Comparative Study of Data Protection Laws: USA vs. India
Few will argue that in this digital era, where science fiction keeps edging closer to scientific fact, rules around data protection that preserve our privacy and dignity have gone from nice-to-haves to must-haves. The contrast is especially stark between two very significant global players, the United States and India. In this blog we compare the essential elements of their respective data protection laws and look at how similarly or differently each has been implemented.
The History
USA
The US has mostly dealt with data protection by cobbling together a framework from sector-specific regulations rather than one uniform, comprehensive law. Important legislation includes the Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act (GLBA). Adding to the complexity are more recent state-level laws, such as the California Consumer Privacy Act (CCPA).
India
India’s first step towards regulating data commenced with the Information Technology (IT) Act, 2000, which still left a long way to go and was amended in 2008. As technology advanced and its use needed regulation, the government introduced the Personal Data Protection (PDP) Bill in 2019; that Bill was later withdrawn and replaced by the Digital Personal Data Protection (DPDP) Act, passed in 2023. The Act aims to create robust regulation that reflects the interests of both industry and individuals, while codifying protections for individuals’ personal data.
Legal Framework
USA
The Privacy Act of 1974 is landmark legislation governing the collection and use of personal information within systems of records maintained by US federal agencies. It requires executive branch agencies to obtain an individual’s written consent before disclosing their records (with stipulated exceptions, for example statistical use by the Census Bureau). It also gives people the right to see the records held about them, to request correction if they are inaccurate or incomplete, and to prevent agencies from using or disclosing their personal data arbitrarily. The Privacy Act was designed to regulate federal data practices so that the privacy and rights of individuals are not infringed, serving as a check on how information about citizens is handled by the government.
Signed into law by President Bill Clinton in 1996, the Health Insurance Portability and Accountability Act (HIPAA) set critical ground rules for how healthcare organizations use and maintain patients’ medical information. It applies only to “covered entities”: health plans, including government programs like Medicare and private insurers; healthcare clearinghouses that collect and process medical information; and healthcare providers, such as doctors, nurses and hospitals, that transmit health information electronically. HIPAA ensures that patients can access their health records and exercise control over that information, and it bars covered entities from using or disclosing a patient’s protected health information without the individual’s authorization, outside of permitted purposes such as treatment, payment and healthcare operations. Most people think HIPAA covers all health data, but it only governs data held by or exchanged with a covered entity (and the business associates that handle data on its behalf).
The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, places strict limits on what online services can do with personal information collected from children under the age of 13. COPPA requires websites and online services directed at children to post an online privacy policy describing their data collection practices and to obtain verifiable parental consent before collecting personal information from a child. Parents can also review their child’s data, revoke consent and have the record deleted so that nothing further is collected. Companies must keep the data they collect on children confidential and retain it only as long as necessary to fulfil the purpose for which it was collected. Because COPPA’s requirements are so stringent, platforms such as Facebook and Twitter require users to confirm that they are at least 13 years old when creating an account.
One important regulation assuring data privacy at financial institutions is the Gramm-Leach-Bliley Act (GLBA) of 1999, also signed into law by President Clinton. The law changed how companies offering financial products and services, whether loans, financial advice or insurance, must protect the consumer data they accumulate. Financial firms must maintain safeguards that protect the confidentiality and security of nonpublic personal information against anticipated threats, and must provide privacy notices that detail what data is collected, what it is used for and with whom it may be shared. The GLBA also gives consumers the right to opt out of information sharing with non-affiliated third parties for purposes unrelated to the consumer’s transaction or relationship with the institution, giving customers additional control over their personal financial data.
The California Consumer Privacy Act (CCPA), passed in 2018 and in force since 2020, is widely regarded as the most stringent U.S. data privacy law. It applies to businesses that collect the personal information of California residents and gives them a slew of rights over their data: the right to know what personal information a business collects and with whom it is shared, the right to have that data deleted, the right to opt out of the sale of their data, and protection from discriminatory treatment for exercising these rights. The California Privacy Rights Act (CPRA), approved by voters in 2020 and effective from 2023, further strengthened the CCPA by adding rights to correct inaccurate data and to limit the use of sensitive personal information, and by creating a dedicated enforcement agency, the California Privacy Protection Agency.
India
The Information Technology Act, 2000 (IT Act) is the foundational law governing cyber activities in India, regulating everything from electronic commerce to cyber offenses. It was enacted to provide a legal framework for electronic transactions and set early guidelines for data protection and privacy, making it among the country’s earliest attempts to regulate digital information. It provides for the authentication of electronic records, recognizes digital signatures and prescribes penalties for hacking, unauthorized access and data breaches. The IT Act also empowers the government to frame rules on data security and obliges companies handling sensitive personal data to follow reasonable security practices. Amendments over the years, notably in 2008, tried to raise the level of data protection, but as the digital landscape evolved, the demand for more comprehensive and updated legislation led to the drafting of the Personal Data Protection Bill.
The Digital Personal Data Protection (DPDP) Act, 2023 is touted as a watershed moment for data protection policy in India, shaped by the successive, progressively diluted drafts that preceded it. Compared to the 2019 Bill, the DPDP Act adopts a light-touch regulatory framework, reducing the obligations on businesses and the protections accorded to individuals while leaving broad discretionary powers with the central government. The Act is not limited to Indian citizens and businesses: it applies to digital personal data processed within India regardless of the individual’s citizenship, and it reaches processing outside India when it is connected with offering goods or services to individuals in India.
The DPDP Act permits processing of personal data only for a lawful purpose, either with the individual’s consent or under one of the “legitimate uses” the Act enumerates. Consent must be free, specific, informed, unconditional and unambiguous, and the data collected under it is limited to what is necessary for the specified purpose.
Individuals have the right to withdraw their consent at any time, and data fiduciaries must be able to tell an individual, on request, the identities of the other data fiduciaries and processors with which their personal data has been shared. The Act also carves out certain “legitimate uses” for which consent is not required, such as the provision of government services and benefits, compliance with a legal obligation, medical emergencies and the interests of national security, though this raises questions about potential government overreach, since data may be shared between state agencies without the individual’s consent.
Data fiduciaries, the entities that determine the purpose and means of processing, are required to maintain reasonable security safeguards, ensure the accuracy of the data, notify the Data Protection Board and affected individuals of breaches, and erase personal data once its purpose has been served. Significant data fiduciaries (SDFs), designated on the basis of factors such as the volume and sensitivity of the data they process, carry additional obligations, including appointing a data protection officer based in India, conducting periodic data protection impact assessments and audits, and other compliance measures.
The DPDP Act relaxes the data localization requirements found in earlier drafts: personal data may be transferred outside India except to countries or territories that the central government restricts by notification. Sectoral regulations, such as those of the Reserve Bank of India, may still impose stricter localization mandates, and the Act preserves them.
It also includes wide exemptions, permitting data processing without consent for certain legal, governmental and research purposes, and grants the government significant discretionary power to exempt certain entities, including startups, from various provisions. Most controversially, a clause empowers the central government to notify that any provision of the Act shall not apply to a given data fiduciary or class of data fiduciaries, for a period it specifies, within five years of the Act’s commencement, which has led to concern over excessive control by the government.
The independent Data Protection Authority (DPA) proposed under the 2019 Bill has been replaced with a far more circumscribed body, the Data Protection Board (DPB), whose powers are limited to directing remedial measures after a data breach, inquiring into breaches and complaints, and imposing penalties. The DPB is not a regulatory authority and has no power to frame regulations or codes of conduct, and its members are appointed by the central government, which takes away some of its independence. The Act also adds an entirely new enforcement mechanism not found in previous drafts: after the Board has imposed penalties on a data fiduciary on more than one occasion, the central government may, on the Board’s advice, block public access to the information or services that fiduciary provides. While the DPDP Act 2023 genuinely tries to simplify the regulatory landscape, fundamental reservations remain about where it draws the line between protecting individual privacy and extending government authority, and about the accountability standards it sets for fiduciaries.
THE COMPARISON
Scope and Applicability:
United States:
U.S. laws are typically organized in sector-by-sector silos, targeting specific kinds of information or entities such as healthcare providers or financial institutions. On top of this, state-level laws such as the California Consumer Privacy Act and its kin add their own requirements for businesses domiciled or doing business within those states.
India:
The DPDP Act is a broader, sector-neutral law that applies to all entities processing the personal data of individuals in India. It covers non-citizens located in India and has extraterritorial application to data processing carried out outside India in connection with offering goods or services to individuals within the territory.
Rights of Individuals:
United States:
Under U.S. law, the rights on offer depend on the sector. HIPAA gives individuals control over their health information, COPPA gives parents rights over data collected about their children, and the CCPA gives California residents the right to access and delete their data and to opt out of its sale.
India:
The DPDP Act provides an extensive regime of rights for data principals, including the right to give and withdraw consent, the right to access their personal data and the right to have it corrected or erased. The Act also reflects transparency: on request, data fiduciaries must inform individuals of the entities with which their personal data has been shared.
Enforcement and Regulatory Oversight:
United States:
In the U.S., enforcement is decentralized, with multiple agencies regulating different sectors. The Department of Health and Human Services (HHS) enforces HIPAA, while the Federal Trade Commission (FTC) is the major player in enforcing consumer protection laws such as COPPA and the GLBA privacy provisions. State laws are enforced by state attorneys general; the CCPA is enforced by the California Attorney General and, since the CPRA, by the California Privacy Protection Agency.
India:
The DPDP Act establishes the Data Protection Board (DPB) as an adjudicatory body responsible for inquiring into data breaches and complaints and imposing penalties. Unlike the earlier proposed DPA, however, the DPB has no power to frame regulations or codes of conduct, and its members are government-appointed, which may affect its independence.
Data Localization:
United States:
The U.S. has no federal data localization requirement; however, some sector-specific rules, such as Department of Defense contracting requirements for certain sensitive information, may require data to be stored within the United States.
India:
The DPDP Act relaxes the localization mandates that appeared in previous drafts. Transfers outside India are now permitted by default, subject only to the central government restricting transfers to specific countries by notification and to stricter sectoral rules. That is a looser standard than in previous drafts.
Exemptions and Government Powers:
United States:
U.S. law also provides for certain exemptions, such as those related to national security or to specific law enforcement activities; however, these are typically clearly drawn and confined to specific circumstances.
India:
The DPDP Act gives the government sweeping powers: it may exempt classes of data fiduciaries from provisions of the Act, and it may process personal data without consent in the interests of state security, for the prevention and detection of crime, or for public health. This sweeping authority has raised concerns about government overreach.
Conclusion
The data protection frameworks of the US and India reflect their respective legal and cultural settings. The U.S. takes a sector-focused approach, with laws addressing particular sectors such as healthcare and finance and substantial variation at the state level. India’s DPDP Act, in contrast, paints on a very broad canvas: a single, centralized regime covering all sectors, not so different in ambition from the GDPR, that is efficient but also hands the government considerable discretion and is generously peppered with exemptions. Both frameworks protect personal data, but they do so in different ways that echo the larger differences between the two nations.
