Data Rights under GDPR, CCPA, CPRA and India PDPB 2019

Data Rights

The Article has been contributed by Mr Adhit Kulkarni, Final Year Student, D.E.S Law College, Pune with inputs from Data Secure.

 Introduction

Data rights, provided by various data privacy regulations or data protection acts enacted in various countries across the globe, give individuals authority and control over their personal data. The data rights are very powerful and can be defined as the following:

  1. The right to access
  2. The right to change or rectification
  3. The right to delete or erasure
  4. The right to portability of data
  5. The right to know who is collecting the data
  6. The right to know the location of the data and its processing destination
  7. The right to know who has access to it
  8. The right to know the purpose of processing the data and the time frame

In the light of the above defined principles of data rights, we would like to evaluate different data rights embedded for the protection of personal information in the EU GDPR, CCPA, CPRA and India PDPB 2019.

Who is Protected?

CCPA:

 Consumers, defined as California residents that are either:[1]

  • In California for other than a temporary or transitory purpose.
  • Domiciled in California but are currently outside the State for a temporary or transitory purpose.

Consumers include:

  • Customers of household goods and services.
  • Business-to-Business transactions.

EU GDPR:

 Data subjects, defined as identified or identifiable persons to which personal data relates.[2]

What Information is Protected?

CCPA:

  • Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.
  • The statutory definition includes a list of specific categories of personal information.
  • Personal information does not include certain publicly available government records.
  • The CCPA also excludes certain personal information covered by other sector specific legislation from its coverage scope.

 

 EU GDPR:

  • Personal data is any information relating to an identified or identifiable data subject.
  • The GDPR prohibits processing of defined special categories of personal data unless a lawful justification for processing applies.[4]

India PDPB 2019:

The PDPB protects data about or relating to a natural person which is:

  • directly or indirectly identifiable,
  • having regard to any characteristic, trait, attribute or
  • any other feature of the identity of such a natural person, whether online or offline, or
  • any combination of such features with any other information, and
  • any inference drawn from such data for the purpose of profiling.

The PDPB also applies to—

  • the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India;
  • the processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law;
  • the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—
  • in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
  • in connection with any activity which involves profiling of data principals within the territory of India.[5]

Right To Opt-out of Personal Information Sales:

CCPA:

  • Businesses must enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties, subject to certain defenses.
  • Must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on a website homepage.
  • Must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts-out.[6]

EU GDPR:

  • The GDPR does not include a specific right to opt-out of personal data sales. However, the GDPR does contain other rights a data subject may use to obtain a similar result in certain circumstances.
  • For example, it does permit data subjects, at any time, to:
  1. Opt-out of processing data for marketing purposes.
  2. Withdraw consent for processing activities.
  • This allows data subjects to opt-out of third-party sales that support marketing purposes or rely on consent for their legal processing basis.[7]

CPRA:

  • A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. This right may be referred to as the right to opt-out of sale or sharing.
  • A business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.[8]

Minor’s Rights:

CCPA:

  • The CCPA prohibits selling personal information of a consumer under 16 without consent. Children aged 13 – 16 can directly provide consent.
  • Children under 13 require parental consent. Importantly, protections provided by the federal Children’s Online Privacy Protection Act (COPPA) still apply on top of the CCPA’s requirements.[9]

EU GDPR:

  • The GDPR’s default age for consent is 16, although individual member state law may lower the age to no lower than 13.
  • The person with parental responsibility must provide consent for children under the consent age. Children must receive an age appropriate privacy notice. Children’s personal data is subject to heightened security requirements.[10]

India PDPB 2019:

  • The PDPB mandates that, before any personal data of a child is processed, the child’s age must be verified and the consent of the child’s parent or guardian obtained, in such manner as may be specified by future regulations. Such regulations will be based on:
  1. the volume of personal data processed;
  2. the proportion of such personal data likely to be that of a child;
  3. the possibility of harm to the child arising out of processing of personal data; and
  4. such other factors as may be prescribed.
  • The guardian data fiduciary shall be barred from profiling, tracking or behavioural monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child.[11]

Right of Disclosure or Access:

 CCPA:

  • Consumers have a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information.[12]

EU GDPR:

  • Data subjects have a right to access their personal data, including the right to receive a copy and to obtain certain information about the data controller’s processing.[13]

India PDPB 2019:

The data principal shall have the right to obtain from the data fiduciary—

  • confirmation whether the data fiduciary is processing or has processed personal data of the data principal;
  • the personal data of the data principal being processed or that has been processed by the data fiduciary, or any summary thereof;
  • a brief summary of processing activities undertaken by the data fiduciary with respect to the personal data of the data principal.

Data principals have the right to confirm if the data fiduciary is processing or has processed their personal data, to access the types of personal data and details about the processing activities. Data fiduciaries must respond clearly and concisely so the average person will understand.[14]

CPRA:

A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

  • The categories of personal information it has collected about that consumer.
  • The categories of sources from which the personal information is collected.
  • The business or commercial purpose for collecting, selling, or sharing personal information.
  • The categories of third parties to whom the business discloses personal information.
  • The specific pieces of personal information it has collected about that consumer.[15]

Right of Data Portability:

CCPA:

  • In response to a request for disclosure, a business must provide personal information in a readily usable format to enable a consumer to transmit the information from one entity to another entity without hindrance.[16]

EU GDPR:

The GDPR includes a new right to data portability to:

  • Receive a copy of the personal data in a structured, commonly used and machine readable format.
  • Transmit the personal data to another data controller (including directly by another data controller where possible).[17]

India PDPB 2019:

Where the processing has been carried out through automated means, the data principal shall have the right to receive the following personal data in a structured, commonly used and machine-readable format—

  • the personal data provided to the data fiduciary;
  • the data which has been generated in the course of provision of services or use of goods by the data fiduciary; or
  • the data which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained.[18]

Right to Deletion / Erasure (The Right to be Forgotten)

CCPA:

  • A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions.
  • The business must also instruct its service providers to delete the data.[19]

EU GDPR:

  • Data subjects have the right to request erasure of personal data under six circumstances (the right to be forgotten).
  • Data controllers must also take reasonable steps to inform any other data controllers also processing the data.[20]

India PDPB 2019:

The data principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary where such disclosure—

  • has served the purpose for which it was collected or is no longer necessary for the purpose;
  • was made with the consent of the data principal under section 11 and such consent has since been withdrawn; or
  • was made contrary to the provisions of this Act or any other law for the time being in force.

The above provisions shall be enforced by an Adjudicating Officer appointed through the provisions of the PDPB. Any data subject whose disclosure is seemingly restricted shall have the right to appeal the order of the Adjudicating Officer.[21]

CPRA:

  • A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. A business that collects personal information about consumers shall disclose the consumer’s rights to request the deletion of the consumer’s personal information.
  • A business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information shall delete the consumer’s personal information from its records, and notify any service providers or contractors to delete the consumer’s personal information from their records, and notify all third parties to whom the business has sold or shared such personal information, to delete the consumer’s personal information, unless this proves impossible or involves disproportionate effort.[22]

Right of Rectification

CCPA:

The CCPA does not offer the Right of Rectification.

EU GDPR:

The GDPR grants data subjects the right to:

  • Correct inaccurate personal data.
  • Complete incomplete personal data.[23]

India PDPB 2019:

  1. The data principal shall where necessary, having regard to the purposes for which personal data is being processed, subject to such conditions and in such manner as may be specified by regulations, have the right to—
  • the correction of inaccurate or misleading personal data;
  • the completion of incomplete personal data;
  • the updating of personal data that is out-of-date; and
  • the erasure of personal data which is no longer necessary for the purpose for which it was processed.
  2. Where the data fiduciary receives a request in relation to the parameters mentioned above, and the data fiduciary does not agree with such correction, completion, updation or erasure having regard to the purposes of processing, such data fiduciary shall provide the data principal with adequate justification in writing for rejecting the application.
  3. Where the data principal is not satisfied with the above justification provided by the data fiduciary, the data principal may require that the data fiduciary take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by the data principal.
  4. Where the data fiduciary corrects, completes, updates or erases any personal data, such data fiduciary shall also take necessary steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion, updation or erasure, particularly where such action may have an impact on the rights and interests of the data principal or on decisions made regarding them.[24]

CPRA:

  • A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer to correct such inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information. A business that collects personal information about consumers shall disclose the consumer’s right to request correction of inaccurate personal information.
  • A business that receives a verifiable consumer request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information, as directed by the consumer.[25]

Right to Restrict Processing:

CCPA:

The CCPA does not offer the Right to Restrict Processing, other than the right to opt-out of personal information sales.

EU GDPR:

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.[26]

India PDPB 2019:

The PDPB does not offer the Right to Restrict Processing.

Right to Object to Processing:

CCPA:

The CCPA does not offer the Right to Object to Processing other than the right to opt-out of personal information sales.

 EU GDPR:

The GDPR gives the right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.[27]

India PDPB 2019:

The PDPB does not offer the Right to Object to Processing other than the right to opt-out of personal information sales.

Right to Object to Automated Decision-Making:

CCPA:

The CCPA does not offer the Right to Object to Automated Decision-Making.

EU GDPR:

Data subjects have the right to not be subject to automated decision making, including profiling, which has legal or other significant effects on the data subject, subject to certain exceptions.[28]

India PDPB 2019:

The PDPB does not offer the Right to Object to Automated Decision-Making.

Data Rights specific to CPRA:

Right to Know What Personal Information is Sold or Shared and to Whom:

A consumer shall have the right to request that a business that sells or shares the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:

  • The categories of personal information that the business collected about the consumer.
  • The categories of personal information that the business sold or shared about the consumer and the categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each category of third parties to whom the personal information was sold or shared.
  • The categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom it was disclosed for a business purpose.[29]

Right to Limit Use and Disclosure of Sensitive Personal Information:

  • A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.

Right of No Retaliation Following Opt-Out or Exercise of Other Rights:

A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:

  • Denying goods or services to the consumer.
  • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
  • Providing a different level or quality of goods or services to the consumer.
  • Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.[30]

Conclusion

 The data rights as enshrined in various Global Privacy Regulations like EU GDPR, CCPA, CPRA and India PDPB 2019 provide the data subjects or the data principals a legal right to demand information about themselves from various companies and organisations that are processing the personal data.

The data rights transfer the power of privacy into the hands of the individuals, where it truly belongs.

While writing the blog, we have used the following sources:

  • [1] Cal. Civ. Code § 1798.140(g) and Cal. Code Regs. tit. 18, §17014; Practice Note, California Privacy and Data Security Law: Overview: CCPA Scope (6-597-4106).
  • [2] Article 4(1); Practice Note, Overview of EU General Data Protection Regulation: Identifiability (W-007-9580).
  • [3] Cal. Civ. Code §§ 1798.140(o) and 1798.145(c)-(f). Boxes, Categories of Personal Information Under the CCPA and Information Excluded From the CCPA’s Personal Information Definition. Practice Note, California Privacy and Data Security Law: Overview: Personal Information under CCPA (6-597-4106).
  • [4] Articles 4(1) and 9(1). Practice Note, Overview of EU General Data Protection Regulation: Personal Data and Data Subjects (W-007-9580) and Special Categories of Personal Data (W-007-9580).
  • [5] Section 2,3: Data Protection Bill, 2019
  • [6] Cal. Civ. Code §§ 1798.120 and 1798.135(a)-(b).
  • [7] Practice Note, Overview of EU General Data Protection Regulation: Processing for Direct Marketing Purposes (W-007-9580) and Lawfulness of Processing (W-007-9580).
  • [8] Section 9: CPRA, 2019
  • [9] Cal. Civ. Code § 1798.120(c)-(d). Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights Under the CCPA (6-597-4106).
  • [10] Article 8(1). Practice Note, Overview of EU General Data Protection Regulation: Children’s consent (W-007-9580).
  • [11] Section 16: Data Protection Bill, 2019
  • [12] Cal. Civ. Code §§ 1798.100(d), 1798.110, 1798.115. Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights Under the CCPA (6-597-4106).
  • [13] Article 15. Practice Note, Data Subject Rights Under the GDPR: Personal Data Access Right (W-006-7553).
  • [14] Section 17: Data Protection Bill, 2019
  • [15] Section 7: CPRA, 2019
  • [16] Cal. Civ. Code §§ 1798.100(d) and 1798.130(a)(2). Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights Under the CCPA (6-597-4106)
  • [17] Article 20. Practice Note, Data Subject Rights Under the GDPR: Data portability right (W-006-7553).
  • [18] Section 19: Data Protection Bill, 2019
  • [19] CCPA Cal. Civ. Code § 1798.105. Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights Under the CCPA (6-597-4106)
  • [20] Article 17. Practice Note, Data Subject Rights under the GDPR: Personal data erasure right (“Right to be forgotten”) (W-006-7553).
  • [21] Section 20: Data Protection Bill, 2019
  • [22] Section 5: CPRA, 2019
  • [23] Article 16. Practice Note, Data Subject Rights under the GDPR: Personal Data Rectification Right (W-006-7553).
  • [24] Section 18: Data Protection Bill, 2019
  • [25] Section 6: CPRA, 2019
  • [26] Practice Note, Data Subject Rights under the GDPR: Data Processing Restriction Right (W-006-7553).
  • [27] Article 21. Practice Note, Data Subject Rights under the GDPR: Data Processing Objection Right (W-006-7553).
  • [28] GDPR Article 22. Practice Note, Data Subject Rights under the GDPR: Automated Decision-Making Objection Right (W-006-7553).
  • [29] Section 8: CPRA, 2019
  • [30] Section 11: CPRA 2019
