2.2.2. Privacy Regulations: GDPR, CCPA, and Global Frameworks
💡 First Principle: Privacy laws exist because individuals have a right to control information about themselves — and organizations that collect personal data become stewards of that right, with legal obligations that cannot be contracted away. The fundamental principle across all modern privacy frameworks is purpose limitation: data collected for one purpose cannot be secretly repurposed.
GDPR (General Data Protection Regulation) — EU regulation effective May 2018. The global standard that has driven privacy law development worldwide.
| GDPR Concept | Definition | Security Implication |
|---|---|---|
| Data Subject | The individual the data is about | Has eight rights (access, erasure, portability, objection, etc.) |
| Data Controller | Entity that determines why and how data is processed | Primary legal accountability for compliance |
| Data Processor | Entity that processes data on behalf of the controller | Must follow controller's instructions; DPA required |
| Lawful Basis | Legal justification for processing | One of six must apply: consent, contract, legal obligation, vital interests, public task, legitimate interests |
| Data Protection Officer (DPO) | Mandatory for certain controllers/processors | Advises on compliance; cannot be instructed on outcomes |
| Breach Notification | 72 hours to supervisory authority if risk to individuals | Must have detection and reporting capability |
| DPIA | Data Protection Impact Assessment | Required for high-risk processing |
| Transborder Transfer | Moving personal data outside EEA | Requires adequacy decision, SCCs, BCRs, or derogation |
GDPR penalties: Up to €20M or 4% of global annual revenue — whichever is higher. These are not theoretical; Meta (€1.2B), Amazon (€746M), and Google (€150M) have all received significant fines.
CCPA (California Consumer Privacy Act) — California law effective 2020, strengthened by CPRA (2023). Gives California residents rights similar to GDPR: know, delete, opt-out of sale, non-discrimination. Applies to businesses meeting revenue/data thresholds, regardless of location, if they process California residents' data.
Key distinctions between GDPR and CCPA:
| Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Scope | All personal data, all sectors | Consumer data, commercial context |
| Opt-in vs. opt-out | Opt-in (consent required for most processing) | Opt-out (must provide right to opt out of sale) |
| Children | 16 (member states may set a lower age) | 16 (opt-in required) |
| Enforcement | National supervisory authorities + individual right of action | CA AG + individual right of action for breaches |
| Data sale | No specific "sale" concept | Explicit right to opt out of sale of personal data |
Transborder data flows — moving personal data from the EU/EEA to countries without adequate protection requires one of:
- Adequacy decision — the European Commission has determined that the destination country provides equivalent protection (UK, Canada, Japan, others)
- Standard Contractual Clauses (SCCs) — EU-approved contract terms between controller and recipient
- Binding Corporate Rules (BCRs) — For intragroup transfers in multinational companies
- Derogations — Exceptions for consent, contractual necessity, vital interests, etc.
⚠️ Exam Trap: Transferring EU personal data to a US-based cloud provider is NOT automatically compliant just because the provider is a reputable company. The organization must have a lawful transfer mechanism in place (SCCs are the most common). The invalidation of Privacy Shield in 2020 (Schrems II) and its replacement with the EU-US Data Privacy Framework (2023) demonstrate that this landscape can change, so the transfer mechanism in use must be re-validated when the legal basis it relies on is challenged.
Reflection Question: A US company acquires a French startup that processes EU employee data. The US parent company's HR system is in the US. Identify three legal mechanisms the combined company could use to lawfully transfer the French employee data to the US HR system, and the tradeoff of each.