What are the various legislations, and what do they mean?
Under GDPR, a data subject is any individual whose personal data is processed; the data subject is not required to hold EU residency or citizenship and may be located inside or outside the EU. The obligation to protect that information falls on “controllers”: any entity, regardless of size, whether for profit or not, and whether a private or public law entity, that determines the means and purposes of processing activities. Most obligations also apply to “processors,” which process personal data on behalf of controllers.
A “consumer” who has rights under CCPA is any “natural person who is a California resident.”
The obligations for ensuring proper collection and processing of a consumer’s data apply only to an organization that is for-profit and does business in California, and that has annual gross revenue over $25 million or derives 50% or more of its annual revenues from selling consumers’ personal information. Obligations also apply to any entity that controls or is controlled by such a business.
Under PIPEDA, personal information is any “information about an identifiable individual,” essentially any data obtained in the course of commercial activity.
Any private entity in Canada that collects personal information while engaged in commercial activity is required to comply with PIPEDA. It applies in every Canadian province unless the province has enacted its own privacy laws. However, even if a company is located in one of those provinces, PIPEDA may still apply to personal data that crosses borders in the course of its business.
Collection and Processing
The GDPR applies to the “processing of personal data” regardless of the type of operation, except where the processing is conducted through non-automated means that are not part of a filing system, or where the processing is conducted by a natural person for purely personal or household activity.
CCPA specifically excludes from its scope the collecting and sharing of some categories of personal information, such as medical information, information collected as part of a clinical trial, the sale of information to or from consumer reporting agencies, and personal information covered by the Gramm-Leach-Bliley Act, Driver’s Privacy
PIPEDA doesn’t cover certain personal data, such as those handled by federal government organizations listed under the Privacy Act, by provincial or territorial governments and their agents, and business contact information such as an employee’s name, title, and business address.
Data processes excluded from PIPEDA include individual collection, use or disclosure of personal information solely for personal purposes, and an organization’s collection, use or disclosure of personal information solely for journalistic, artistic, or literary purposes.
The GDPR provides a data subject with the right to be informed, right of access, right of rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights concerning automated decision making and profiling. How these rights apply, however, can vary depending on the circumstances of the data subject’s request. For instance, the right to erasure only applies if consent is withdrawn and there is no other legal ground for processing.
The CCPA provides a consumer with the right to notice, right to access, right to opt-out (or opt-in), right to request deletion, and right to equal services and prices. These rights carry exceptions; for example, the right of access applies only to personal information collected in the 12 months prior to the request.
Under PIPEDA, an individual has the right to know (about the company that collects their information and why they’re collecting it), right to access, and right to challenge the accuracy of their personal information.
Data Processing and Storage Standards
Under the data portability provisions of GDPR, the data must be made available in a structured, commonly used, machine-readable, and interoperable format that allows the individual to transfer the data to another controller.
This right applies to personal data that a data subject has provided to a data controller, where the processing is carried out by automated means, and where the processing is based on the individual’s consent or on the performance of a contract.
Personal data must also be processed in a manner that “ensures appropriate security of the personal data, including protection against accidental loss, destruction or damage, and using appropriate technical or organisational measures.”
Under CCPA, where a business responds to an access request “electronically,” it is required, to the extent technically feasible, to provide the information in a portable and readily usable format that allows the consumer to transmit it to another entity without hindrance.
Unlike GDPR, CCPA combines the right to data portability with the right to access. This right also carries no limitation on the type of data, meaning that it applies to all data collected by a business (including anything from analytics data and marketing data to profiling data and communication data such as captured mobile SMS and recorded voice calls).
Under PIPEDA, an organization must adopt security safeguards suited to the sensitivity of the information to protect the personal information in its custody and control against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The methods of protection must include physical, organizational, and technological measures.
Enforcement Fines and Penalties
A data protection authority in the EU can directly issue administrative fines. Depending on the violation that occurred, the penalty may be up to either 4% of global annual turnover or €20 million, whichever is higher.
Non-compliance with CCPA results in civil penalties, which means that a court issues them. Depending on the violation, the penalty may be up to USD 2,500 for each violation and USD 7,500 for each intentional violation. The CCPA, however, does not provide an overall maximum amount, so several penalties may be imposed, one for each violation.
The penalties for non-compliance with PIPEDA can reach up to CAD 100,000 for each violation. The fine can be imposed in three circumstances:
- (i) if an organization dismisses, suspends, demotes, disciplines, harasses or otherwise disadvantages an employee who acted as a “whistleblower”;
- (ii) if an organization does not retain personal information that is the subject of a request for as long as necessary to allow the individual to exhaust any recourse that they may have;
- (iii) if a person obstructs the federal Privacy Commissioner in the investigation of a complaint or in conducting an audit.