29 December, 2018
The intention behind the issuance of the General Data Protection Regulation (GDPR) is commendable: to standardize and simplify data protection legislation across all European Union countries, so that both EU citizens and businesses (involving EU citizens) can benefit and thrive in our borderless digital era. The aim of the GDPR is to give EU citizens better protection and control of their personal data.
Nevertheless, since the GDPR was issued business players have raised a substantial number of questions and concerns, with compliance being one of the most significant concerns among non-EU businesses, including Indonesian companies.
This is due to the extraterritorial scope of the regulation, coupled with rather heavy penalties, with maximum fines of 4% of a company’s annual global turnover or up to 20 million euros (approximately USD 22 million).
Are non-EU companies liable under GDPR?
Article 3 of the GDPR provides two conditions under which a non-EU company may be subject to the provisions of the data protection regulation. The first is when a non-EU company processes the personal data of subjects in the EU and where the processing is related to the offering of goods or services to EU citizens, regardless of whether a payment by the EU citizen is required. The second condition is when a non-EU company is considered to be monitoring the behavior of EU citizens that takes place within EU territory. The scope of these conditions under Article 3 can be interpreted very broadly in practice, and there is no clear guidance as to what constitutes an “offering of goods or services” or “monitoring the behavior of EU citizens.”
Pursuant to Recital 23, to determine whether an activity can be considered as offering goods or services to EU citizens, a case-by-case basis assessment must be made. That assessment should identify whether the non-EU company actually envisaged offering services to data subjects in one or more EU countries by analyzing the non-EU company’s business intentions.
Even if the non-EU company has a website in the EU that can access the email addresses or other contact details of EU citizens, that does not necessarily prove the intention of offering goods or services. Or, for example, the fact that a non-EU company’s website uses a language commonly used in a third country where the non-EU company was established is insufficient to determine such intention. But if the website uses a language or currency commonly used in one or more EU countries, while at the same time it is possible to order goods or services in that other language, there is a chance that the non-EU company will be deemed as offering goods or services to data subjects in the EU.
As for the behavior monitoring test, this can occur when an individual is “tracked on the internet.” Recital 24 provides that this can include the use of data processing procedures to profile an individual, followed by taking a decision regarding that individual or analyzing or predicting the individual’s personal “preferences, behaviors and attitudes.” This suggests that an element of intentional or active tracking is required for the application of the GDPR to non-EU companies. Although, practically speaking, it might be difficult to identify non-EU companies collecting the data of EU citizens and actively analyzing their preferences, behaviors and attitudes, there is still a chance that the activity will be discovered or reported.
What does GDPR mean for Indonesian companies?
Given the foregoing, it is apparent that Indonesian companies can also be subject to the GDPR, especially those with businesses involving the internet or technology, such as online retailers, the travel and hospitality industry, or financial services. The GDPR also most likely covers large multinational companies with subsidiaries, offices or employees in the EU, and possibly small and medium businesses operating online that have customers in the EU.
Considering the heavy penalties under this data protection regulation, these companies are advised to determine whether they are subject to the GDPR and to take the appropriate steps to comply if they are.
Fahrul S. Yusuf, Partner, Soewito Suhardiman Eddymurthy Kardono
fahrulyusuf@ssek.com