1 June 2018
New EU Data Protection Regulation Set to Have Impact on Hong Kong Companies Operating in the EU
On 25 May 2018, the new General Data Protection Regulation (the GDPR) became directly applicable throughout the European Union. This new instrument, which establishes a harmonised set of rules on the protection of the personal data of individuals, replaces the previous framework of the old Data Protection Directive 95/46/EC and its national implementing laws.
Hong Kong sellers with interests or activities in any of the EU's Member States will be affected by the new rules, and should be warned that non-compliance can lead to hefty penalties. The salient features of the GDPR are outlined below.
The GDPR's broad scope: The GDPR protects personal data. Personal data are defined as any information which relates to an identified or identifiable natural person (the data subject). Personal data includes direct identifiers such as names, telephone numbers and e-mail addresses, online identifiers such as IP addresses and cookie identifiers, and indirect information such as interests, profiles, location data, etc. This definition is largely in line with the rules under old Directive 95/46/EC, but the GDPR makes explicit that online identifiers can be personal data.
Consequences of non-compliance: Compliance with the GDPR is now mandatory and is often crucial for a company's reputation. Hong Kong companies which fail to comply with their legal obligations under the GDPR could be exposed to sanctions including fines of up to EUR 20 million or 4% of the company's total worldwide annual turnover of the preceding financial year (whichever is higher). Data protection authorities can also order companies to suspend or modify non-compliant data processing operations, causing costly interruptions to business activities.
In addition, any data subject who has suffered material or non-material damage as a result of a company's non-compliance may seek compensation from that company, including through representative actions brought on their behalf by qualified non-profit bodies. Moreover, awareness has been raised throughout the world as to the importance of the protection of personal data. Therefore, any failure by a company to adequately protect such data is likely to result in damage to that company's reputation and business.
Compliance with the GDPR: Hong Kong businesses operating in the EU are likely to fall under the scope of the GDPR for such activity. They should therefore assess how these rules will impact their business and, if they have not done so yet, start reviewing and auditing their data protection policies and practices in order to comply with all obligations contained in the GDPR, as briefly summarised below.
The GDPR builds on existing concepts and strengthens requirements for the collection and use of personal data. In addition, it introduces a number of significant changes, in particular:
- Controllers will be obliged to document the tools and decisions they take to comply with the GDPR in order to be able to demonstrate compliance (principle of accountability). Certifications and codes of conduct can help Hong Kong businesses to demonstrate compliance.
- Many companies will have to keep an internal register (a record of processing activities) of all their activities involving the processing of personal data; the exemption for organisations with fewer than 250 employees does not apply where the processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data. At the same time, the obligatory registrations or notifications of data processing activities, which previously existed in many EU Member States, are abolished.
- Requirements for obtaining consent from individuals have become stricter. As a result, companies may need to review and adapt their consent mechanisms.
- The information that needs to be provided to individuals and the manner in which this information must be provided, are described in more detail under the GDPR. Accordingly, Hong Kong businesses need to update their notices to European data subjects, including website policies, user terms & conditions and/or employee notices.
- The rights of data subjects are strengthened and new rights are granted. These include, for example, a right for data subjects to receive their data in a structured, commonly used and machine-readable format and to transmit it to another controller (data portability) and a right to require the data controller to erase their personal data without undue delay in certain situations, such as where they withdraw consent and no other legal ground for processing applies. Hong Kong businesses will need to set up procedures and processes to deal with such requests.
- Companies will have to notify personal data breaches (e.g., accidental or unlawful loss, theft, access or disclosure of personal data). Controllers must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to the individuals concerned, those individuals will also need to be informed. Processors must notify the controller without undue delay after becoming aware of a breach.
- In addition, data processors (i.e., companies that process personal data on behalf of other companies) will be directly responsible (and liable) to comply with a number of obligations under the GDPR, including ensuring technical and organisational protection of personal data. Controllers also need to update their contracts with processors.
- Importantly for Hong Kong companies, the GDPR provides that companies established outside the EU which fall within its scope will need to designate a representative in an EU Member State, unless a limited exemption applies (for example, where the processing is only occasional, does not involve large-scale processing of special categories of data and is unlikely to result in a risk to individuals).
Location of the personal data: The GDPR does not require that all personal data be kept within the EU. However, if any personal data travels outside the EU, the controller must ensure a level of (technical and legal) protection which is essentially equivalent to that in the EU for the data. For companies to transfer personal data from the EU to a third country for which the European Commission has not adopted an adequacy decision, and unless exceptional derogations apply, they have to put in place data transfer agreements which include the standard contractual clauses adopted by the European Commission (or by a national supervisory authority and approved by the Commission); to follow approved codes of conduct or certification mechanisms; or to adopt group-wide Binding Corporate Rules. Neither Hong Kong nor mainland China has been the subject of an adequacy decision by the European Commission.
In conclusion, the scope and impact of the EU's data protection rules have significantly changed since 25 May 2018 and these potentially apply to Hong Kong companies and their EU subsidiaries. Hong Kong businesses should take appropriate measures to comply with the GDPR and prepare for increased enforcement by national supervisory authorities in the EU, as well as for possible queries or complaints that may be raised by data subjects.