The EU General Data Protection Regulation (EU GDPR) represents the first major overhaul of European data protection rules in over 20 years. It will repeal and replace Directive 95/46/EC and introduce a harmonised framework that will be directly applicable across the 28 EU member states from mid-2018.
A number of superlatives can be applied to the EU GDPR. The most recent draft text contains over 56,000 words, consists of 99 articles, and runs to 260 pages. During the committee stage at the European Parliament, almost 4,000 amendments were filed, a record for any EU dossier. It has taken four and a half years of tough negotiations to reach agreement, but the EU GDPR is expected to enter into force in May or June 2016. Entry into force will signal the start of the two-year countdown before the new rules go live.
In this two-part article, we will highlight key aspects of the EU GDPR that businesses should be aware of and start planning for, with a focus on data controllers (who determine the purpose and means of processing) and data processors (who process data on behalf of the controller) based in Asia.
In Part I, we will look at the scope of the EU GDPR, rights of data subjects, and obligations on controller and processors. In next month’s Part II, we will explore international data transfers and the new regulatory-enforcement regime, and compare the EU GDPR with the Asia-Pacific Economic Cooperation Privacy Framework.
The EU GDPR significantly expands the scope of the EU data protection law in two ways. First, it will apply to businesses — regardless of where they are located — that process the personal data of EU residents in the context of offering them goods or services or monitoring their behaviour where that behaviour takes place within the EU.
Second, the EU GDPR will enhance the rights of data subjects and broaden obligations on controllers and processors. A key change is that the relationship between the controller and the processor will no longer be wrapped up exclusively in a contract, and therefore, many obligations in the EU GDPR will apply to processors in their own right.
The expanded territorial scope of the EU GDPR means that the new rules will apply to many companies in Asia. For example, vendors based in mainland China, Hong Kong, Japan, Indonesia, Taiwan, Singapore, and many other locations sell electronic merchandise to EU residents on well-known marketplace websites. If an EU resident is registered as a customer with a business in Asia, then processing related to the data subject’s online activity could be considered monitoring of their behaviour. In such cases, the EU GDPR will apply to the controller and the processor, even if they are located outside the EU.
Where a controller or processor does not have an establishment within the EU, it must designate a representative in the EU (unless the processing is occasional, does not include large-scale processing of special “sensitive” categories of data or of data relating to criminal convictions and offences, and is unlikely to result in a risk to individuals; all of these conditions must be met for the exemption to apply). In effect, the representative will serve as a point of contact for complaints from data subjects and deal with regulatory matters in Europe in addition to, or instead of, the controller or processor located outside the EU.
Scenarios where the requirement to appoint a representative may apply to companies located in Asia include where EU residents’ data are processed in the context of cloud services, outsourced call-centre and customer-services functions, and online-marketplace activities.
The EU GDPR sets out a number of new and enhanced rights for EU residents that data controllers will need to manage, whether they have an establishment in the EU or need to appoint a representative, including:
- Right of access: information to be provided to individuals free of charge and within one month of request
- Right to data portability: a new right which allows individuals to obtain their personal data in a structured, commonly used, and machine-readable format
- Right to erasure (the “right to be forgotten”): an enhanced right for individuals to request the erasure of their data without undue delay
- Right to object: individuals will be able to object to the processing of their data unless the controller can demonstrate compelling, legitimate grounds for processing
- Right not to be subject to measures based on automated processing: this right applies where automated processing — including profiling — has a legal or significant effect on individuals, for example by preventing them from accessing credit
Data controllers will be subject to new or more stringent obligations under the EU GDPR, including:
- Implementing data protection by design and data protection by default, and implementing measures to ensure a level of security appropriate to the risk to individuals
- Notifying the supervisory authority of a data breach within 72 hours (where feasible) where there is a risk to individuals
- Maintaining a record of processing activities for the purposes of demonstrating compliance
- Undertaking data protection impact assessments where the processing is likely to result in a high risk to individuals
- Designating a data protection officer, where required (for example, where the core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data), who will report to the highest management level, monitor compliance with the EU GDPR, and cooperate with the supervisory authority
Many businesses in Asia will be considered data processors. Obligations on controllers that will also apply to processors in their own right include implementing appropriate security measures, maintaining a record of processing activities, and appointing a data protection officer where required. In addition, the processor must assist the controller in meeting its breach-notification responsibilities and in preparing data protection impact assessments.
The EU GDPR provides much for businesses in Asia to consider, particularly in terms of managing the rights and privacy of EU residents and meeting the controller and processor obligations when processing activities come within scope. The two-year window before the new rules apply may seem generous, but compliance could prove more time-consuming than anticipated, due to the EU GDPR’s length and complexity and the significant expansion of obligations on data controllers and processors. Timely planning for the EU GDPR is therefore advisable and the establishment of a change-management programme should be considered.
In Part II, we look at the new rules on international data transfers and how the new regulatory regime will operate in practice.