EU GDPR: Impact on Hong Kong?
The European Union's General Data Protection Regulation, or EU GDPR, came into effect in May 2018 and fundamentally reshapes and expands data privacy regulation. Today, we focus on two of the main concerns that businesses have had with the EU GDPR: the potential for high fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher) and its extra-territorial effect. Both came into the spotlight in recent months.
In January 2019, France's data protection authority, the CNIL, fined Google €50 million under the GDPR. The French regulator ruled that Google violated transparency obligations and failed to obtain valid consent from users when processing their data in relation to personalised advertising.
In July 2019, the UK Information Commissioner's Office levied a £183.4 million fine on British Airways, following a website failure that allowed hackers to steal the personal data of roughly 500,000 customers. Shortly afterwards, Marriott International was fined £99.2 million by the UK regulator after its security practices failed to protect the data of approximately 339 million customers. Both companies have said they will appeal.
Infringements that go against the core principles of the right to privacy and the right to be forgotten are seen as serious and more likely to attract higher fines.
Closer to home, and following the British Airways fine, it remains to be seen if the data leak affecting 9.4 million Cathay Pacific passengers will expose the airline to EU GDPR penalties; it is unlikely, as the incident occurred in March 2018, whereas the GDPR became effective in May 2018. However, this does raise an interesting point as to whether the GDPR could apply to a non-EU company, and the answer to that is "yes", if Cathay Pacific offered services to data subjects in the EU.
The extra-territorial scope of the GDPR
This brings us to the second aspect of GDPR that has worried non-EU businesses. A significant development under the GDPR is its extra-territorial scope. When determining whether activities fall within its geographical reach, the GDPR considers not only the location of the data processing, but also the location of the individual whose data is being processed. This means that the GDPR may apply to organisations located outside the EU.
Article 3(2) of the GDPR provides that "this Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
The processing of personal data of an individual in the EU is not in itself sufficient to trigger the application of the GDPR; the element of "targeting" the individuals, either by offering goods or services or by monitoring their behaviour, must also be present. Here are some factors that will help you decide if your business is targeting a person in the EU, in diagram form:
Recent guidance, in consultation form, from the European Data Protection Board contains some useful examples:
A bank in Taiwan has customers that are residing in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities are not directed at the EU market. The bank's processing of the personal data of its German customers is not subject to the GDPR.
A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist's personal data via the app by the U.S. company is not subject to the GDPR.
Ultimately, whether Article 3(2) applies to a business in Hong Kong is a question of fact to be determined by the circumstances of each specific case.
• A company can be penalised, even though the breach of GDPR was the result of an external hack, rather than an internal leak. Are your company's security controls robust enough to detect and prevent external hackers?
• EU regulators may have been a little slow to start taking action, but there is likely to be an increase in investigations and penalties in future.
• It is a question of fact depending on the circumstances of each case as to whether Article 3(2) would apply to a business in Hong Kong. Have you considered whether GDPR applies and are you prepared for a GDPR investigation? Could such an investigation trigger inquiries by the Hong Kong Privacy Commissioner?
Howse Williams is an independent law firm which combines the in-depth experience of its lawyers with a forward-thinking approach.
Our key practice areas are corporate/commercial and corporate finance; commercial and maritime dispute resolution; clinical negligence and healthcare; insurance, personal injury and professional indemnity insurance; employment; family and matrimonial; property and building management; banking; fraud; financial services/corporate regulatory and compliance.
As an independent law firm, we are able to minimise legal and commercial conflicts of interest and act for clients in every industry sector. The partners have spent the majority of their careers in Hong Kong and have a detailed understanding of international business and business in Asia.