In Part II of this series, California-based Ali Baiardo, and London-based Alice O’Donovan, continue their comparison of the GDPR and California privacy law.
NEW DATA PROTECTION PRINCIPLES AND OBLIGATIONS ON BUSINESSES
a. Key data protection principles
The GDPR revolves around seven key data protection principles:
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimisation;
- Storage limitation;
- Integrity and confidentiality (security); and
The CCPA is centered around the principles of accountability and control, but these do not go as far as the GDPR. The CPRA expands on the CCPA’s requirements by introducing more principles and requirements. The CPRA prevents businesses from collecting personal information that is incompatible with the purpose for which the data was collected. This mirrors the GDPR “purpose limitation” principle. Businesses will be prohibited from holding the data for longer than reasonably necessary, which reflects the GDPR’s “storage minimization” principle, and businesses will be prohibited from collecting more data than is reasonably necessary for the disclosed purpose, which reflects the GDPR’s “data minimization” principle.
b. Records of processing
The GDPR requires controllers and processors to maintain records of all their processing activities. The CCPA did not have this requirement, but the CPRA gives the new regulatory authority the power to create regulations that will specify “record keeping requirements for businesses” to demonstrate compliance with the CRPA.
c. Data protection impact assessments
The GDPR requires controllers to undertake “data protection impact assessments” in cases where processing is likely to result in a high risk to the rights and freedoms of individuals. The aim of this requirement is to provide a process for the controller to identify and minimize the risks of a project.
The CPRA gives the California Privacy Protection Agency the power to issue regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to perform an annual cybersecurity audit or submit to a risk assessment to the privacy protection agency on a regular basis.
d. Cross-border transfers? Data Protection Officers?
The GDPR requires certain types of organization to appoint a “data protection officer” with responsibility for complying with data protection law. It also contains stringent restrictions on transferring personal data outside the EU. These requirements are not replicated in the CCPA or the CRPA.
Step closer to GDPR? Overall – YES
A NEW SUPERVISORY AUTHORITY – THE FIRST OF ITS KIND
Under the GDPR, each EU member state has an independent public body, known as a supervisory authority, responsible for monitoring the application of the GDPR and associated privacy legislation in that state. These authorities have the power to investigate breaches of data protection legislation, issue fines and take other regulatory action.
Under the CCPA, there was no dedicated supervisory authority. At present, no U.S. state has any privacy regulator. The CCPA did provide for fines for violations, but fines issued under the CCPA were enforced through the office of the California Attorney General.
The CPRA, however, establishes a new dedicated supervisory authority for data privacy: the California Privacy Protection Agency, which will have authority to investigate and enforce data privacy legislation.
This is arguably the single biggest step towards the GDPR. It makes California the first U.S. state with a dedicated data privacy supervisory authority. The authority is intended to be funded from the General Fund with $5 million in its first year, and $10 million per year thereafter (although some of these costs may be recouped via fines) confirming California’s commitment to privacy.
Step closer to GDPR? YES
On the face of it, the CPRA appears to move the California privacy landscape closer to the European one – with new rights for consumers, new obligations for businesses, and a new supervisory authority. However, it is important to remember that while the CPRA introduces new requirements, it simultaneously narrows the application of the CCPA (which was already considerably narrower than the GDPR) as part of its goal of ensuring that it is applied only to businesses of a certain size. This is presumably intended to avoid the problems created by the GDPR, which is often criticized for placing an onerous compliance burden on small businesses that do not deal in personal data, or on not-for-profit entities such as schools or charities.