23 Dec 2016
General Data Protection Regulation: Impact for Hong Kong Enterprises
Hong Kong companies operating globally will know that personal data has become one of the most critical assets for businesses today. Whether it relates to employees, customers or contacts, personal data are found in all departments of a company. The current EU framework for the protection of personal data dates from 1995 and has recently been updated to better regulate the way that personal data are used today.
After a lengthy adoption process, the new “General Data Protection Regulation” (GDPR) was published earlier this year. The GDPR replaces the current framework of the old Data Protection Directive 95/46/EC and its national implementing laws. As a Regulation, it will ensure a harmonised set of rules which will be directly applicable throughout the EU as from 25 May 2018. Nevertheless, the enforcement, which includes a significant increase in fines, will be left to the national data protection authorities.
Below, we will explain the scope of the new rules as well as the main new elements of the GDPR which are relevant to Hong Kong businesses.
In the coming months and until the entry into effect of the GDPR, EU Member States will have to amend their national laws, and companies will have to prepare for GDPR compliance. Hong Kong businesses should assess how these rules will impact their business and start reviewing and auditing their data protection policies and practices.
The GDPR protects personal data. This is any information which relates to an identified or identifiable natural person. Personal data includes direct identifiers such as names, telephone numbers, e-mail addresses, IP addresses and cookies, as well as indirect information such as interests, profiles, location data, etc. This definition is in line with the rules under the old Directive 95/46/EC.
Indeed, the GDPR builds on existing concepts and strengthens requirements for the collection and use of personal data. In addition, it introduces a number of significant changes, namely:
- Controllers will be legally obliged to implement appropriate measures to ensure compliance with the law and to actively document and demonstrate compliance (principle of accountability). Certifications and codes of conduct can help Hong Kong businesses to demonstrate compliance.
- Many companies will have to keep an internal register of all their activities involving the processing of personal data. On the other hand, the obligatory registrations or notifications of data processing activities, which currently exist in many EU Member States, will be abolished.
- Some EU-based companies will have to appoint a Data Protection Officer. This is an (internal or external) person who will oversee the company’s data protection compliance. Companies will have to allocate responsibility for data protection compliance within the organisation and assess whether a Data Protection Officer needs to be appointed and registered with the local supervisory authority.
- Requirements with respect to consent by individuals are changed and tightened. As a result, companies may need to review and adapt the manner in which consent is obtained.
- The content of the information that needs to be provided to individuals, and the manner in which this information must be provided, is described in more detail under the GDPR.
- The rights of the data subjects are strengthened and new rights are granted. These include, for example, a right for data subjects to transfer their data to another processor (data portability) and a right to require the data controller to erase their personal data without undue delay in certain situations, such as where they withdraw consent and no other legal ground for processing applies.
- Companies will have to notify data breaches (e.g., accidental or unlawful loss, theft, access or disclosure of personal data). This means that personal data protection breaches will need to be brought to the attention of the supervisory authorities within 72 hours and, in certain cases, to the attention of the individuals concerned.
- In addition, data processors (i.e., companies that process personal data on behalf of other companies) will be directly responsible (and liable) to comply with a number of obligations under the GDPR, including ensuring technical and organisational protection of personal data.
Companies established outside the EU will need to designate a representative in an EU Member State.
The GDPR does not require that all personal data be kept within the EU. However, if personal data travels outside the EU, the controller should ensure that the data receives a level of (technical and legal) protection similar to that in the EU. The GDPR adopts a three-step approach to determine whether this is the case.
First, transfers to a country outside the EEA (i.e., the EU plus Iceland, Liechtenstein and Norway) are permitted if that third country has been white-listed by the European Commission after a strict assessment of its national data protection rules and enforcement. Currently, countries that have been given approval include: Andorra, Argentina, Canada (subject to certain limitations), the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, and the US (for only certified companies under the “US-EU Privacy Shield”).
Second, if a Hong Kong company subject to the GDPR wishes to transfer personal data from the EEA to Hong Kong (or to mainland China), it must implement adequate safeguards to protect the personal data transferred. Such safeguards may be provided, for example, by means of:
- Contractual clauses: companies can implement safeguards for an international transfer if the EU company exporting the personal data and the Hong Kong company importing the data conclude a contract containing standard contractual clauses approved by the European Commission or the national authorities. Different versions of these standard contractual clauses have been adopted;
- Binding Corporate Rules (BCRs), in case of intra-group data transfers: These comprise legally enforceable, internal corporate rules on data transfers and data processing standards. BCRs must be approved by the lead Member State supervisory authority;
- Approved codes of conduct or certifications.
Finally, in exceptional cases and when the above options are not available or feasible, an international transfer of personal data outside the EU/EEA may also be permitted based on a derogation listed in the GDPR, such as the performance of a contract, defence of a legal claim, or with the free consent of the data subject.
The enforcement of the GDPR will be handled by the national supervisory authorities. To ensure a consistent application of the GDPR, a new European Data Protection Board will be set up to coordinate enforcement action between national authorities.
Hong Kong companies which fail to comply with their legal obligations under the GDPR will be exposed to potential sanctions including fines of up to EUR 20 million or 4% of the company’s worldwide turnover (whichever is higher).
Data protection authorities may also be entitled to order companies to give up or modify non-compliant data processing operations, causing costly business interruptions.
In addition, any data subject who has suffered damage as a result of non-compliance may seek compensation from the company for that damage, including through class actions.
In conclusion, the scope and impact of EU data protection rules will change significantly as from 25 May 2018. Under the newly introduced principle of “accountability”, Hong Kong companies and their EU subsidiaries that process and/or transfer personal data relating to EU customers and employees will need to be prepared to demonstrate that they have taken the steps needed to comply with data protection obligations. Therefore, Hong Kong companies need to assess how the GDPR applies to their business, allocate responsibilities and adopt a strategy to use personal data in a manner that suits the company and complies with EU regulatory requirements.