As data becomes the new oil of the digital economy, protecting personal information is no longer a luxury—it's a necessity. Across the globe, governments are responding by enacting privacy laws that empower individuals, known as data subjects, with rights over their data.
Rights provided under the three major data privacy frameworks are :
1. GDPR – General Data Protection Regulation (EU)
2. CCPA – California Consumer Privacy Act (USA)
3. DPDP Act – Digital Personal Data Protection Act (India)
Data subject rights
Data Subject Rights are legal entitlements granted to individuals to control how their data is collected, used, stored, and shared. These rights aim to enhance transparency, accountability, and individual autonomy in the digital age. Depending on the jurisdiction, rights may include access to personal data, correction of inaccuracies, deletion (the “right to be forgotten”), data portability, and objection to processing or profiling. Key regulations like the GDPR (EU), CCPA/CPRA (California), and DPDP Act (India) each offer distinct sets of rights, reflecting regional approaches to privacy while collectively empowering individuals to take charge of their digital identities.
GDPR: The Benchmark for Data Rights
Jurisdiction: European Union
Key Data Subject Rights:
1. Right to Access
Individuals can request a copy of their data held by organizations.
2. Right to Rectification
Data subjects can request the correction of inaccurate or incomplete data.
3. Right to Erasure ("Right to be Forgotten")
They can request deletion of their data under certain conditions.
4. Right to Restrict Processing
Data processing can be limited temporarily or permanently.
5. Right to Data Portability
Individuals can receive their data in a structured, commonly used format and transfer it to another controller.
6. Right to Object
Individuals can object to data processing for marketing or legitimate interests.
7. Rights related to Automated Decision-Making
They have the right not to be subject to decisions based solely on automated processing.
CCPA: A Consumer-Focused Model
Jurisdiction: California, USA
Key Consumer Rights:
1. Right to Know
Consumers can request details on what personal data is collected, used, shared, or sold.
2. Right to Delete
Consumers can ask businesses to delete their data.
3. Right to Opt-Out
They can opt out of the sale of personal data.
4. Right to Non-Discrimination
Consumers should not face discrimination for exercising their privacy rights.
DPDP Act: India’s First Comprehensive Privacy Law
Jurisdiction: India
Key Data Principal Rights:
1. Right to Access Information
Individuals (called Data Principals) can request info about their data and its processing.
2. Right to Correction and Erasure
They can request correction, completion, or deletion of their data.
3. Right to Grievance Redressal
If individuals are unsatisfied with an organization’s response, they can escalate the issue.
4. Right to Nominate
Individuals can nominate someone to exercise their rights in the event of death or incapacity.
Difference between gdpr, ccpa, and dpdpa
Aspect | GDPR | CCPA | DPDPA |
Full name | General Data Protection Regulation | California Consumer Privacy Act | Digital Personal Data Protection Act, 2023 |
jurisdiction | European Union & EEA | California, USA | india |
Effective date | May 25, 2018 | January 1, 2020 | August 11, 2023 |
Key rights provided | Access, rectify, erase, restrict, object, and portability | Right to know, delete, opt-out, and non-discrimination | Access, correct, erase, and grievance redressal |
Penalties for violations | €20M or 4% of global turnover | $7,500 per intentional violation | ₹250 crore (~ USD 30M) |
Data protection authority | EU Supervisory Authorities | California Privacy Protection Agency (CPPA) | Data Protection Board of India |
Consent requirement | Explicit and informed consent is required | Opt-out (except for minors) | Notice and consent-based |
By Ranya Gadhia
