PDP Bill and the CCPA.

(a) Right to correction: The right to correction of personal data/information has been provided under both the legislations.

(b) Right to access: Both the CCPA and the PDP Bill provide the data principal/consumer with the right to access to his/her personal information which has been collected. However, the CCPA only permits consumers to request for its personal information that has been collected in the last 12 months prior to the request, making it easier for businesses to provide the required personal information to the consumer. Further, the deadline to respond to such requests is restricted to a period of 45 days from the date of receipt of the request (which may be extended for a period of another 45 days. Further, businesses are not required to share such personal information more than twice in 12 months. The PDP Bill goes a step ahead to recommend that the right to access in one place, the identity details of the data fiduciaries with whom their personal data has been shared.

(c) Right to be forgotten/Right to opt out: The PDP Bill grants data principals the right to ask organizations to erase or delete personal data, once the purpose of processing is complete. However, under the CCPA, the right of consumers to erasure is limited to sale of his/her personal information, enforceable against business and indirectly against third parties (as defined under CCPA). Under the CCPA, consumers can only opt-out of the sale of personal data, and not the collection or other uses that do not fall under the definition of selling. The exercise of the right to opt-out does not impact other uses of the information and is limited to selling of such information. Further, under the CCPA, if a business sells consumers' personal information, the information pertaining to the right of the consumers to opt out must be provided to the consumers under the privacy notice. Further, a business is also required to provide clear and conspicuous link on its homepage titled as "Do not sell my personal information" which will enable consumers to opt-out of the sale of consumer's personal information. Additionally, the CCPA provides that any third party that received personal information pursuant to their selling, can only further sell that personal information if consumers are provided "explicit notice" and the opportunity to opt-out of this subsequent selling. The abovementioned compliance may prove to be cumbersome for certain organizations as they may not have the required process in place for providing the abovementioned link.

(d) Right to data portability: The CCPA does not expressly provide the consumer with the right to data portability with respect to its personal information as is provided under the PDP Bill wherein data principals have been given the right to transfer their personal data from one data fiduciary to another. However, it may be assumed that consumers have the right to data portability as part of their right to access personal information under the CCPA.

(e) Right against discrimination: The CCPA states that consumers shall not be discriminated because of the exercise of their rights provided under the CCPA. Similarly, the PDP Bill states that the provision of any goods or services or the quality thereof, or performance of any contract, or the employment of any legal right or claim shall not be made conditional on the consent giving by the data principals to the processing of any personal data, not necessary for the purpose.

(f) Right to be informed: Under the CCPA, the consumer has the right to be informed if there is any breach of their personal data. Whereas under the PDP Bill, the data principals have the right to be informed of such breaches only if the authority established under the PDP Bill deems appropriate to inform the data principals about the same.

2.6. Data fiduciary and Data Processor (Business and Service Provider)

'Data fiduciary' under the PDP Bill bears similarity with 'business' under the CCPA. Similarly, the term 'data processor' under the PDP Bill bears similarity with 'service provider' under the CCPA. However, a 'service provider' under the CCPA, who processes the information on behalf of the business, is required to be a for-profit organization, which is not the case under the PDP Bill.

Further, under the PDP Bill, the data fiduciary has an overall responsibility of complying with the provisions of the PDP Bill, with the processor who processes personal data on behalf of the data fiduciary also having some of the obligations. However, under the CCPA it has been stated that a business that discloses personal information to a service provider shall not be held liable if the service provider receiving the personal information uses it in violation of the restrictions provided under the CCPA, provided that at the time of disclosing the personal information to the service provider, the business does not have actual knowledge or reason to believe that the service provider intends to commit such violations. Further, the CCPA also states that likewise the service provider will be liable if it uses the personal information received from businesses in violation of the CCPA.

2.7. Offences and Penalties

Both the PDP Bill and the CCPA provide for the imposition of monetary penalties for non-compliances with the respective legislations. Having said that, the nature of penalty, the manner of imposition of penalty and the amount of penalty is considerably different under both the legislations. Under the CCPA, depending upon the nature of the violation, the penalty of up to $ 2,500 for each violation and $ 7,500 for each intentional violation may be imposed.⁹ The PDP Bill imposes different penalties for different violations ranging from INR 5,000 to INR 15,00,00,000. Further, the PDP Bill also imposes monetary penalty for certain violations based upon the turnover of the entity. Additionally, the PDP Bill also provides for imprisonment for violation of certain provisions which is not the case under the CCPA. Further, the PDP Bill imposes liability on the directors of a company or the officers in charge for the conduct of the business of the company at the time of commission of the offence, which seems to be a draconian measure in comparison to other international legislations.

2.8. Other key considerations

As provided under the PDP Bill, the CCPA: (a) does not make it mandatory of organizations to formulate a privacy policy; (b) there is no classification under the CCPA with respect data fiduciary and significant data fiduciaries (who are subjected to more onerous responsibilities such audits, maintenance of records, data protection impact assessments, appointment of data protection officers, user account verification), making it considerably easier for organizations to comply with the provisions of the CCPA.

3. INDUSLAW VIEW

The PDP Bill and the CCPA although principally similar to each other with the common intent of protecting the privacy rights of individuals pertaining to their personal data, have certain considerable differences. From the plain reading of both the legislations, the PDP Bill seem to be far more over-reaching than the CCPA. The CCPA is only applicable to certain profit-making organizations (as detailed above under paragraph 2.1), thereby relieving other small organizations including start- ups from complying with the provisions of the same. Further, the PDP Bill has more stringent compliance requirements with respect to processing of sensitive personal data, which may prove to be burdensome for certain organizations processing sensitive personal data.

Having said the above, few of the provisions under the PDP Bill and the CCPA are unclear, which may be an issue from an implementation perspective. For example, under the scope and territoriality of the PDP Bill and the CCPA, the term "in connection with business that is carried out in India" (under the PDP Bill) and "doing business in the State of California" (under the CCPA), is very vague in nature and lacks specificity and therefore it is advisable that such terms are specifically defined or explanation for the same are provided under the concerned legislations.

Footnotes