What does the GDPR regulate?
The GDPR has applied since 25 May 2018 and prescribes how companies and organisations (controllers, and the processors acting on their behalf) may process "personal data", meaning any information relating to an identified or identifiable individual. Such data may only be processed lawfully, fairly and transparently: data subjects must be informed about the processing, and the controller must have an appropriate legal basis for it (which may or may not be consent). There are limits on how long personal data may be retained, and certain personal data breaches must be reported (a cyber-attack that exposes personal data being the obvious example). The GDPR expects organisations to implement appropriate technical and organisational measures to protect personal data, and to conduct data protection impact assessments in certain situations. Data transfers are a further compliance issue: organisations subject to the GDPR must ensure that personal data remains protected when it is transferred outside the EU, which in practice means relying on a recognised transfer mechanism (such as an adequacy decision, standard contractual clauses or binding corporate rules) or, in limited cases, on the data subject's explicit consent.
The GDPR replaces the EU Data Protection Directive (95/46/EC). The Directive's application was anchored to where the controller was established (or used equipment in the EU), and it attracted criticism as a result: organisations processing the personal data of individuals in the EU could avoid it by locating their business (and often their servers) outside the EU. The GDPR also looks to the location of the individual and, as a result, significantly expands the territorial scope of the regime.
The GDPR will be binding on organisations outside the EU if they process personal data:
- in the context of an establishment of a controller or a processor in the EU;
- relating to the offer of goods or services to individuals in the EU, whether or not payment is required (eg via a website offering delivery to the EU); or
- relating to the monitoring of the behaviour of individuals in the EU, as far as that behaviour takes place in the EU (eg by using cookies to track an individual's activity on the internet).
This will affect businesses and firms in Asia whenever one of the above limbs is satisfied. One point to note is that the second and third limbs turn on where the individual is, not on nationality: they do not apply to EU nationals who are based and resident outside the EU. So, absent an EU establishment, the GDPR does not apply to a Hong Kong entity's processing of personal data relating to its employees who are EU nationals but resident in Hong Kong.
The extra-territoriality test
In the context of an establishment
According to the recitals to the GDPR, establishment "implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect." Case law of the Court of Justice of the European Union suggests that the presence of a single representative may be sufficient. In Weltimmo v NAIH (C-230/14), a case decided under the Directive, Weltimmo, which was incorporated in Slovakia, was considered to be established in Hungary by virtue of operating a website in Hungarian that advertised Hungarian properties, using a local representative, and using a Hungarian postal address and bank account.
Offering goods and services
The overall test is whether the controller (or processor) envisages offering goods or services to individuals in the EU. The recitals to the GDPR make clear that the mere accessibility of a website in the EU, the publication of an email address, or the use of a language that is generally used in the controller's own country is not enough on its own, but that the following factors are strong indicators:
- language – using the language of a Member State where that language is not the one generally used in the home state, with the possibility of ordering in that language (eg a Japanese web shop with a website available in English and French);
- currency – using the currency of a Member State where that currency is not generally used in the home state;
- delivery – offering delivery to a Member State; or
- reference to EU customers – mentioning customers or users who are in the EU.
Monitoring behaviour
This limb is described as relating to the tracking of individuals online, including the subsequent use of profiling techniques to take decisions about an individual or to analyse or predict their personal preferences, behaviours and attitudes. It only bites as far as the monitored behaviour takes place in the EU. Examples of monitoring could include:
- online behavioural advertising;
- travel data of individuals using a city’s public transport system (eg tracking via travel cards);
- profiling and scoring for the purposes of risk assessment (eg for credit scoring, setting insurance premiums, fraud prevention or detection of money-laundering);
- location tracking, for example, by mobile apps; and
- monitoring of wellness, fitness and health data via wearable devices.
Whilst the GDPR represents an evolution rather than a revolution in data protection compliance for EU organisations, its application outside of the EU means a relatively steep learning curve for non-EU based organisations unfamiliar with European privacy standards.
It is worth noting that the mechanism for overseas enforcement of GDPR obligations is currently unclear. One concrete hook is Article 27, which requires most non-EU controllers and processors caught by the offering or monitoring limbs to designate a representative in the EU to whom supervisory authorities and data subjects can address themselves; beyond that, unanswered questions about the enforceability of the regime against non-EU companies suggest that, despite increased fines and sanctioning powers, reputation may be the key driver behind privacy compliance for market leaders outside the EU. In Asia, however, developing national data protection laws such as those in Japan and South Korea mean that organisations are having to adapt to EU-style obligations in any event.
Regardless of enforcement issues, it is clear that the GDPR will have far-reaching implications for non-EU entities and as such, its requirements must be taken into account. Companies should assess whether their activities will place them within the reach of the GDPR and EU regulators, and prepare accordingly.
Visit our GDPR hub to learn more and receive the latest updates on developments.