In planning international information systems and seeking to comply with relevant legislation, EU data protection laws have always been the “Gold Standard.” Generally speaking, personal data collected in EU member states must not be sent outside the EU bloc unless the recipient has agreed to provide equivalent protections or informed consent has been obtained from the data subject. However, when the GDPR (the EU’s new General Data Protection Regulation) comes into force on 25 May 2018, the Gold Standard will receive a dramatic boost.
Compliance rules for Asian businesses
Businesses in Asia must be aware of extra-territorial application of the GDPR. Compliance is required by any business with an “establishment” in the EU, where personal data relating to the business is processed—even if that processing occurs outside the EU.
“Establishment” is widely drawn and can be triggered by the appointment of a sales agent in an EU state. Even those without an EU “establishment” must comply with GDPR to the extent they offer goods or services or monitor the behavior of individuals in the EU.
For most businesses of any international scale, and many online businesses of any size with a distributed customer base, GDPR compliance is an unavoidable requirement. The reason GDPR is such a big deal is that its instigators wish to put the genie of big data overuse back in the bottle.
Control over the extent of personal data use is now intended to reside much more with the individual concerned. Facebook has already voted with its feet, by migrating its non-EU users away from its legal center for business in Ireland.
Many traditional aspects of data protection have been boosted, and new types of regulation introduced.
The GDPR definition of “personal data” is enhanced so as to include data subjects (humans) capable of being indirectly identified (including via location data, online identifiers, or cultural or social identity—among a raft of other identifiers).
As a central concept of the GDPR, “processing” extends beyond the ordinary meaning of the word to include collection, recording, storage, adaptation, disclosure and erasure for the purpose of data processing. Obligations are imposed directly both on data controllers (similar to the Hong Kong PDPO’s “data user”) as well as data processors (who are not directly regulated by PDPO).
The GDPR defines “consent” as a “freely given, specific, informed and unambiguous indication of a data subject signifying his agreement to processing of personal data by either a statement or a clear affirmative action.” In the consumer context, this will require an “opt-in” check box. Where data is collected for multiple purposes, “opt-in” check boxes should be provided for each separate purpose, as bundled consent is to be avoided. Online marketers have been railing against “opt-ins” for decades, and compliance with this requirement will likely require an operational sea change in this space. In the employment context, even written consents obtained in an employment contract are now unlikely to be valid, given the inequality of bargaining power at the point an employment contract is signed.
Mandatory breach notification
The GDPR dictates that data protection regulators must be informed by data controllers and processors of a data breach no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Until now, lukewarm notification requirements have led data controllers to adopt a “wait and see” attitude, struggling to manage the breach response while hoping that losses are minimized.
Regulators in the EU will be enabled to impose two-tier administrative fines on data controllers and data processors for contravention of the GDPR. The headline news is that the upper tier of administrative fine (of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year) transforms data protection legislation from a largely toothless tiger to a much more fearsome beast. These figures are up there with anti-trust and environmental protection sanctions and mark the coming of age of data protection regulators.
Additional and improved rights for individuals
The GDPR imposes or clarifies various extra rights for data subjects, including:
• an enhanced right to notice on data processing—this increases the prescribed information that a data controller must provide in advance of collecting data from an individual;
• the “right to be forgotten”—an individual’s right to require organizations to delete his personal data without undue delay under specified circumstances;
• an enhanced right to object to and/or to restrict processing—this includes, but is not limited to, use for direct marketing purposes and profiling; and
• a new right to data portability.
Enterprises preparing for GDPR implementation have had to review and update not only their customer and employee facing data arrangements but also the agreements involving the processing of personal data by processors, which will have to contain certain minimum mandatory provisions. The GDPR allows no “grandfathering” of pre-existing contracts, so everything must be negotiated from scratch.
It is hoped that once GDPR compliance has been achieved by organizations, they will be able to operate in more of a steady state going forward. Unfortunately, each jurisdiction across Asia Pacific operates its own separate data protection laws, and with China’s entry into the ring with its Cybersecurity Law last year (with its effects yet to be felt owing to its phased introduction) and the extreme complexity of the EU regulations, this will remain a demanding area of compliance going forward.
The GDPR versus the PDPO
Hong Kong’s Privacy Commissioner has recently published a worthwhile analysis of GDPR and comparison with Hong Kong’s PDPO. In fairness, many of the Hong Kong Privacy Commissioner’s regulatory measures are aspirational, rather than backed by statute:
• the accountability and governance standards of GDPR are not included in the PDPO but our Commissioner has for a number of years advocated the adoption by enterprises of a privacy management program and the conduct of privacy impact assessments as good practice;
• Hong Kong has no mandatory breach notification requirement, although notification to the Privacy Commissioner (and data subjects, where appropriate) is recommended;
• none of the enhanced or new GDPR rights referred to above are enshrined in the PDPO, although the essential right of data access and the requirement to purge data once its use life has expired have always been in place. In the area of direct marketing activities, Hong Kong stands (depending on your viewpoint) as a regional leader in terms of restrictive regulation. The degree of complexity involved in this aspect of the PDPO (imposed in 2012 in response to the Octopus scandal) indicates how extraordinarily difficult it would be for Hong Kong to adopt its own legislation so as to mimic GDPR protections. Nobody is seriously suggesting, I hope, that that is attempted.
Peter Bullock is a partner and technology lawyer with King & Wood Mallesons.