Indiana Data Protection Law: Sectoral Exceptions Regulated by Other Laws

The factor of Sectoral Exceptions Regulated by Other Laws is used in determining the law's applicability by exempting data processing activities that are already governed by specific regulations with established data protection standards, thereby preventing duplicative regulation for sectors such as healthcare, finance, and research.

Text of Relevant Provisions

ICDPA Ch.1(1)(b)(2):

"(b) This article does not apply to any of the following: (2) Any financial institutions and affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.)."

ICDPA Ch.1(1)(b)(3):

"(b) This article does not apply to any of the following: (3) Any covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (45 CFR Parts 160 and 164) pursuant to HIPAA."

ICDPA Ch.1(2)(1):

"The following information and data are exempt from this article: (1) Protected health information under HIPAA and related regulations under 45 CFR Part 160, 45 CFR Part 162, and 45 CFR Part 164."

Analysis of Provisions

The Indiana Consumer Data Protection Act (ICDPA) includes several provisions that exempt data processing activities regulated by other laws. For example, ICDPA Ch.1(1)(b)(2) exempts financial institutions and affiliates subject to the Gramm-Leach-Bliley Act (GLBA). Similarly, ICDPA Ch.1(1)(b)(3) exempts covered entities and business associates governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (45 CFR Parts 160 and 164) pursuant to HIPAA.

Additionally, ICDPA Ch.1(2)(1) exempts protected health information under HIPAA and related regulations. These exemptions indicate that the law does not apply to data processing activities that are already regulated by specific laws with established data protection standards.

Implications

The inclusion of these exemptions has significant implications for businesses in Indiana. For example, a healthcare provider that is already subject to HIPAA would not need to comply with the ICDPA for the same data processing activities. Similarly, a financial institution that is subject to the GLBA would not need to comply with the ICDPA for the same data processing activities.

However, it is important to note that these exemptions only apply to the specific data processing activities regulated by these laws. If a business engages in data processing activities that are not regulated by these laws, they would still need to comply with the ICDPA.

For instance, a company that processes personal data for marketing purposes would still need to comply with the ICDPA, even if they are exempt from the law for data processing activities related to healthcare or finance.