Data privacy regulation terminology: GDPR, CCPA, and more

Privacy regulations are proliferating.

And so are the terms, definitions, and requirements specified in all of them. We have talked previously a bit about the European Union (EU) General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other regulations, but in this post we wanted to get into the nitty-gritty details of some of the key pieces of legislation.

Understanding the key terms is no small feat given the densely worded content of government legislation and regulation. So we cut all the fat and gave you exactly what you need below.

What is a data subject?

According to the GDPR, a data subject is any natural person whose personal data is processed, irrespective of that person's citizenship or location. While this definition might imply that the GDPR applies to everyone in the world, the criteria for data controllers and processors limits it somewhat.

Specifically, the GDPR applies to all EU-established organizations as well as those that process personal data and offer goods or services to, or monitor the behavior of, EU residents.

Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) uses the similar term titular dos dados pessoais, which translates to “holder of personal data” from Portuguese. Its definition is similarly broad, like the GDPR's.

The CCPA, however, is much more narrowly tailored in that it applies only to California residents, which it calls “consumers.” There are no citizenship requirements to qualify as a consumer under the CCPA.

What is personal data?

The GDPR has the broadest conceivable definition of what personal data is, defining it as “any information relating to an identified or identifiable natural person.” The law does not limit what qualifies as personal data, only providing examples of what might count. Furthermore, even technical identifiers that could be unique to a single person can be considered personal data, including IP addresses and browser cookies.
The main exceptions to this definition are data processed in a non-automated manner and not stored, and any information processed purely for household purposes.

The CCPA has a similarly broad definition of the equivalent term (“personal information”), which it defines as anything “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

California's law, however, excludes information that is lawfully publicly available while the GDPR does not. This is a major difference between the two standards.

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) is similar in that it defines personal information as “any factual or subjective information, recorded or not, about an identifiable individual.” The Canadian law, however, has many exclusions such as data used for artistic, journalistic, literary, personal, and even some business reasons.

Perhaps most importantly for businesses subject to these regulations, some like the GDPR and CCPA provide a “right to erasure” for the subject of this data. This means that - upon request of this person - they will need to take reasonable steps to delete the data of the person in question. Without an effective compliance program and standard operating procedures in place, this can quickly become very difficult.

What are special categories of personal data?

The GDPR creates and explicitly prohibits almost all types of processing of certain special types of information, which are:

• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data
• biometric data for the purpose of uniquely identifying a natural person
• data concerning health
• data concerning a natural person's sex life or sexual orientation

Brazil's LGPD also specifies a similar category of “sensitive personal data” and restricts its processing. The CCPA doesn't have an equivalent category, but defines “biometric data” without specifying that it must be handled differently from personal information. Importantly, the CCPA does not govern the handling of protected health information (PHI), as defined by the United States Health Insurance Portability and Accountability Act (HIPAA) and similar rules. PIPEDA also explicitly identifies biometric data as being a type of personal information.

What is a data controller?

According to the GDPR, this is the entity that determines the purposes and means of processing personal data. It holds primary responsibility for data protection and can be a person, government agency, or corporation. An equivalent term used by the CCPA is “business,” but the law makes clear that it only applies to for-profit companies (with some narrow exceptions). This is a substantially narrower definition than that of the GDPR. Brazil's LGPD has a very similar definition.

To give an example: under the GDPR, an online retailer that collects personal data from its customers for the purpose of fulfilling their orders, providing support, and improving their product offerings would be the data controller. It is responsible for making decisions about how and when the personal data in question is used. The same retailer would also qualify as a “business” under the CCPA (assuming it is subject to the law).

What is a data processor?

In the modern economy, essentially every business needs to use third parties to do at least some of its data processing, including of personal data. This party is a “data processor” according to the GDPR, and can only process personal data based on a written contract or other legal obligation with the controller. These entities also become subject to GDPR and will need to assist in fulfilling “right to erasure” and similar requirements.

Under the CCPA, these organizations are called “service providers,” and controllers are required to enter into agreements with them that limit the processing of personal information only to the extent necessary to fulfill the original agreement.

Using the example of the online retailer above, if it uses a backend-as-a-service provider to store its customer data, that entity would be considered a processor.

What is a data sub-processor?

A data sub-processor is an entity that further processes personal data on behalf of a data processor, under the instruction of the data controller. The sub-processor essentially extends the data processing activities of the processor and is subject to the same data protection obligations. Under the GDPR, the original data processors must have the consent of the controller to engage with sub-processors.

The CCPA does not explicitly recognize sub-processors and treats them as another service provider. While liability may be transferred contractually to these organizations, they don't necessarily have the full brunt of legal responsibility carried by the business.

Completing the example of the online retailer, if the backend-as-a-service provider uses a major cloud vendor for hosting purposes, that cloud vendor would be a sub-processor.

Conclusion

The GDPR, CCPA, PIPEDA, LGPD and others are definitely difficult documents to consume. Even more difficult is understanding exactly how they apply in a modern technological context. Because legislation takes a long time to write, and technology moves so quickly, gaps can often emerge. With enforcement of the GDPR beginning more than 5 years ago, it is already clear that developments in artificial intelligence and other fields are creating unanticipated scenarios.

Staying on top of the latest regulatory developments can be a huge burden for businesses whose primary focus is elsewhere. That's why having an effective automation platform can be so crucial to saving time while staying compliant.

Want to see how we tackle this problem? Set up a demo today.