
A Comparative Analysis of the DPDPA and Global Data Protection Laws

Updated: Nov 11, 2024


Introduction:

In a world in which data can be easily obtained, manipulated and spread, data protection legislation and regulations play a major role in governing how data is shared and obtained. India's Digital Personal Data Protection Act of 2023 (DPDPA), which is yet to be enforced in the country, has been the talk of the town ever since it was published in the official Indian Gazette. In this column, we will look at the similarities and differences between the DPDPA and other data protection legislations followed across the globe: the California Consumer Privacy Act of 2018 (CCPA) of California, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) of the United States of America, the Fair Credit Reporting Act of 1970 (FCRA) of the United States of America, the Telephone Consumer Protection Act of 1991 (TCPA) of the United States of America, the Personal Data Protection Act of 2012 (PDPA) of Singapore and Malaysia, and the Personal Data Protection Law of 2021 (PDPL) of the United Arab Emirates and Saudi Arabia.

 

DPDPA AND CCPA:

The California Consumer Privacy Act of 2018 of the United States of America is a provincial legislation that applies specifically in the state of California. The CCPA focuses on the protection and privacy of the data of consumers who are residents of California. To highlight the differences between the DPDPA and the CCPA: firstly, the CCPA focuses on the broader aspect of consumer data privacy, whereas the DPDPA narrows its focus to the protection of citizens' digital data. Another basic difference is that the DPDPA is a national legislation and the CCPA is a State or Provincial legislation, which means that the reach of the CCPA is limited while that of the DPDPA is broader. The notion of consent also sets the CCPA and the DPDPA apart. The CCPA does not require consent for data collection, but consumers have the right to opt out of the sale of their personal information, whereas the DPDPA hinges on consent as grounds for processing personal data, although additional narrowly defined or situation-based legal grounds are also available. The consent for the processing of personal data must be "free, specific, informed, unambiguous, and unconditional with a clear affirmative action"[1]. With regard to exceptions, the DPDPA provides broad exceptions for government entities, while also exempting processing for specific purposes, such as activities that are in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, and prevention of incitement to commit crimes, whereas the CCPA does not apply to certain medical information, personal information collected, processed, sold, or disclosed according to federal law, and personal information collected or sold as part of a transaction in which the consumer is a business.
The DPDPA differentiates between data fiduciary and data processor. It defines a data processor as anyone who processes personal information on behalf of a data fiduciary, the term used under the law to refer to a data controller. A data fiduciary is defined as any person who "alone or in conjunction with other persons determines the purpose and means of processing of personal data." The data fiduciary is initially liable for violations by data processors. The CCPA, by contrast, does not distinguish between data controllers and data processors. Instead, it refers to businesses, service providers, and third parties. Turning to the similarities between the CCPA and the DPDPA, both legislations emphasize similar rights for citizens, such as access, erasure, correction, notice, grievance redressal, data portability and third-party disclosure information. Both the DPDPA and the CCPA impose significant penalties for non-compliance, with the DPDPA ranging from INR 10,000 (USD 120) to INR 250 Crores (USD 30M) depending on the violation, and the CCPA imposing up to $2,500 per unintentional violation and $7,500 per intentional violation. These are some of the similarities and differences that lie between California’s CCPA and India’s DPDPA.


DPDPA AND CAN-SPAM:

To give a brief introduction, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) is a Federal statute that is applicable in the jurisdiction of the United States of America. It was enforced in the year 2003 and it covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. What matters is the “primary purpose” of the message. To determine the primary purpose, remember that an email can contain three different types of information:

  • Commercial content – which advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose;

  • Transactional or relationship content – which facilitates an already agreed-upon transaction or updates a customer about an ongoing transaction; and

  • Other content – which is neither commercial nor transactional or relationship.

When it comes to the differences between CAN-SPAM and the DPDPA, firstly, CAN-SPAM limits its application to electronic mail messages, especially those commercial in nature, but the DPDPA applies to all forms of digital personal data, including electronic message formats. Moreover, the DPDPA focuses on the collection, processing, storage and transfer of digital data, whereas CAN-SPAM focuses on professional conversations that take place through any form of mail which is officially registered under the business’ name. With regard to consent, the DPDPA requires the consent of the Principal of the personal data to process the data provided, whereas under the CAN-SPAM Act consent plays no role in sending a commercial mail, although people still have an opt-out option when it comes to receiving commercial mail from any entity. CAN-SPAM focuses on fraudulent marketing practices and non-solicited mails (Spam), whereas the DPDPA focuses on providing more rights to the citizens, such as the Right to Access their data, the Right to erase or rectify their incorrect data, the Right to deny processing of personal data etc. Turning to the similarities between these legislations, both CAN-SPAM and the DPDPA have regulatory boards to regulate and levy liability over any non-compliant action. CAN-SPAM has as its regulatory board the Federal Trade Commission (FTC), and the DPDPA has as its regulatory board the Data Protection Board (DPB) of India. Another similarity between the statutes is that each legislation has its own penalties for non-compliance.
Under the CAN-SPAM Act, each separate email in violation of the law is subject to penalties of up to $51,744, and more than one person may be held responsible for violations; under the DPDPA, penalties for non-compliance or mishandling of personal data can range from INR 10,000 (USD 120) to INR 250 Crores (USD 30M) depending on the violation. Another similarity between the legislations is that both statutes demand transparency in the eyes of the Federal or the Central Government. While this might raise a question of privacy, especially in Indian law after the judgement in Justice K. Puttaswamy vs. Union of India (2017-2018), it is advisory that the process of how data is processed, used and maintained should be transparent. These are some of the differences and similarities that lie between India’s DPDPA and United States of America’s CAN-SPAM.

 

DPDPA AND FCRA:

To give a brief idea, the Fair Credit Reporting Act of 1970 is a federal legislation which is applicable in the jurisdiction of the United States of America. The Act protects information collected by consumer reporting agencies such as credit bureaus, medical information companies and tenant screening services. Information in a consumer report cannot be provided to anyone who does not have a purpose specified in the Act. The Act is linked to other statutes like The Fair and Accurate Credit Transactions Act, Credit CARD Act and The Dodd-Frank Act. The first difference between these legislations is the nature of the data they cover. The FCRA focuses on data related to the credit obtained by citizens, whereas the DPDPA focuses on broader personal data, which also includes credit-related information. Another difference is that the FCRA was passed in the year 1970 to adapt to and regulate the economy and moderate the credit-reporting practices of that time, whereas the DPDPA was approved by the Parliament in the year 2023 and is yet to be enforced in the country. Coming 53 years after the FCRA, it focuses on contemporary and modern issues that the country faces, like Big Data, Online Privacy, Cybercrimes etc., while remaining relevant to the traditional aspects of legal practice and order regulation in the country. The first similarity to note between the legislations is the rights which are given to individuals.
While the DPDPA gives rights like the Right to access the provided data, the Right to rectify and erase the provided data and the right to deny the processing of the provided personal data, the FCRA provides a similar set of rights to its citizens, like the Right to access their credit reports, the Right to correct information in their credit reports and the Right to deny the publishing of credit reports for public access. Secondly, both the FCRA and the DPDPA have their own regulatory boards to moderate and regulate the usage of the law and to levy liabilities in case of non-compliance. The FCRA has as its regulatory authority the Federal Trade Commission (FTC), whereas the DPDPA has as its regulatory authority the Data Protection Board (DPB). Another similarity between the legislations is the notion of consent and transparency. The DPDPA gives great priority to obtaining the consent of the involved party, and the FCRA requires obtaining consent to access the credit reports of clients for non-permitted purposes. When it comes to the transparency clause, the DPDPA focuses on processing of data by data fiduciaries under the supervision of the Government; although this has been a subject of discussion in the matter of the right to privacy, it has been advisory that the Government will take effective measures so that the data of the country’s citizens is protected. Another factor to focus on is the penalty clause. Both legislations provide hefty penalties for non-compliance. The DPDPA penalizes INR 10,000 (USD 120) to INR 250 Crores (USD 30M) depending on the violation, whereas the FCRA provides $5,000 as a penalty if an entity is found to be in non-compliance with the regulations and guidelines of the Act. These are some of the differences and similarities which are highlighted with reference to India’s DPDPA and United States of America’s FCRA.

 

DPDPA AND TCPA:

To provide a basic understanding, the Telephone Consumer Protection Act of 1991 (TCPA) is a Federal legislation with its jurisdiction restricted to the United States of America. The law restricts certain telemarketing phone calls, text messages, and facsimiles. It also places restrictions on the use of automatic dialling systems and artificial or pre-recorded voice messages. Collection actions by phone are also regulated under the Act. The Telephone Consumer Protection Act (TCPA) was signed into law in 1991 and became one of two key federal rules, the other being the Telemarketing Sales Rule (TSR), covering telephone communications in the United States. The main objective of the TCPA is to protect its citizens from unwanted phone calls, text messages and faxes by regulating telemarketing and automated communication. The first difference between the legislations is the nature of the Acts themselves: the TCPA focuses on the regulation of communication under its guidelines, whereas the DPDPA focuses on the regulation of the processing, transfer, usage and protection of personal data. Secondly, the TCPA does not have an option of consent when it comes to regulating phone calls, faxes and messages to an individual, but in specific scenarios, like survey phone calls, prior consent is required under the TCPA. The DPDPA, by contrast, focuses on consent in both an explicit and an implied manner when it comes to the collection, processing, transfer, sharing and usage of the digital personal data of citizens. When it comes to rights, the TCPA does not offer any rights to citizens regarding the distribution of data obtained through communications, whereas the DPDPA offers various rights to its citizens, like the Right to access the provided data, the Right to rectify and erase the provided data and the right to deny the processing of the provided personal data.
To highlight some of the similarities between the two statutes, both the TCPA and the DPDPA provide a cancel/opt-out option from any sort of data collected through communications. The TCPA maintains a Do Not Call registry which has the data and information of people who have chosen to opt out of the collection of data through communication systems. The DPDPA, on the other hand, gives a person the Right to decline the usage or processing of that person’s collected data. In addition, both the TCPA and the DPDPA have their own regulatory bodies established under the Act. The TCPA has the Federal Communications Commission (FCC) acting as its regulatory authority, whereas the DPDPA has the Data Protection Board acting as its regulatory authority. Another similarity between the TCPA and the DPDPA is their penalties for non-compliance. Both legislations have a penalty clause in case of misuse of the collected data. The TCPA levies a penalty of $500 to $1500 per call or message, whereas the DPDPA has a penalty of INR 10,000 (USD 120) to INR 250 Crores (USD 30M) depending on the violation done by the organization. These are some of the similarities and differences that exist between India’s DPDPA and United States of America’s TCPA.

 

DPDPA AND PDPA (SINGAPORE):

The Personal Data Protection Act of 2012 (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act. It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. It also provides for the establishment of a national Do Not Call (DNC) Registry. Individuals may register their Singapore telephone numbers with the DNC Registry to opt out of receiving unwanted telemarketing messages from organisations. The main objective of the PDPA is to protect individuals’ personal data while recognising the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes. Another interesting fact about the PDPA is that Malaysia also has its own version of the Personal Data Protection Act, which has its own variances from and concurrences with Singapore’s version of the PDPA. To highlight the differences between the legislations, firstly, the PDPA focuses on the broader aspects of personal data, whereas the DPDPA narrows its focus to Digital Personal Data. Secondly, when it comes to Cross-Border Data Transfers, the PDPA has less stringent regulations depending upon the country to which the data is being transferred, whereas the DPDPA is more rigid, as such transfers involve more Personal Data and must be done under Government Authorization. To elaborate on the differences, the DPDPA is more tailored to suit the digital development that happens day-to-day, whereas the PDPA is more applicable to general data and is not-so digital friendly in its adaptation and amendments. Turning to the similarities between the statutes, firstly, both legislations give importance to the notion of Consent.
The DPDPA explicitly requires consent from the owners of the data for the collection, processing, sharing, transfer and usage of data, and the PDPA also focuses on obtaining consent from the Principal of the data before any action can be taken based on or regarding their data. Secondly, both the PDPA and the DPDPA focus on providing various individual rights to their citizens. The DPDPA provides a broad scheme of individual rights, like the Right to access the provided data, the Right to rectify and erase the provided data and the right to deny the processing of the provided personal data. The PDPA also provides rights to the individuals of the country, such as the Right to Access one’s data, the Right to correction of one’s data, the Right to withdraw consent to the processing of one’s data etc. Finally, both the PDPA and the DPDPA have regulatory bodies, authorities and organizations to hold accountability for and to moderate and regulate the collection, transfer, sharing and usage of personal data. The PDPA has the Personal Data Protection Commission (PDPC) to provide regulations and guidelines under the Act. The DPDPA has the Data Protection Board (DPB) to moderate and guide the transfer, sharing and collection of data done under the DPDPA. These are some of the similarities and differences that are being highlighted between India’s DPDPA and Singapore’s PDPA.

  

DPDPA AND PDPL (UAE):

The Personal Data Protection Law of 2021 (PDPL) of the United Arab Emirates is the first comprehensive federal legislation aimed at protecting the privacy of data subjects and their related rights. The UAE PDPL came into effect on 2nd January, 2022 and since then has caught the attention of all the organisations and entities processing personal data. The PDPL focuses on data privacy and the rights of UAE citizens regarding sharing of their data. Thus, it applies to the processing of data involving data subjects who reside or have a place of business within the UAE and also to those residing or working outside the UAE if their data is processed by a controller or processor located in the UAE. Another interesting point is that a law of the same name is in force in Saudi Arabia; although the two share similar roots, each legislation is customised to adapt to its country’s specific data protection needs. The first difference between the two legislations concerns their relationship to the General Data Protection Regulation (GDPR): the PDPL takes a lot after the GDPR and has many similarities with it, whereas the DPDPA attempts to deviate from the regulations of the GDPR while also trying to maintain its limitations with respect to compliance with the GDPR. The DPDPA attempts to be a pioneer in taking the global lead in data protection. Secondly, the applicability of the law is another point of difference between the statutes. The DPDPA has a narrower applicability, as it is applicable only to digital personal data, whereas the PDPL has a broader applicability, as it is applicable to both digital and physical personal data. Thirdly, the terminologies used to refer to the officers and individuals are different in nature.
The DPDPA uses Data Principal for the individual and Data Fiduciary for the organization that moderates the data, whereas the PDPL refers to individuals as Data subjects and to the organization as Data Controllers or Data Processors. Now, to focus on the similarities between the legislations, both statutes have a regulatory organization that helps in moderating the collected data. The DPDPA has the Data Protection Board (DPB), whereas the PDPL has the Data Office, which helps in regulating and moderating the application of the law and penalization for non-compliance. Speaking of non-compliance, both statutes impose fines as penalties for non-compliance with regulations. The DPDPA imposes INR 10,000 (USD 120) to INR 250 Crores (USD 30M) depending on the violation done by the organization, whereas under the PDPL the amount of the fine might range from AED 5,000 to AED 5 million depending upon the severity of the non-compliance committed. Another similarity between the PDPL and the DPDPA is that both legislations provide rights like the Right to access one’s data, the Right to rectify or amend one’s data and the Right to erase one’s data. Moreover, the level of protection offered by both legislations when it comes to Cross-Border Data Transfers is similar in nature, and such transfers are to be done under the authorization of the Government. These are some of the similarities and differences that exist between India’s DPDPA and United Arab Emirates’ PDPL Act.


CONCLUSION:

In conclusion, it is visible that the General Data Protection Regulation (GDPR) has a strong hold on the legislation of other countries due to its General Accepted Accountability Principles (GAAP) numerical. Since the GDPR has a higher level of GAAP, it is easier for other countries, including India, to refer to it when making and modifying their own laws, regulations and statutes. But India, as a leading pioneer in the field of data protection, which created a sensation with its yet-to-be-enforced legislation, tries to break the pattern by deviating and experimenting in the field of data protection. It keeps its adherence to the GDPR to the minimum but, at the same time, explores other possible opportunities for providing the safest protection for personal data to its citizens. Thus, this piece of literature explores the similarities and differences that exist between the above-mentioned legislations, and the conclusion explores the specialities of the DPDPA, given that the Internet world is growing and expanding every nanosecond.

REFERENCES:

1. A comparative analysis of DPDPA, GDPR, and CCPA. (n.d.). https://www.alfahive.com/blogs/a-comparative-analysis-of-dpdpa-gdpr-and-ccpa (Last accessed on 28-09-2024)

2. California Consumer Privacy Act (CCPA). (2024, March 13). State of California - Department of Justice - Office of the Attorney General. https://oag.ca.gov/privacy/ccpa#sectiona (Last accessed on 28-09-2024)

3. CAN-SPAM Act: A compliance guide for business. (2024, January 17). Federal Trade Commission. https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business (Last accessed on 28-09-2024)

4. What is the CAN-SPAM Act? (n.d.). LII / Legal Information Institute. https://www.law.cornell.edu/wex/inbox/what_is_can-spam (Last accessed on 28-09-2024)

5. Federal Trade Commission. (2023). Fair Credit Reporting Act. https://www.ftc.gov/system/files/ftc_gov/pdf/fcra-may2023-508.pdf (Last accessed on 28-09-2024)

6. Fair Credit Reporting Act. (2024, April 3). Federal Trade Commission. https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act (Last accessed on 28-09-2024)

7. 16 CFR Chapter I Subchapter F -- Fair Credit Reporting Act. (n.d.). https://www.ecfr.gov/current/title-16/chapter-I/subchapter-F (Last accessed on 28-09-2024)

8. TCPA | CompliancePoint. (2024, March 8). CompliancePoint. https://www.compliancepoint.com/regulations/tcpa/ (Last accessed on 28-09-2024)

9. United States Code. (1991). Telephone Consumer Protection Act 47 U.S.C. § 227. In United States Code. https://www.fcc.gov/sites/default/files/tcpa-rules.pdf (Last accessed on 28-09-2024)

10. Winston & Strawn. (n.d.). What is TCPA Law? Winston & Strawn - What Is TCPA Law? | Winston & Strawn Law Glossary. https://www.winston.com/en/legal-glossary/tcpa (Last accessed on 28-09-2024)

11. Personal Data Protection Act 2012 - Singapore Statutes online. (2022, October 1). https://sso.agc.gov.sg/Act/PDPA2012 (Last accessed on 28-09-2024)

12. PDPC | PDPA Overview. (n.d.). https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act (Last accessed on 28-09-2024)

13. PDPC | PDPA Overview. (n.d.). https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act (Last accessed on 29-09-2024)

14. Data protection laws | The Official Portal of the UAE Government. (n.d.). https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws (Last accessed on 29-09-2024)

15. Al Tamimi & Company. (2021, December 6). UAE’s New Federal Data Protection Law - Al Tamimi & Company. https://www.tamimi.com/news/uaes-new-federal-data-protection-law/ (Last accessed on 29-09-2024)


Written By - Blessy Joshua


 
