Most people are aware that the EU General Data Protection Regulation 2016 (GDPR) will apply from 25 May 2018. However, it seems that many Hong Kong businesses are not aware of the wide-ranging impact of the GDPR on non-EU businesses and that they could actually be subject to the significant changes introduced by the Regulation.
What is the GDPR?
The GDPR is a new data privacy law intended to harmonize the data protection rules throughout Europe. It grants enhanced rights to individuals but also imposes significant new burdens on organizations and introduces increased fines and penalties for breach of the rules. It represents the biggest change to data privacy law in Europe in the last 20 years.
So how does the GDPR affect Hong Kong businesses?
The GDPR primarily affects organizations operating within the EU. However, the GDPR significantly expands the territorial scope of the EU data protection laws, and any organization dealing with EU businesses, or the personal data of subjects in the EU, may also need to comply with the GDPR.
The GDPR provides steep fines for companies that fail to comply. Administrative fines are calculated by reference to the company’s total worldwide annual turnover for the preceding financial year and can reach up to €20 million or 4% of that turnover (whichever is greater), or up to €10 million or 2% of that turnover (whichever is greater) for lesser infringements.
So how does it work?
The GDPR will apply to organizations located outside of the EU if:
- they offer goods or services to data subjects in the EU; or
- they monitor the behaviour of data subjects in the EU.
The location of the organization that collects the personal data is not important when considering whether the GDPR applies on this basis. The rules apply when personal data are collected from an individual who is located in an EU country at the time the data are collected and processed. This applies to any individual, not just EU citizens. By the same token, this limb of the GDPR does not apply to EU citizens whose data are collected and processed while they are outside of the EU.
Are you “offering goods or services”?
Businesses that already have an EU customer base, or that intentionally offer goods and services to EU data subjects, will obviously fall under the GDPR even if the business is outside the EU.
For others, it must be apparent that the organisation envisages offering goods or services to, or targets, individuals in the EU. This will be determined on the facts. Most websites are globally accessible, so the mere fact that individuals in the EU can access the website of a non-EU company will not, in itself, constitute offering goods or services to data subjects in the EU. Relevant factors that indicate intention include the use of an EU language or currency, references to EU users or customers, marketing activities directed at EU users, the use of EU phone numbers, or the use of EU top-level domain names.
In practice, a non-EU business that trades online, has a website in English which allows EU customers to place orders, and ships products to customers in the EU, risks falling within the GDPR’s scope unless it can show that it did not intend to offer goods or services to EU data subjects. The most reliable way to keep the business outside the GDPR on this ground is to make clear on the website that the goods/services are not intended for the EU and/or to actively exclude or disable orders from the EU.
Please note that the GDPR can apply even if the goods and services are free.
Are you “monitoring” EU data subjects?
The GDPR makes clear that “monitoring” the behaviour of EU data subjects means tracking people on the internet and includes the potential use of the information gathered to profile people, e.g., to analyse or predict their preferences, behaviours and attitudes.
The concept of “monitoring” under the GDPR is very wide. The fact that the GDPR gives profiling as an example of monitoring suggests that there should be intentional tracking and that the data should be actively used to profile the individuals or monitor their behaviour. Therefore, the incidental collection of IP addresses without making any further use of the data may not be covered by the GDPR. However, it is currently not clear how detailed the tracking of a data subject must be before the GDPR is triggered.
Are you “processing data”?
Separately, the GDPR applies to the processing of personal data by organizations with an establishment in the EU, where the processing takes place in the context of the activities of that establishment, regardless of whether the processing itself actually takes place in the EU.
The term “establishment” will be interpreted broadly and flexibly. An organization is likely to be regarded as having an establishment in the EU if it exercises “any real and effective activity”, even a minimal one, through stable arrangements in the EU. The legal form of the arrangement is not a determining factor; the presence of a sales office, or the appointment of an agent or representative in the EU, for the purposes of promoting or providing a company’s services to EU residents, may be sufficient.
So what are the implications for Hong Kong businesses?
If you are caught by the GDPR, there are many provisions that may affect your business. Hong Kong businesses may be subject to greater data protection obligations under the GDPR than is currently the case under the Hong Kong Personal Data (Privacy) Ordinance. There has been a great deal of discussion about the issue of consent and the significant penalties under the GDPR, but these are only two aspects of the GDPR that may apply. The key provisions are:
- Consent - Where an organisation relies on consent as its legal basis, the GDPR requires that consent be freely given, specific, informed, and unambiguous, and obtained before the personal data are collected from the data subject. An individual’s silence, inactivity, or failure to uncheck a pre-checked box will not indicate consent. Consent must not be “bundled” with other matters, and consent is unlikely to be treated as freely given where access to a service is made conditional on consent to processing that is not necessary for that service. Sensitive data require “explicit consent”. Organisations that do not obtain consent to collect personal data must have another valid legal basis (defined in the GDPR) for doing so. In Hong Kong, except for marketing purposes, businesses generally do not need consent when collecting data; they merely need to provide notice of the purpose of collecting the data. (However, they do need to inform data subjects whether it is obligatory or voluntary for them to supply the data, so data subjects may refuse to make the data available in some cases. Consent will also need to be obtained if a business subsequently decides to use the data for a purpose that was not notified.)
- Accountability and governance - The GDPR will require data controllers to implement technical and organisational measures to build privacy by design and by default into their processing, and to conduct data protection impact assessments before carrying out processing that is likely to result in a high risk to individuals, amongst other measures. There are no equivalent mandatory provisions in Hong Kong.
- Mandatory breach notification - Under the GDPR, data controllers that experience a personal data breach will be required, subject to some exceptions, to notify the supervisory authority in the relevant Member State without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is “unlikely to result in a risk to the rights and freedoms of individuals”. The data subjects should also be notified “without undue delay” if the breach is “likely to result in a high risk to the rights and freedoms of individuals”. In Hong Kong, there is no mandatory breach notification requirement.
- New and enhanced rights for individuals - The GDPR will give data subjects certain enhanced rights, such as the right to request erasure of their personal data in certain circumstances (the “right to be forgotten”), the right to data portability (the right to receive their personal data in a structured, commonly used and machine-readable format and to have it transmitted to another service provider), and the right to object to processing (including profiling). In Hong Kong, there is no general right to erasure (but data should not be retained for longer than necessary) and no right to data portability. There is also no right to restrict or object to processing, although data users will need to comply with data access and correction requests and requests to opt out from direct marketing activities.
- Data processors - The GDPR imposes statutory obligations directly on data processors for the first time, including maintaining records of their processing activities, ensuring the security of processing, and reporting data breaches to the controller. This means that data processors can face direct sanctions for non-compliance. In Hong Kong, data processors are not directly regulated. Data users are required to adopt contractual or other means to ensure that data processors comply with the law.
- Appointment of a designated representative - The GDPR provides that, subject to certain specified exemptions, a non-EU business caught by the rules must appoint a representative who is a natural or legal person established in the EU, for the purposes of GDPR compliance. The representative will act as a point of contact for requests by the supervisory authorities or data subjects and represents the controller or processor.
What should you do now?
The GDPR will affect businesses both inside and outside of the EU. Although the GDPR applies from 25 May 2018, it is not too late to act; recent studies show that many companies within the scope of the GDPR will not be compliant by the end of 2018. Even if your business does not have a European presence, if you are dealing with EU businesses or the personal data of subjects in the EU, you should assess whether your business or your data collection and processing activities fall within the scope of the GDPR. If your business is an international one, and especially if you have a strong internet presence, it may be safer to assume that some of your customers/users are data subjects in the EU.