9 Feb 2018
EU Publishes Guidance on New Data Protection Law; Important Questions Relevant to Hong Kong Traders Answered
On 24 January 2018, the European Commission published a toolkit with guidance for various stakeholders, including citizens and businesses, on how to prepare for the General Data Protection Regulation 2016/679 (the GDPR). The GDPR will start to apply from 25 May 2018.
Harmonisation and territorial application: The information published will provide guidance for Hong Kong businesses. In particular, the European Commission clarifies that one of the main innovations of the GDPR, when compared to the current EU data protection rules, is the increased harmonisation. The data protection law establishes a ‘level playing field’ (albeit a stricter one) for businesses operating in the EU. Not only does the GDPR provide full harmonisation between EU Member States, but, due to the territorial application, the GDPR also ensures that businesses which do not have an establishment in the EU, but offer goods and services to the EU, or monitor EU residents, must comply with the same rules. Hong Kong traders will thus also have to ensure compliance.
Raising awareness among citizens: The various guidance tools that have been published, including a Q&A on the GDPR and brochures on data subjects’ rights, explain how data protection rules allow citizens to take control of their personal data. For instance, the materials explain that citizens (data subjects) have the right to request access to the data that an organisation holds about them. The materials refer to the example where “you’ve bought goods from an online retailer. You can ask the company to give you the personal data they hold about you, including: your name and contact details, credit card information and dates and types of purchases.” Companies must be ready to handle such requests.
What must businesses do?: Hong Kong businesses which (i) have an establishment in the EU, or (ii) offer goods and services to EU citizens, or monitor EU residents, must ensure that they comply with the GDPR. First, businesses must determine to what extent the GDPR will apply to them. Here, the European Commission also gives some useful guidance explaining that organisations must start by identifying which personal data they hold; for what purpose; and on what legal basis these data are used.
In addition, organisations must ensure that the necessary contracts are in place with their own processors, and sufficient safeguards are provided with regard to international transfers. Some organisations may also need to appoint a data protection officer.
This compliance exercise must be carried out in a manner which documents compliance (e.g. through policies, procedures and certification) and with the support and commitment of the organisation’s management. The European Commission recognises that many organisations prefer to work with compliance checklists, and seek advice from consultancies and law firms to work out arrangements that are appropriate to the specific nature of their sector and adapted to their business model.
Different ways to permit international transfers of personal data: While personal data can travel freely to EU Member States (as well as Norway, Iceland and Liechtenstein, namely, the EEA countries), personal data that are covered by the GDPR can only be transferred to third countries (outside the EU/EEA) if one of the following criteria is met:
i. Adequacy decisions: The European Commission can declare that a third country provides, through its national law, an adequate level of protection for personal data (called an adequacy decision). This has not yet happened for either Hong Kong or mainland China.
ii. Appropriate safeguards: in the absence of an adequacy decision, the international transfer of personal data is permitted if the parties can adduce appropriate safeguards protecting the personal data in the third country. Such appropriate safeguards include:
(a) Binding Corporate Rules (i.e., a binding policy within a multinational group of companies which has been authorised by EU supervisory authorities);
(b) contractual arrangements with the recipient of the personal data, for instance Standard Contractual Clauses (SCC) approved by the European Commission; and
(c) adherence to a code of conduct or certification mechanism together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data.
iii. Derogations: if none of the above criteria apply, organisations can rely on derogations in specific situations. For instance, transfers may be permitted with the explicit consent of the data subject; or if it is necessary for the performance of a contract; or to establish, exercise or defend a legal claim; or if required for the purposes of compelling legitimate interests pursued by the organisation which are not overridden by the interests or rights and freedoms of the data subject. Transfers on the basis of these derogations are only available in “specific situations” and do not apply to transfers which are massive, structural and repetitive.
iv. In addition, the GDPR allows national supervisory authorities to adopt additional standard clauses (which must be approved by the European Commission).
Working with EU Member State processors: Hong Kong businesses working with EU companies processing their personal data must take measures to ensure that transfers of GDPR-protected personal data comply with the above requirements. For instance, a Hong Kong business that uses an EU processor (i.e., a third party which processes the personal data on behalf of the Hong Kong business) must assess whether this activity requires transfers of personal data. If personal data are transferred from the EU to a recipient outside the EU, the organisation may need to adduce adequate safeguards (outlined above). The appropriate safeguards must be assessed based on the specific scenarios at hand.
Can national law prevent the use of Standard Contractual Clauses (SCC)?: To date, the European Commission has adopted three sets of SCC: two sets for transfers from a controller (the organisation holding the data) in the EU to another controller outside the EU, and one set of SCC for a transfer between an EU controller and a non-EU processor.
In principle, all national supervisory authorities are bound by the European Commission’s adequacy decisions and standard contractual clauses. However, supervisory authorities may have to investigate complaints by data subjects that protection in a third country may not be guaranteed. Indeed, it follows from the judgment of the Court of Justice of the EU (in Schrems, C-362/14) that supervisory authorities can still investigate claims brought against an international transfer and, pursuant to such a claim, decide that the Commission’s adequacy decision or safeguards may not provide sufficient protection for personal data in the case at hand, where the data subject contends that the law and practices in force in the third country do not ensure an adequate level of protection.
However, the national supervisory authorities cannot strike down a decision that was made by the European Commission. Only the Court of Justice of the EU has this power.
Hong Kong companies wishing to know more about their obligations when dealing with personal data stemming from the EU should carefully read the guidance published on 24 January 2018 and the other tools provided by the European Commission. If they are still unable to find the answers they seek, it is advisable to contact a law firm with expertise in such matters. Traders are reminded that fines can be levied (by Member State authorities) of up to €10 million or 2% of annual global turnover, whichever is higher; or up to €20 million or 4% of annual global turnover, whichever is higher. The applicable tier depends on the specific GDPR provisions which are breached (see: Article 83 of the GDPR).