Europe’s General Data Protection Regulation (GDPR), which came into force on May 25, has been billed as the biggest shake-up of data privacy laws since the birth of the web. With an aim to give citizens of the European Union more rights over their online information, the new law threatens fines of up to 4 percent of a company’s annual revenue for non-compliance.
The new law applies to all businesses that deal with EU citizens’ data, regardless of whether they have incorporated units in the region. This could have far-reaching implications for tech giants such as Facebook and Google. It could also have repercussions for companies in Hong Kong, mainland China and other markets in Asia.
Despite the risk of onerous fines under the new rules, many businesses in the region are slow to bring themselves into compliance, according to Scott Thiel, a partner at DLA Piper’s Hong Kong office.
In an exclusive interview with EJ Insight, Thiel shared his views on what Asian companies with dealings in Europe need to do to comply with the new rules and avoid significant penalties.
EJ Insight: Could you explain what GDPR is and why firms need to be aware of it?
Thiel: The GDPR is Europe’s new data privacy law, regulating all aspects of the manner in which personally identifiable information can be collected, stored and used.
It is a big change with some fundamental legal differences from the existing and other privacy laws around the world. One of the reasons it has gained so much attention is the huge increase in the level of sanctions. There could be very substantial financial penalties, up to 4 percent of the global group turnover or 20 million euros (US$22.86 million), whichever is greater.
One of the unique aspects of the GDPR is that it regulates companies outside of Europe where they are targeting or collecting data from European citizens. For example, it applies to Asian businesses selling or trying to sell to people in Europe. If you don’t have offices in Europe, and you are not trying to target or profile European-based citizens, then it likely won’t apply to your business. We do speak with some companies who say: “Some of my staff in Asia are holding European passports, does GDPR apply to their data?” No, it doesn’t.
The fundamental difference between the GDPR and other privacy regimes creates a significant challenge for multinational companies with large data sets. The question arises as to how they are going to deal with the fact that laws from multiple countries may be applying to different datasets at the same time. For example, data collected in a country in Asia might need to be compliant with both GDPR and the other regulations in Asia if it is going to be sent through IT systems based in the EU. Likewise, data collected from European citizens that is brought back to Asia might also need to comply with two or more very different sets of privacy laws.
Q: What does GDPR mean for technology companies?
A: One of the things we are seeing more of is the fragmentation of data centers within businesses. The multiple law compliance challenge is driving some businesses to create individual country or regional data silos to minimize this compliance risk.
European-headquartered companies that have operations in Asia, and have their growth expectation perhaps in the Asian market, may reconsider sending data back to Europe. Companies in Asia are also questioning whether sending data to a European country (for example to their EU headquarters) might restrict what they can do with that data if GDPR will apply to it.
Q: On the first day of GDPR enforcement, Facebook and Google have been hit with a raft of lawsuits, which seek to fine both firms billions of euros, accusing the companies of coercing users into sharing personal data. Will we see more of this?
A: The expectation is that we will see more enforcement, more civil claims, and more data protection authorities bringing in claims against companies.
There is one view that GDPR was designed in part to specifically curtail the data handling practices of some of the world’s biggest data companies, particularly social media and internet search businesses. Interestingly enough, few if any of these are European businesses. Europe does appear to be focused on technology regulation while much of the rest of the world is promoting technology companies and innovation, particularly in the US and mainland China.
The GDPR sanction risk is potentially very significant for multinational companies, and we are encouraging all our clients to take it seriously.
Q: How about Chinese and Hong Kong tech firms? Have they prepared for compliance?
A: No, they haven’t, from our experience. A couple of weeks before the law went live, we were suddenly getting phone calls from clients saying, “Can you get me GDPR compliant in eight weeks?” Even two days before, we received phone calls like that.
We just had a new instruction last week from a telecommunications company which hasn’t yet planned properly for GDPR. That’s not that surprising in some ways. Being in Asia, inevitably there is a lag in terms of people thinking “that isn’t even our law”, “it’s not our core market”. Businesses may not be prepared, and as we are seeing businesses just getting started, to me that suggests there are a lot of businesses that are some way off being compliant.
But I think there is a genuine risk for those big tech players, typically Chinese companies, as they are increasingly coming out of China, looking to global markets, and they will need to be careful about GDPR compliance just as non-Chinese companies need to be mindful of the new data and cybersecurity laws in China.
Q: For those not compliant with the new rules yet, will we see more GDPR enforcement from the authorities?
A: With foreign companies, we simply don’t know the answer to that yet. But I think there is a very real risk, and I think it depends on some broader macroeconomic issues that are recurrent in the world.