14 June, 2018
Why the GDPR is relevant to you in the APAC region
As you're no doubt aware, the EU General Data Protection Regulation or "GDPR" came into force on Friday 25 May 2018. You will no doubt have received lots of emails in the run up to it coming into force explaining how businesses you interact with wish to use your data and asking for your consent to continue to use your data and market to you.
However, many business and consumers in the APAC region are not aware of why the GDPR may be relevant to them or the wide-ranging impact of the GDPR on businesses outside the EU.
What is the GDPR?
The GDPR is a new data privacy law which is intended to harmonise and enhance data protection laws across the EU. It builds upon the existing EU data protection regime established under the 1995 Data Protection Directive giving individuals significantly enhanced rights in relation to the use of their personal data and also imposes significant new obligations on organisations processing personal data, and significantly increased fines for breaking the rules.
The GDPR is one of the most wide ranging pieces of legislation passed by the EU in recent years, and the concepts it introduces such as the ‘right to be forgotten’, data portability, data breach notification and accountability (to name only a few) will take some getting used to.
Why is it potentially relevant to you?
Like the previous legislation, the GDPR applies to data controllers and data processors established in the EU.
However, the GDPR seeks to significantly increase the geographical scope of EU data protection law and therefore there are two circumstances where the GDPR will apply outside the EU:
Targeting EU residents
Where businesses outside the EU are processing EU residents' personal data in connection with goods or services which they are offering to them, the GDPR will apply. This will be most directly applicable to websites and apps.
For the GDPR to apply it must be apparent that the organisation “envisages” that activities will be directed to EU individuals. So a website merely being accessible from within the EU is not sufficient.
Similarly, having contact addresses accessible from the EU and the use of a language used in the controller’s own country are also not sufficient. However, the use of an EU language or EU currency, the ability to place orders in that other language and references to EU users or customers will all be factors to be taken in consideration. It is irrelevant to any analysis that the goods or services are provided for free.
For example:
- an Australian company having a website in English selling goods in Australian dollars but accessible from the EU would be unlikely to be considered offering good or services into the EU; but
- a Hong Kong company's website available in English, French and German, giving the option of paying in Hong Kong dollars, US dollars and Euro would be likely to be.
Similarly:
- a Singapore financial institution's banking iPhone app intended for Singapore based customers to undertake Singapore transactions would not be subject to the GDPR simply because a Singaporean customer used it on business trip in France but if it was targeted at expatriate Singaporeans living in the EU to undertake banking transactions in Singapore it would be likely to be.
Please note that the GDPR does not apply to activities outside the EU simply because a data subject is a national of an EU country so, for example, a German national living in Hong Kong using a Hong Kong website does not have any different privacy rights from any other Hong Kong user of that site.
Monitoring
Where the behaviour of individuals within the EU is “monitored” the GDPR will apply. This would include the use of obvious physical monitoring devices such as wearables and activity monitors, and overt (or covert) location monitoring in iPhone and Android apps.
However, it also specifically covers tracking individuals online to create profiles, including where this is used to take decisions to analyse or predict personal preferences, behaviours and attitudes.
Accordingly, the use of cookies, web analytics tools and other tracking techniques will be subject to the GDPR if individuals within the EU can be directly or indirectly identified.
What is the impact for businesses in APAC?
If the GDPR applies to your activities then there will be a range of different provisions and obligations which will apply to your processing of relevant personal data.
Whilst publicly the most obvious difference will generally be that you have to update your privacy and cookie policies to comply with the GDPR requirements for "privacy notices", there are a range of other obligations which will apply to your processing activities. Key impacts include:
Privacy notices
The GDPR sets out more detailed requirements in relation to the information which must be provided to data subjects when their personal data is being processed.
This information must be provided in a concise, transparent, intelligible and easily accessible way, using clear and plain language (in particular where the data subject is a child). Generally the minimum requirements include:
- the identity and contact details of the controller (or its representative, for a non-EU established controller); contact details of the Data Protection Officer;
- the purposes of processing and legal basis for processing, including the “legitimate interest” pursued by the controller (or third party) if this is the legal basis;
- details of recipients, or categories of recipients;
- details of data transfers outside the EU, including how the data will be protected (e.g. the recipient is in an adequate country; "Binding Corporate Rules" are in place etc.);
- the retention period for the data or, if not possible, then the criteria used to set this;
- a statement that the individual has a right to access and port data, to rectify, erase and restrict his or her personal data, to object to processing and, if processing is based on consent, to withdraw consent;
- a statement that the individual can complain to a supervisory authority;
- whether there is a statutory or contractual requirement to provide the data and the consequences of not providing the data; and
- details of whether there will be any automated decision taking – together with information about the logic involved and the significance and consequences of the processing for the individual.
When this information needs to be provided will depend on a number of factors including whether you are collecting personal data directly from the individual or whether it is obtained indirectly from a third party.
Consent
Under the GDPR (as under the previous regime), businesses have to be able to satisfy a lawful processing condition before they can process personal data. The processing conditions most regularly used by businesses are: consent; necessary to perform a contract with the individual; necessary for compliance with a legal obligation; or necessary for a legitimate interest.
The conditions for obtaining consent have become stricter: individuals must have the right to withdraw consent at any time; and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities and that forced, or "cover-all", consent mechanisms will not be valid.
Where your use of personal data is based on consent given by individuals, this will need to be reviewed to confirm that it is in compliance with the requirements of the GDPR. Where relying on consent, you need to ensure that:
- consent is active, and does not rely on silence, inactivity or pre-ticked boxes;
- consent is distinguishable, clear, and is not “bundled” with other written agreements or declarations, and separate consents are obtained for distinct processing operations;
- supply of services is not made conditional on consent which is not necessary for the service being supplied;
- individuals are informed that they have the right to withdraw consent at any time and there are simple methods for withdrawing consent; and
- consent is not relied on where there is a clear imbalance between the data subject and the controller.
For businesses which rely on consent to processing, verifiable parental consent is required for use of a child’s personal data. Member States are free to set their own rules for those aged 13 to 15 (inclusive). If they choose not to, parental consent is required for children under 16.
Enhanced and new data subject rights
The GDPR builds upon existing rights individuals have in relation to having the right to access personal data which is held about them and the right to have that information rectified if it is not correct.
Under the GDPR, individuals have enhanced rights to have their data erased in certain specified situations (the so-called "right to be forgotten"), the right to portability whereby they are entitled to receive their personal data in a form which can be easily transferred to another service provider and to restrict their processing of personal data in circumstances where individual has disputed the processing of their personal data.
With all data subject rights, the controller must comply “without undue delay” and “at the latest within one month”, although there are some possibilities to extend this.
Data governance obligations
The GDPR requires all organisations to implement a wide range of measures to reduce the risk of their breaching the GDPR and to prove that they take data governance seriously.
These include accountability measures such as: Privacy Impact Assessments, audits, policy reviews, activity records and (potentially) appointing a Data Protection Officer.
In addition, organisations must implement technical and organisational measures to show that they have considered and integrated data compliance measures into their data processing activities (so-called: 'privacy by design").
Mandatory breach notification
The GDPR subjects data controllers and data processors to a general personal data breach notification regime.
Data processors must report personal data breaches to data controllers.
Data controllers must report personal data breaches to their supervisory authority within 72 hours of discovering the breach unless the breach is "unlikely to result in a risk to the rights and freedoms of individuals".
In addition, data controllers may be required to notify affected individuals without undue delay if the breach is "likely to result in a high risk to the rights and freedoms of the individual".
Data controllers must maintain an internal breach register.
Appointment of a representative
Where non-EU data controllers are processing personal data which is subject to the GDPR they are required to appoint a person or company within the EU to be its representative who can be contacted by individuals and supervisory authorities in relation to data protection matters.
What if you haven't complied?
The consequences of non-compliance can be considerable.
Under the GDPR, individuals have the right to seek compensation directly from data controllers and data processors if their rights have been breached.
In addition, the regulation includes a potential maximum fine of the higher of €20,000,000 or 4% of global turnover and supervisory authorities are required to ensure that fines are "effective, proportionate and dissuasive".
Finally, consumers in the EU take data privacy seriously and are broadly supportive of the GDPR, accordingly the negative publicity and business consequences of non-compliance should not be underestimated.
Click here to go straight to our GDPR guide.
For further information, please contact:
Alexander Shepherd, Partner, Bird & Bird
alexander.shepherd@twobirds.com