The European Union’s General Data Protection Regulation (GDPR), which comes into effect on May 25, is a stringent new legislation aimed at protecting the privacy of EU residents. As the law will affect companies around the world, Asian companies are scrambling to become compliant by the deadline. 

 

“The GDPR definition of personal data and processing is very broad and probably the most all-encompassing definition to date. Since interpretation is different in each country, some companies might mistakenly assume their understanding of it is in accordance with GDPR compliance,” he says.

The European Union’s new General Data Protection Regulation (GDPR) is set to come into effect May 25, and its impact will be widely felt. As this law will affect not only companies with European subsidiaries, but also companies that target EU customers, Asian companies with dealings in Europe need to comply or face significant penalties. 

The new legislation builds on the idea that “the protection of natural persons in relation to the processing of personal data is a fundamental right.” 

The key takeaway is that every individual owns their personal data, so companies must ask for consent from each person to use that data, explain why they want to use it, what they plan to do with it and for how long. 

“The GDPR builds upon the existing Data Protection Directive and seeks to develop the regulatory regime to address changes in new technologies and technological methods now employed by a wide range of organisations; and to meet changing consumer expectations in a more digitally-enabled world,” says Alexander Shepherd, a partner at Bird & Bird ATMD in Singapore.

The new legislation builds on “experience accumulated by the European Commission and each of the National Regulatory Authorities over more than 20 years,” he adds.

GOOD OR BAD?

“Whilst the GDPR is a significantly more robust piece of legislation than that which it replaces, many of the changes do make sense to address issues and concerns which have become apparent with the existing regime and to ensure that as the type and quality of data which can now be easily processed is done so in a fair, reasonable and proportionate way,” Shepherd says.

But not everyone agrees. 

Scott Thiel, a partner at DLA Piper’s Hong Kong office, thinks the regulation might just present more hoops for innovators to jump through. 

“While there is no dispute that privacy laws are important, this could present an unnecessary burden, particularly for innovative companies and services. If we look at big-name data-based services based in Europe, the only one that comes to mind is Spotify. So, we need to strike a balance that could protect individual privacy appropriately without inhibiting innovation,” Thiel says.

Others like Alexander Milner-Smith, managing associate at Lewis Silkin’s London office, feel that the GDPR can be taken either way.

“Companies can choose to either see it as a pure compliance exercise or something that shakes things up in a good way. The first positive to take from it is to see it as a spring cleaning of sorts and whittling down of things to what actually makes sense. This could be a much-needed data cleansing exercise for better security and efficiency,” Milner-Smith says.

The second positive is that GDPR compliance could eventually be seen as a mark of quality for security and privacy.

“The EU will probably issue certificates for companies that comply in about six months or so after the GDPR comes into effect. Having a ‘GDPR compliant’ seal could eventually be used as a sign that a company or website is trustworthy and secure,” adds Milner-Smith.

CONFUSION AND COMPLICATIONS

Regardless of whether the GDPR is a sound idea, enforcement is impending and implementing its requirements is a significant task. Not many Asian companies are ready.

Milner-Smith has seen a lot of confusion and last-minute scrambling in Asia over the past six months. 

“The gut reaction for a lot of Asian companies is that the GDPR doesn’t apply to them. And even with those that realise it, there is a lot of confusion surrounding it,” he says. 

Others echo Milner-Smith’s observation. “Some Japanese companies are not seriously recognizing the potential risk of the GDPR due to a general misunderstanding of the possible scope of the GDPR,” says Yoshi Takatori, a partner at Orrick, Herrington & Sutcliffe’s Tokyo office.  

“On the other hand, some companies are deeply concerned about the approaching deadline of the GDPR as ‘perfect’ countermeasures may be practically impossible due to detailed and complex requirements of its guidelines,” Takatori adds.

Besides the GDPR, Takatori says companies in Japan already have numerous compliance challenges on their plate in Europe, including the UK Bribery Act.   

Big conglomerates that have headquarters in Europe should be generally ready but smaller businesses or Asia-based companies will have a tougher time adjusting. 

Enforcement of security and privacy laws in Asia has been fairly lax while the hefty fines resulting from non-GDPR compliance is driving the mad rush now.

"Although China arguably now has the most comprehensive data law in the world, the penalties to date are not as stiff and many Chinese businesses are still paying little regard to their domestic privacy and data compliance obligations. But GDPR's high fines have got a lot of companies worried," Thiel says.

If a firm infringes on multiple provisions of the GDPR, it could be fined according to the gravest infringement, as opposed to being separately penalised for each provision. Administrative fines for lower level infringements can go up to 10 million euro ($12.4 million) or 2 percent of the worldwide annual revenue, whichever is higher. More serious infringements can cost up to 20 million euro, or 4 percent of the worldwide annual revenue. 

GETTING PREPARED

Given the very clear need to comply, how should companies begin? 

The first step is to assess existing information databases to minimise non-compliance risks. 

“Companies should assess or evaluate possible risk as precisely and efficiently as possible to prioritize what should be done first in order to minimize or avoid potential risks.  In that sense, it can be said that there is no right ‘answer’ but there is a right ‘process’ by which they can keep ‘good’ evidence,” says Takatori.

“Companies should avoid creating unnecessary ‘bad’ evidence, keeping attorney-client privilege and sensitive communication as safely as possible, including their assessment of the risks of the GDPR,” he adds. After all, keeping such personal data goes against the very thing that the GDPR stands for - maintaining security and privacy. 

“The best strategy for companies will be to keep evidence that proves or asserts that they have been attempting to decrease or minimize the possible risks as much as possible. Such efforts are not only related to the GDPR and compliance sanctions but also concern future possible liability through possible disputes caused by the violation of GDPR and multi-jurisdictional information leakage,” Takatori says. 

This may be particularly challenging for large corporations that may have large amounts of data spread across different units and multiple databases, spreadsheets and even paper archives. 

DEFINING THE DATA

According to Milner-Smith, the biggest compliance issue lies in the broad scope of the GDPR’s definitions. For example, opinions about someone, even without naming them, could fall under the “personal data” definition. 

“The GDPR definition of personal data and processing is very broad and probably the most all-encompassing definition to date. Since interpretation is different in each country, some companies might mistakenly assume their understanding of it is in accordance with GDPR compliance,” he says.

The GDPR also does not stipulate nationality or residency in its definitions, leaving room for individuals who are not of EU nationality or residents to take action against businesses that are not GDPR-compliant.  

“Generally, if you derive about 20 percent of your business from EU customers, it’s fair to say you should prepare to be GDPR compliant even if it’s wholly incidental,” Milner-Smith says.

He also thinks there is a grey area where businesses on intermediary platforms like eBay or Airbnb are involved.

“The GDPR isn’t as interested in making things difficult for individuals or small side income-generating endeavours that exist on those platforms. It is aimed at ensuring large conglomerates maintain good security and privacy measures,” he says.  

LEGITIMATE INTEREST

It’s not just the definitions that are being misunderstood. Some feel there is confusion as to where to focus their efforts.  

“A lot of companies in Asia are understandably confused about the GDPR. A common misconception is that once companies have obtained consent from consumers, that is enough,” Thiel says. 

Thiel adds companies should be focusing on justifying legitimate interest.

“What companies need to do is to frame their legitimate interest in the use of data. With their legal partners, they need look at their data collection points and help justify the usage,” he says. 

Indeed, the GDPR does provide room for “legitimate interest” to be used as a legal basis for obtaining personal data without explicit consent. 

A similar provision was also included in the Data Protection Directive 95/46/EC that preceded the GDPR. Some have seen it as a way to legitimize data processing efforts that do not fit in one of the other legal grounds. 

The mention of direct marketing as a legitimate interest also exists in the GDPR and has caused some confusion. However, the Article 29 Working Party advisory body has warned that merely having a legitimate interest does not entitle one to use personal data. They cautioned that it is not to be used “on the basis that it is less constraining than the other grounds.”

“Legitimate interest cannot outweigh the data protection rights. The ‘legitimate interest’ provision is to give authorities some room and flexibility for cases where it makes sense and there is no negative effect on the subject,” Milner-Smith says. 

But, he says, in cases like human resource requirements or sensitive business information protection, companies can mitigate risk through privacy impact assessments.

“Companies should inform the subject of this exercise, ensure any data collected is as limited as possible (in duration and collection criteria) and that it is disseminated on a need-to-know basis only,” Milner-Smith suggests.

Regardless, Thiel sees framing legitimate interest as a necessary and creative form of asset value management. 

“What we do is not just telling the companies what they can or cannot do. We support their data ambitions, so companies can use their data in more interesting ways and benefit from generating higher value from such assets,” Thiel says.

CONCERNS AND CLASHES

Even if the individuals agree to the use of their personal data, they can withdraw their permission at any time and have the right to ask companies to disclose what personal information they have, why and for what purpose. And companies have to provide the answers free of charge.

If individuals withdraw permission to use the data, there is a worry that machine-learning algorithms may “unlearn” things.

“But perhaps, it’s time for companies to question why they need this particular data and learn to tune their AI algorithms to function without the need for such personal data. They need to build their systems on aggregate anonymous data,” says Milner-Smith. 

Another major worry is that the GDPR would render existing databases null and void, which could be particularly tough for third-party data providers that mine data for marketing lists. 

“They would need to look at how to maintain the value of their databases while getting rid of any data that could personally identify an individual, be it names, e-mail addresses, or even IP addresses,” he says. 

Otherwise, they would have to ask individuals to grant them permission under new GDPR compliant settings.  

“I’m expecting a glut of e-mails from companies to individuals asking for consent to use personal data once the regulation comes into effect,” says Milner-Smith. 

But even that comes with its own complications. 

While consent clearly remains a big component of the GDPR, a bit of a chicken and egg situation occurs with acquiring that through existing data.  

Milner-Smith points out that the very act of asking for re-permissioning using personal data like e-mail addresses is a violation of the GDPR. 

Last year, the Information Commissioner's Office (ICO) fined two companies – Honda and Flybe - for breaking the rules regarding marketing emails that were sent to comply with the upcoming GDPR. 

The Exeter-based airline Flybe had sent more than 3.3 million emails to people who had told them they didn't want to receive marketing emails from the firm.

Those emails asked customers to update their marketing preferences, including whether they wanted to receive emails like the ones had just received. It also offered them the chance to enter a prize draw for replying.

The ICO fined Flybe 70,000 pounds ($97,500) for breaking Privacy and Electronic Communication Regulations. 

Honda Motor Europe also ended up with a 13,000 pound fine for 289,790 emails sent to clarify certain customers’ choices for receiving marketing spam.

ASIAN ADOPTED

Despite being a complex model, the GDPR might just set the standard and lead the way for Asian countries to adopt a similar regulation to ease compliance and flow between the two regions.  

“Many countries outside the EU have adopted the EU's existing approach to data privacy regulation; as the GDPR becomes the benchmark for data privacy regulation it is likely that jurisdictions outside the EU will seek to enhance their data privacy regimes in broadly similar ways,” Shepherd says.

This is something that Thiel already sees happening. 

“Many countries in Asia, Singapore and the Philippines in particular, are making ways towards adopting a regulatory framework that is more similar to the one in the EU. But the situation in Asia and Europe are still fundamentally different and are completely different operating models,” he says. 

He thinks the two regions are misaligned in their regulations and bridging efforts could take years.

“There will definitely be a period of investigation and adjustment after the regulation comes into effect, as regulators and companies work out the lines. That will take time, “ Thiel says. 

Even within the EU, there is still a need for getting things in sync. 

“One of the aims of the GDPR was to increase harmonisation and reduce the variation in implementation between member states; this was partly why the legislation was implemented as a regulation (which has direct effect on EU member states) as opposed to a directive,” Shepherd says. 

“Unfortunately, this proved hard to realise and therefore there are still significant differences between different member state's requirements but less than under the existing regime,” he adds.  

So, companies will still need to adjust their compliance strategies according to each member country but time should help align the different regimes. 

But it’s not all challenging. Shepherd says the GDPR aims to reduce the regulatory burden by reducing filings. 

“These used to be required in almost all countries for most data processing, with authorisations needed for data transfer in many situations. Filings will still be needed for some things and in some countries, but the bureaucracy will be significantly reduced in that area,” he notes. 

There are also other possible advantages to this situation. For startups and smaller businesses, this period of adjusting to GDPR compliance might provide them with a temporary leg up over larger and less nimble competitors. 

Looking ahead, Takatori thinks this could be wake up call for companies to “place additional focus on global issues and implement more multi-jurisdictional countermeasures, such as the risks of cybersecurity, including the broad scope of GDPR.”  

 


Top five concerns with GDPR compliance

By Thomson Reuters Financial & Risk

 

New requirements: The GDPR focuses on accountability, transparency and governance to minimize the risk of breaches and uphold personal data protection by imposing new responsibilities on organizations.

Not only must organizations carry out such charges, but they must adopt, test and maintain, and be prepared to demonstrate such compliance to regulators.

Specific processes: Many of these new requirements are specific processes organizations must adopt, with the intent that such measures will help structure and formalize certain areas to make compliance more efficient.

The GDPR imposes concrete measures, such as: The obligation to keep internal records of data protection activities; the requirement to notify regulators of data breaches without undue delay (organizations must report breaches to supervisory authorities within 72 hours) and document the underlying facts, effects and remedial action taken; and appointing an official Data Protection Officer (required for some organisations).

Hefty fines and sanctions: Regulators are authorized to handle non-compliance with the GDPR in one of three ways: issue a warning or impose a temporary or definitive ban on processing personal data; impose a fine up to 20 million euro or 4 percent of the total worldwide turnover, depending on the circumstances of each individual case; or both of the above.

With these provisions, the GDPR hopes to make the cost of compliance less than the cost of violations.

Vague requirements: The lingering uncertainty around the GDPR is one of the biggest impediments to compliance, with parts of it deliberately left vague. Undefined terms such as “undue delay,” “likelihood of (high) risk to rights and freedoms” and “disproportionate effort” will require further clarity by the courts or regulators, or time for specific market practices to develop.

Similarly, the regulation offers no definition of what constitutes a “reasonable” level of protection for personal data, offering regulators significant flexibility in assessing fines for data breaches and non-compliance.

Extraterritorial reach: Similarly, the GDPR’s definition of what personal identification information has a broad scope, requiring a high level of protection for a wide range of information. It also has an extensive reach, with many firms — particularly in the U.S. — not even aware they will be subject to the new EU regulations.

The primary principle behind the GDPR is that it views personal data as the property of the individual, not data controllers or processors. It applies to all EU citizens wherever they may be situated and regardless of the organization’s location. Consequently, in today’s digital and global world, it’s almost impossible to avoid dealing with some form of personal data from the European market.

Related Articles

DATA COMPLIANCE: 探索数据资产 (ZH/EN)

数据作为“新型生产要素”的重要性不断提升,中国采取各项措施激发数据的经济效益。预期到2030年,中国数据交易行业市场规模有望达到 5155.9 亿元。数据交易在确权、合规、交易架构等方面都需要律师提供专业服务,部分“先行者”与ALB分享了这一领域的机遇和挑战。

欧华报告显示,未来中国将成数据中心新“赛场”(ZH/EN)

欧华律师事务所近期发布《全球数据中心投资展望》(Global Data Centre Investment Outlook)报告,以数据说明过去一年全球数据中心投资增长速度,以及其在中国等新兴市场的发展前景。

“智能网联汽车从交付起就不断收集数据”

by Charlie Wu 吴卓言 |

互联网汽车是投资界的热点赛道,也是政府监管重点,这从近期出台的《车联网网络安全和数据安全标准体系建设指南》就可见一斑。