In our first article on the European Union General Data Protection Regulation (Regulation (EU) 2016/679 or ‘GDPR’) we focused on the global territorial scope of the new rules and how they could affect businesses based in Asia. In particular, we highlighted how the enhanced rights of data subjects in the EU and the expanded obligations on data controllers and data processors — even if they are located outside the EU — provide much for businesses to consider as they become compliant with the new rules. In this second article, we will focus on the new regulatory-enforcement regime and international data transfers, and then draw comparisons with the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.
Senior Principal at Promontory
John is a Senior Principal in Promontory's privacy and data protection team. John advises clients on all aspects of compliance with data protection laws and regulations. He is a specialist on the European Union’s proposal for a new General Data Protection Regulation. Prior to joining Promontory, John worked at the U.K. Ministry of Justice, where he was the government’s lead negotiator on the proposed General Data Protection Regulation. This work involved leading the U.K. delegation to the Council of the European Union’s DAPIX expert working group in Brussels, developing the government’s policy position on the proposed Regulation, engaging with a wide range of stakeholders and advocates, and regularly briefing ministers. John is an experienced public speaker and has sat on many data protection conference panels, including leading keynote sessions at the Sedona Conference and the IAPP Data Protection Intensive.
The General Data Protection Regulation is the first comprehensive overhaul of European Union data protection rules in 20 years. This two-part article will examine the GDPR’s impact on businesses in Asia, with a focus on territorial scope, controller and processor obligations, and international data transfers.