In an article published on Monday, we presented the comments of Scott Thiel, a partner at DLA Piper’s Hong Kong office, on the European Union’s General Data Protection Regulation (GDPR) and what companies should do to ensure compliance. Now, in the second part of the interview, we outline his thoughts on the law’s far-reaching and long-term impact on the tech sector worldwide.
EJ Insight: How long does it take to be GDPR compliant?
Thiel: Firstly, being fully compliant with any privacy law is an ambitious statement. I don’t think any company is fully compliant with privacy laws in every perspective. What we would do is look at the bigger issues and work with the company to define their risk appetite as the client has to balance how much they want to invest, in terms of their efforts, time and the financials involved in getting compliant, versus how much risk they want to reduce. So it depends a little bit on the client. We’ve done projects within two months, and during that time we have dealt with the majority of big issues. That’s pretty tight, but it can absolutely be done.
Q: With all the excitement regarding the potential of big data analytics and artificial intelligence (AI), there is a concern as to how to address data privacy. Would the EU’s GDPR pose challenges for big data analytics and AI?
A: Speaking with my colleagues in Europe, I know that there is a genuine expectation of privacy as a fundamental human right, prevailing over the economic interests of businesses. My view is that data laws in Asia are not entirely motivated by the same objectives.
There are concerns that GDPR could stifle creativity, reduce the level of potential data analytics, and impact the adoption of new services. The City Brain project that has been run in the Chinese city of Hangzhou is an incredible example of what can be delivered through the widespread adoption of AI, surveillance and big data. Such a project is almost unthinkable under Europe’s privacy laws. As a result of the permissive legal environment, we are increasingly seeing Chinese technology companies operating at the bleeding edge of technology innovation.
As I said earlier, we are seeing companies create data silos as they are concerned it may cause them to fall behind their competitors in Asia who are not impacted by a GDPR contamination risk. They may say: how about I don’t just send the data back to Europe? We saw Facebook doing that before the law went live; they took a lot of data out of Europe, and I think we will see more and more of that.
Q: China introduced a new cyber security law on June 1 last year that imposes tough controls over data, including mandating that companies store all data within China and pass security reviews. How does it compare with EU’s GDPR?
A: Consent is King when it comes to privacy compliance in most Asian jurisdictions including under the China cybersecurity law. The GDPR has moved away from consent as the preferred compliance strategy and instead introduced a requirement for a data controller to establish a legal basis for what they are doing with personal data. The most important of these in practice is the need for a company to establish that it has a “legitimate interest”. A lot of businesses are struggling to reconcile these different approaches.
GDPR is a privacy law, which only deals with personal information. China’s law is an information law, regulating a much broader category of data than just personal information. Virtually all business data may be caught.
China’s data law is tougher than the GDPR in some ways and has potentially more significant sanctions. There have already been prison sentences for individuals, and some foreign companies have had their business registrations cancelled, forcing them to leave the China market altogether. Everyone is worried about the sanctions in Europe, but I think the sanctions in China are potentially more significant.
There are a lot of uncertainties in the Chinese data law. The law took effect in June last year, but a lot of subordinate regulations and measures have not yet been finalized. Even the rules around offshore transfer are still not finalized. Nevertheless, we are seeing a lot of informal enforcement. In practice, this has involved the police administering the new law and simply turning up at businesses and requiring changes to their information handling practices.
Q: After the EU’s GDPR, will countries in the Asian region try to follow suit, seeking greater powers and controls in relation to collection of personal data?
A: I know a lot of privacy commissioners in APAC, as well as elsewhere, are all looking at GDPR with envy, wishing they had their own law and the types of substantial financial penalties their European counterparts can now impose. The Philippines has already moved to a GDPR style regulation and India has just proposed something similar. There has been a trend towards increasing regulation of data, and that will certainly continue.
Q: Some observers believe the EU’s GDPR creates an opportunity for Hong Kong, in terms of offering assistance to mainland enterprises in dealing with the regulation, as well as on corresponding cross-border data transfer and data storage practices. What’s your view on this?
A: I think there is a huge opportunity for Hong Kong to position itself as the data center for China and other parts of Asia. The challenge in Hong Kong is that its legal framework currently does not support that ambition.
If you want to create a trusted environment for data storage, you need to have an effective legal framework to protect data that is put into that jurisdiction. To give one example, the cross-border data law of Hong Kong has been on the statute books since 1997. I worked on a project for several years to try and bring that law into force. The law is still dormant and there is little indication that it will be acted upon any time soon.
At the moment, all the rules in China say you can’t send data out of China without meeting a number of uncertain and yet-to-be-finalized criteria. When it comes to data transfer, the China cyber law makes it clear that Hong Kong is “outside China”. If a transfer between China and Hong Kong is recognized through some sort of safe harbor mechanism, I think Hong Kong can absolutely position itself as a data center hub for China.