DATA PRIVACY LAWS – A GLOBAL COMPARISON

AUTHOR – VED PATIL, GOVERNMENT LAW COLLEGE, MUMBAI 

Data is an essential part of the modern life of humans. Personal Information of individuals becomes increasingly invaluable. This article provides a global comparison of data privacy laws, analyzing the approaches of different countries. This article examines the general principles, strengths and weaknesses of major data privacy networks, which include GDPR, USDPL, DPDA etc. The GDPR stands out as one of the most extensive and strict privacy regulations, giving more control over personal data and creating a single data protection standard. On the other hand, the United States has a more disjointed approach, with distinct laws for certain industries, for example, California's CCPA for consumer protection and HIPAA for healthcare. In the meantime, countries like China, India, and Japan implemented their framework. China has implemented a Personal Information Protection Law (PIPL), Japan has introduced the Act on the Protection of Personal Information (APPI) and India has introduced Digital Personal Data Protection Act (DADP). The article concludes by emphasizing the challenges of harmonizing data privacy laws globally. As data privacy issues continue to gain prominence, the article suggests that global cooperation and evolving regulatory frameworks will be essential to protect individuals’ rights in an increasingly interconnected world.

Data privacy, GDPR, CCPA, HIPAA, DADP.

Data has turned into the most precious commodity in the digital age. Organizations all over the globe are collecting, processing, and even storing data for numerous purposes, including marketing, enhancing user experience, and even product creation. However, the increasing tendency towards the collection of personal data spruces a tremendous possibility of misuse. As a consequence, it is becoming increasingly important for individuals, as well as organizations, to safeguard their private information. While these technological advancements and the growing consciousness of the need to protect personal data from potential exploitation and misuse have fostered the growth of data privacy laws, this article discusses the laws on data privacy in different parts of the world. The most memorable laws include the US's California Consumer Privacy Act (CCPA), the European Union's General Data Protection Regulation (GDPR), and other comparable manifestations in various geographical areas. 

LITERATURE REVIEW

This is the age in which privacy becomes a major issue and different legislation has begun being enacted all over the world to ensure private data of people. The General Data Protection Regulation (GDPR) of the European Union (EU) is at its highest standards because it does not only focus on the protection of data, but also emphasizes many rights given to an individual such as permission, access, and portability of data. It has inspired many nations which have modelled their countries after it when it comes to privacy laws. According to BygraveThe GDPR can be an effective means to establish a very strong system of open data processing and enforce legislation outside the EU.

The Current Online Age has Seen the advent of Data Privacy to that Prominence where it has Found a Room for Different Legislative Frameworks, which are Thus Enacted Around the Globe to Protect People's Personal Data. The EU's General Data Protection Regulation (GDPR), with its strong emphasis on significantly greater individual rights such as permission, access, and data portability, has indeed pushed the international bar for data protection up. Many countries have drawn inspiration from GDPR and modelled their privacy laws about it. Research by Bygrav, states that the GDPR is very successful in establishing a strong, open system for processing data, but it also suffers many difficulties enforcing it beyond the EU. California's law on consumer privacy is the most comprehensive measure ever enacted in America in terms of data privacy regulation, as opposed to what state laws offer, which are specified much differently from one another. Solove noted in 2020 that, currently, the absence of any universal government framework in the territory of data privacy within the United States leads to dissimilar privacy protection amongst the various states. This legal patchwork, therefore, stands in the way of consumers and businesses through a maze of regulations. In this context, data privacy becomes significant in India with the passing of the Personal Data Protection Bill, 2019 which incorporates regulations that suit India's socio political environment while complying with international standards like the GDPR. Experts like Bhatia have analyzed the potential of the bill, highlighting that while it clarifies requirements for data processors and increases user rights, its provisions on data localization and government access to data have raised concerns over state surveillance. As compared to the European Union, India has developed realistic data privacy perspectives, but it still does not possess an enforcement regime. This indicates the need to keep on improving the new and existing data privacy legislation across this jurisdiction to meet rising technological challenges and global data flows. Dastin further argues that, compared to the European Union, India has developed quite realistic data privacy perspectives. Yet when it comes to enforcement regimes, the two are not comparable. This reveals the need for constant improvements in emerging and existing data privacy legislation in this domain to address increasing technology challenges and global data flows.

Using comparative legal analysis methodology, the article examines data privacy laws in four relevant countries: China, India, the United States, and the European Union (EU). The study investigates principal statutes, case law, and scholarly literature to understand the framework, scope, and effect of data privacy systems. This analysis will be supplemented by a cross-jurisdictional study to investigate legal parallels and differences in their application principles and sanctions. Courts will also be studied to understand how statutes were interpreted concerning particular cases having implications on matters of privacy.

European Union Directive on General Data Protection Regulation

It issued a historical law in May 2018, which applies to all member states of the European Union. This law is the General Data Protection Regulation which aims at unified rules concerning data protection. The GDPR is a strong and comprehensive framework put in place for securing the personal information and privacy of persons within the EU, to combat any intent to manipulate the information or privacy of a person.

Consent: Article 6 states that people must give their express consent before having data collected and processed.  

Rights of Data Subjects: Articles 15-22 of the GDPR provide such rights to individuals, access to their data, secondly, amendment of the data, thirdly, removal of data, fourthly limitation of the processing of data, fifthly, transfer of their data. Under Article 35, an organization is mandated to do Data Protection Impact Assessments for all its high-risk processing operations.

Cross-Border Data Transfers: To provide a sufficient degree of protection in third countries, the GDPR sets stringent rules for the transfer of personal data beyond the EU (Chapter V).  According to Article 83, non-compliance can result in fines for organizations of up to 4% of their global annual sales or €20 million, whichever is larger. In Google v. CNIL, According to a ruling by the European Court of Justice, the "right to be forgotten" under the GDPR does not apply to search engines outside the EU. The ECJ declared in Schrems II that the U.S. does not offer sufficient protection against monitoring, invalidating the EU-US Privacy Shield and potentially influencing the transfer of personal data to the U.S. 

California Consumer Privacy Act (CCPA): The CCPA aims to grant California residents the right to know, delete, and opt out of the sale of their data, effective from January 2020. 

Health Insurance Portability and Accountability Act: HIPAA governs the use of personal health info by healthcare providers. 

Children's Online Privacy Protection Act: COPPA protects children because it limits the collection of personal data from children under the age of 13 by websites and online services. 

All these define the different challenges facing the U.S. system, Much of the present concerns about the inconsistency and enforcement centre on the fact that data protection in the United States is so fragmented. More so, the inconsistency results from not having a federal data privacy law. This means that consumers can easily find themselves with different protection levels depending on the state where they live.  For example, In FTC vs GoogleThe Federal Trade Commission fined Google for deceptive practices related to its collection of personal data from users. In the Facebook privacy settlement, U.S. Federal Trade Commission (FTC) imposed a $5 billion fine on Facebook for privacy violations related to the Cambridge Analytica Scandal.

On 1st November 2021, the Personal Information Protection Law (PIPL) aims at operating as an all-encompassing measure of data privacy laws akin to the GDPR. Irrespective of whether the company is located in the country, this regulation is imposed on all entities that manage personal data regarding any person in China.

Key Provisions of PIPL:

Consent and Transparency: Article 14 calls for data controllers to seek people's consent by informing them about the aim and extent of data gathering.

Data Localization: Article 38 requires that specific sensitive personal data must be stored and that strict regulations be established regarding cross-border data transfers.

Individual Rights: Articles 44-47 of PIPL bestow upon the individual the right to access their personal data, to modify that data, to delete it, and to withdraw from processing.

The Personal Information Protection Law is a reflection of China's aspiration to have more controls over personal data, indicating its movement toward stricter data privacy laws.

The field of data privacy has undergone tremendous development in India. India has not had any legislation concerning data privacy in the earlier days, but lately, the nation has sought the establishment of an all-encompassing framework for data protection.

Consent: Before processing any individual's personal data, it must obtain express consent from that person, as stipulated by Section 11 of the PDPB. 

Rights of Data Subjects: Sections 17, 18, and 19 of the Act allow individuals to check, update, and delete personal data regarding them.

 Data Localization: The PDPB, too, has its stipulations for data localization similar to the PEOPLE of China. For instance, Section 33 provides that sensitive personal data must be stored in India. 

Data Protection Authority: The law establishes the Data Protection Authority of India (DPAI) under Section 41-an independent authority to monitor compliance and investigate breaches.

K.S. Puttaswamy case, where the Supreme Court of India declared the right to privacy as a fundamental right under the Indian Constitution. This case has been pivotal in shaping data privacy discussions in India, especially with regard to government surveillance and the use of biometric data for the Aadhaar scheme.

The growing tendency of data privacy laws in different countries very clearly indicates the importance that people are attaching to their privacy in today's age. The Data Protection and Privacy Bill (DPDA) of India aligns with international norms and reflects the EU's GDPR by its sole focus on user permission, data localization, and data processor responsibility. However, it still has much to overcome, especially by striking an equilibrium between innovation and enforcement. Various cases notably stressed the importance of strong foundations and the fundamental right to privacy. International cooperation will be essential in harmonising data protection laws across borders so that effective privacy measures can remain in place globally as countries go along with the digital transition.

The issue of data privacy is increasing rapidly in the present digital world, with each country coming up with its own legislative frameworks to solve the problem. Other jurisdictions such as the US, China, and India, have varied approaches to the issue and thus try to balance privacy protection, innovation, national security, and economic interests. The other place is areas such as the European Union, with the high standards it has set for the protection of data as it brought in the General Data Protection Regulation. Nevertheless, even with the differences, there is common ground increasingly being made across countries worldwide for the importance of protecting personal information, as of course evidenced by several nations updating existing legal frameworks or enacting new ones to accommodate changes in societal norms and technology advancement. Harmonizing those different frameworks, however, remains a tricky business since it comes to cross-border compliance and the protection of the rights of persons in a globalized reality. Data privacy still does remain a dynamic and complex subject. International collaboration and a commitment to privacy norms will need to foster a more secure and clear future digitally for all.

1. General Data Protection Regulation (GDPR), EU – Regulation (EU) 2016/679 of the European Parliament and of the Council, April 27, 2016..

2. Health Insurance Portability and Accountability Act (HIPAA), USA

3. California Consumer Privacy Act (CCPA), USA

4. K.S. Puttaswamy v. Union of India (2017), Supreme Court of India.

5. Personal Data Protection Bill, 2019, Ministry of Electronics and Information Technology, India.

6. FTC v. Facebook, Inc. (2019), Federal Trade Commission.

7. Kuner, C. (2017). The General Data Protection Regulation: A Commentary. Oxford University Press.

8. Solove, D.J., & Schwartz, P.M. (2020). Information Privacy Law. Aspen Publishers.