The EU General Data Protection Regulation (GDPR), which enters into application on 25 May 2018, will definitely be an additional challenge for Asian companies, particularly in terms of managing the rights of EU residents and meeting the controller and processor obligations. Asian companies should expect that it will be time-consuming to achieve compliance due to the GDPR’s complexity, lack of supervisory guidance, and significant expansion of obligations on data controllers and processors. Some studies seem to indicate that Asian companies are still widely unprepared for, or even ignorant of, the GDPR. On the other hand, those Asian companies that have already achieved compliance with the Cross Border Privacy Rules (CBPR) issued by the Asia-Pacific Economic Cooperation (APEC) system may be pleasantly surprised to find that with CBPR, they have also taken some – but not all – of the steps required for compliance with the GDPR.
The EU’s unified data protection law
The GDPR is not only the first major overhaul of EU data protection rules in over 20 years, but it will also implement a harmonised framework that will be directly applicable across all member states from mid-2018. Unlike an EU directive, which is implemented by the EU member states into national law, the GDPR is a regulation and thereby directly replaces the national law. However, some countries such as Germany will have implementation laws, e.g. with regulations for data protection in the public sector, or in order to “rearrange” other laws pointing at the national data protection law.
Many Asian companies will be affected – unprepared
The GDPR significantly expands the scope of the EU data protection law. It will apply to any party processing personal data of EU residents, regardless of where these parties are located, and regardless of whether the party is using that data to offer or provide goods or services, or to monitor an EU resident’s behaviour, with that behaviour taking place within the EU. With respect to the transfer of personal data, the GDPR applies directly to processors of personal data, even if they are not located in the EU.
The expanded scope of the GDPR means that many Asian companies seeking to do business in the EU will be subject to the GDPR. However, some recently published studies seem to indicate that more than 90% of Asian companies are still widely unprepared.
For example, the GDPR could affect vendors from China or Hong Kong selling merchandise to EU residents via marketplace websites such as Amazon or Alibaba. If they register an EU resident as a customer, the monitoring of that data subject’s online activity in the marketplace could be considered “monitoring” of their behaviour. Consequently, the GDPR will apply to both the Asian company and the provider of the marketplace, even if they are both located outside the EU.
Another potential issue for Asian companies which do not yet have a legal establishment inside the EU is that they may need to designate a representative in the EU under certain circumstances. The representative will serve as a point of contact for complaints from data subjects and will need to deal with regulatory matters in the EU on behalf of the Asian company.
Data Processors subject to the GDPR
In a world of outsourcing, it is a safe guess to expect that many Asian companies, in particular in the services sector, will be considered data processors. Possible cases where the GDPR will apply include, for example, scenarios where an Asian company processes an EU resident’s data in the context of cloud services, or provides call-centre and customer-services functions as outsourcing service providers to businesses in the EU. The GDPR’s obligations on controllers that will also apply to processors (i.e. the Asian companies) include the duty to implement adequate technical and organizational security measures, the duty to maintain a record of the processor’s processing activities, and the duty to appoint a data protection officer. In addition, the processor will need to assist the controller (i.e. the Asian company’s EU customer), in ensuring compliance with data breach-notification responses and data protection impact assessments.
The GDPR implements largely the same rules as have applied hitherto on transfers of personal data to countries outside the European Economic Area. So far, the European Commission (EC) has not determined that any Asian country provides an adequate level of protection for the personal data of people in the EU. In the medium term, Japan, Korea and maybe India are potential candidates for an adequacy decision, but this will take time and to date no other Asian nations have emerged as potential candidates.
Therefore, the “traditional” mechanisms for a transfer of personal data from the EU to a third country – including those in Asia – remain the tools of choice. Notably, the GDPR formally recognizes the standard contractual clauses (SCCs), bespoke contractual arrangements or codes of conduct/certification mechanisms approved by a national data protection authority, and binding corporate rules (BCRs). It remains to be seen if the text of the SCCs or the requirements for BCRs will be updated in the future.
CBPR – a starting point
Asian companies which have already achieved compliance with the Cross Border Privacy Rules (CBPR) issued by the Asia-Pacific Economic Cooperation (APEC) system may be pleasantly surprised to find that at the same time they have mastered some of the steps towards becoming compliant with the GDPR. However, the CBPR is not a full substitute for the GDPR. For example, it is principle-based and differs from the GDPR rules on data transfers in that the CBPR system is based on a certification mechanism which is approved by non-state auditors rather than a centrally governed mechanism approved by a data protection authority or the EU Commission, as is the case in the EU. Furthermore, the CBPR lacks any centralised enforcement mechanism as it leaves enforcement to each participating country. Nevertheless, while the CBPR is in many aspects “softer” than the GDPR, it remains a useful starting point for organizations to put in place the much more formal data protection policies and procedures required by the GDPR. This is particularly true for companies where such procedures have not previously existed.
The GDPR provides much for Asian companies to consider, particularly in terms of managing the rights of EU residents and meeting the controller and processor obligations when processing activities come within scope. There is little time before the GDPR enters into application on 25 May 2018, and in many cases, achieving compliance could prove to be more time-consuming than anticipated, not least due to the GDPR’s complexity, current lack of supervisory guidance, and significant expansion of obligations on data controllers and processors. The latter will be especially challenging for companies which are used to much less regulatory burden in that respect. Therefore, planning for the GDPR is highly advisable, and each Asian company expecting to be affected by the GDPR should consider establishing a change-management programme. Companies which already have CBPR in place should seriously consider which parts of their CBPR programme may be re-usable or serve as a starting point for GDPR compliance.