The vast majority of IT and e-commerce services exported from Ukraine go to the EU and the US. Depending on where a business is registered, where its clients are located and where its services are provided, it is therefore important for Ukrainian and other companies to understand the differences between their national legislation and the laws of the states in which they operate.
In this article we compare the requirements of Ukrainian, European and Californian law on the basic matters of personal data protection.
1. Scope of the CCPA, GDPR and Law of Ukraine “On Protection of Personal Data”.
The scope of a legal act is usually described in terms of its personal, material and territorial scope. As to personal scope, all three acts protect the personal data of data subjects who are natural persons; the specifics of the “data subject” definition are discussed in sections 2 and 3 below. As to material and territorial scope, however, each act has its own particularities.
With regard to material scope, the Law of Ukraine “On Protection of Personal Data” (hereinafter “the Law”) provides that it regulates legal relations connected with the protection and processing of personal data, in particular processing carried out wholly or partly by automated or non-automated means. The General Data Protection Regulation (hereinafter “the GDPR”) has a similar scope, but sets it out in more detail and expressly lists the relations it does not cover (for example, activities that fall outside the scope of EU law, or processing by a natural person in the course of a purely personal or household activity).
By comparison, the California Consumer Privacy Act of 2018 (hereinafter “the CCPA”) establishes a broader material scope: it regulates the collection, processing and sale of the personal information of individuals, including the disclosure of such information for commercial purposes.
With regard to territorial scope, it should be underlined that the Law does not define its territorial scope in its provisions. Since the Law is an act of national legislation, however, it regulates relations concerning the processing of personal data within the territory of Ukraine. The GDPR, by contrast, defines its territorial scope explicitly, providing that it applies to:
- processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU;
- processing of personal data of individuals who are in the EU by a controller or processor not established in the EU, where the processing relates to offering goods or services to those individuals or to monitoring their behaviour within the EU.
The CCPA applies to companies that do business in the State of California, that is, carry on business activity for the financial, material or monetary benefit of their owners, and that meet one of the Act’s thresholds (annual gross revenue, the volume of consumers’ personal information handled, or the share of revenue derived from selling personal information). In addition, under California tax law a company located outside the state may still be treated as doing business within the state under certain conditions. However, if every aspect of a company’s collection and sale of personal information takes place wholly outside California, the CCPA does not apply to such relations.
2. Different Personal Data.
According to the Law, personal data is information or a set of information about a natural person who is identified or can be specifically identified. This definition is essentially borrowed from the GDPR text and slightly modified. Nevertheless, the category of personal data under the GDPR is broader and more detailed, because the GDPR:
- uses the construction “any information relating to a person” rather than information about a person (for example, the name of a company derived from a person’s first name would be information relating to that person, but not information about that person);
- further clarifies when a person is to be considered identifiable.
The category of personal information under the CCPA is broader still and covers even more information: it is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Of the three acts, the CCPA thus establishes the widest possible category of personal data.
The matter of “sensitive data” also deserves special attention. The GDPR defines these as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a person, health data and data concerning a person’s sex life or sexual orientation. The Law additionally restricts the processing of information about a person’s address (the so-called Blacklist).
The CCPA, on the other hand, contains definitions of biometric and medical information but, in its 2018 text, imposes no restrictions or special rules on the collection and processing of any particular category of personal information.
3. Are There Any Differences Between the Data Subjects under the CCPA, GDPR and Law of Ukraine “On Protection of Personal Data”?
The Law, the GDPR and the CCPA differ somewhat as to who is considered a data subject. The GDPR provides that a data subject is an identified or identifiable natural person. The Law defines a data subject as a natural person whose personal data is processed. These concepts are not significantly different in general, but the GDPR definition is better suited to the issues of anonymisation and pseudonymisation of data.
The CCPA defines the data subject (in its own terminology, the consumer) as a natural person who is a California resident, however identified, including by any unique identifier. As can be seen, the CCPA, unlike the GDPR, does not refer to identifiable individuals. Given the breadth of the CCPA’s concept of personal information, it is therefore theoretically possible for a company to be treated as collecting the personal information of a person with whom it has no direct relationship (for example, where information is acquired through a sale of data).
There are also similarities and differences in the regulation of the processing of minors’ personal data. Under both the GDPR and the CCPA, this regulation is built around two ages, 13 and 16. The GDPR provides that, where information society services are offered directly to a child and processing is based on consent, the consent of a child under 16 is valid only if it is given or authorised by the holder of parental responsibility. Member states may lower this threshold to no less than 13 years; most have used this option, and several (Belgium, Estonia, etc.) have gone all the way down to 13. Below the applicable threshold, a child’s own consent is not valid, and the consent of a parent or guardian is required.
The CCPA, in turn, provides that a company must obtain the affirmative consent (opt-in) of a consumer under 16 in order to sell that consumer’s personal information (under the general rule of the CCPA, described in section 4 below, the company need not obtain the data subject’s consent at all). If the consumer is under 13, the company must obtain the consent of the consumer’s parent or guardian before selling the information. Importantly, the CCPA treats a company as having knowledge of a consumer’s age only where it actually knew the age or wilfully disregarded it, so a company that sold a minor’s information without proper consent because it was genuinely unaware of the person’s real age is protected. The GDPR provides no such safe harbour; instead, it requires the controller to make reasonable efforts to verify that consent was given by the holder of parental responsibility.
Meanwhile, the current version of the Law contains no specific provisions on the processing of minors’ personal data.
4. What Is the Basis for Processing of Personal Data?
The GDPR establishes six grounds for the lawful processing of a data subject’s personal data. The most familiar ground is the data subject’s consent to the processing of his or her personal data. The other grounds are the need to perform a contract with the data subject, compliance with a legal obligation of the controller, the need to protect the vital interests of the data subject, the performance of a task in the public interest, and the legitimate interests of the controller or a third party. As with the definition of the data subject, the Law, with amended wording, reproduces the GDPR provisions and establishes the same six grounds on which data processing may be carried out.
The CCPA’s approach is fundamentally different: it establishes a presumption that the processing of personal information by a company is lawful. In other words, it contains no list of grounds on which personal information may lawfully be processed, treating its collection and processing as legitimate a priori. To protect the rights of data subjects, however, the CCPA establishes an opt-out right, namely the right of an individual to direct a company not to sell his or her personal information. Once such a request is received, the company has no right to sell that person’s information from the moment of receipt.
5. Differences of Liability under the CCPA, GDPR and Law of Ukraine “On Protection of Personal Data”.
The GDPR has the most developed liability mechanism, with a clear delineation of two tiers of fines:
- up to 2% of total worldwide annual turnover or 10 million EUR, whichever is higher, for breaches of the rules on the processing of minors’ data, the duties of controllers and processors, etc.; or
- up to 4% of total worldwide annual turnover or 20 million EUR, whichever is higher, for breaches of the data processing principles, data subjects’ rights, the rules on transfers to third countries, etc.
These fines are administrative in nature, i.e. they are imposed by the supervisory authority. The CCPA, in turn, provides for civil penalties, i.e. penalties that can only be imposed by a court, in an action brought by the Attorney General:
- 2,500 USD for each violation of the Act;
- 7,500 USD for each intentional violation.
The CCPA sets no upper limit on the total penalty. In addition, for certain data breaches it gives consumers a private right of action with statutory damages of 100 to 750 USD per consumer per incident. Compared to the GDPR and the CCPA, the Law regulates liability at the lowest level of detail: its text merely states that violations of the Law entail liability under the applicable legislation. The main liability provision is Article 188-39 of the Code of Administrative Offenses of Ukraine, which establishes the various fines. Additionally, Article 182 of the Criminal Code of Ukraine establishes liability for the dissemination of confidential information about a person or the unlawful alteration of such information (punishable by restriction of liberty for up to three years under the basic offence, with harsher penalties for aggravated cases).
Even a brief analysis of the provisions of the GDPR, the CCPA and the Law of Ukraine “On Protection of Personal Data” makes it clear that the three acts were adopted for different purposes, and that considerable differences follow from this.
The GDPR was adopted as a generally binding European legislative act to regulate the processing of personal data, and it is the most thorough, balanced and versatile of the three. It regulates the widest possible range of relations and issues in personal data protection, and as an additional safeguard it first relied on the Article 29 Working Party and then on the European Data Protection Board to provide clarifications of its provisions, creating a mechanism for remedying future legislative deficiencies.
The content of the CCPA, in turn, makes it clear that its main purpose was to regulate the sale of personal information. Its core provisions all revolve around this issue (opt-out and opt-in requests, consent to the sale of data, the right of a person to prohibit the sale, rather than the processing, of personal information, etc.), whereas the GDPR contains no provisions on the sale of personal data at all.
As for the Law of Ukraine “On Protection of Personal Data”, it was evidently adopted in order to harmonise national legislation with European legislation in light of new types of legal relations that were not yet regulated nationally. However, the Law appears to have been adopted hastily and without a full understanding of the specifics of these relations: it lacks many important provisions (for example, on the processing of minors’ personal data), and the logic and soundness of other provisions can often be questioned.