Most people are aware that the EU General Data Protection Regulation 2016 (GDPR) will become applicable on 25 May 2018 (it entered into force in May 2016, with a two-year transition period). However, it seems that many Hong Kong businesses are not aware of the wide-ranging impact of the GDPR on non-EU businesses, and that they could themselves be subject to the significant changes introduced by the Regulation.
What is the GDPR?
The GDPR is a new data privacy law intended to harmonize the data protection rules throughout Europe. It grants enhanced rights to individuals but also imposes significant new burdens on organizations and introduces increased fines and penalties for breach of the rules. It represents the biggest change to data privacy law in Europe in the last 20 years.
So how does the GDPR affect Hong Kong businesses?
The GDPR primarily affects organisations established within the EU. However, it significantly expands the territorial scope of EU data protection law: an organisation with no EU presence that handles the personal data of individuals in the EU, whether as a supplier to EU businesses or directly, may also need to comply.
The GDPR provides steep fines for organisations that fail to comply. For the most serious infringements the fine can reach the greater of €20 million or 4% of the organisation's total worldwide annual turnover for the preceding financial year; for lesser infringements, the greater of €10 million or 2% of that turnover.
So how does it work?
The GDPR will apply to organisations located outside of the EU if they offer goods or services to data subjects in the EU, monitor the behaviour of data subjects in the EU, or process personal data in the context of the activities of an establishment in the EU. Each of these tests is considered below.
The location of the organisation that collects the personal data is not, in itself, what matters when considering whether the GDPR applies. The rules apply when personal data are collected from an individual who is located in an EU country at the time the data are collected and processed. This covers any individual who is in the EU, not just EU citizens. By the same token, these provisions do not extend to EU citizens whose data are collected and processed while they are outside of the EU.
Are you “offering goods or services”?
Businesses that already have an EU customer base, or that intentionally offer goods and services to data subjects in the EU, will obviously fall under the GDPR even if the business itself is outside the EU.
For others, it must be apparent that the organisation envisages offering goods or services to, or targets, individuals in the EU. This will be determined on the facts. Most websites are globally accessible, so the mere fact that individuals in the EU can access the website of a non-EU company will not, in itself, constitute offering goods or services to data subjects in the EU. Relevant factors that indicate such an intention include the use of an EU language or currency, references to EU users or customers, marketing activities directed at EU users, the use of EU phone numbers, or the use of EU top-level domain names.
In practice, a non-EU business that trades online, has a website in English which allows EU customers to place orders, and ships products to customers in the EU risks falling within the GDPR's scope, unless the business can somehow show that it did not intend to offer goods or services to EU data subjects. The surest way to keep a business outside the GDPR is to state clearly on the website that the goods or services are not intended for the EU and/or to actively exclude or disable orders from the EU.
Please note that the GDPR can apply even if the goods and services are free.
Are you “monitoring” EU data subjects?
The GDPR makes clear that "monitoring" the behaviour of EU data subjects means tracking people on the internet, and includes the potential use of the information gathered to profile people, e.g. to analyse or predict their preferences, behaviours and attitudes.
The concept of "monitoring" under the GDPR is very wide. The fact that the GDPR gives profiling as an example of monitoring suggests that the tracking should be intentional and that the data should be actively used to profile the individuals or monitor their behaviour. Therefore, the incidental collection of IP addresses (for example, in ordinary web server logs) without making any further use of the data may not be covered. However, it is currently not clear how detailed the tracking of a data subject must be before the GDPR is triggered.
Are you “processing data”?
The GDPR also applies to the processing of personal data in the context of the activities of an organisation's establishment in the EU, regardless of whether the processing itself takes place in the EU.
The term "establishment" will be interpreted broadly and flexibly. An organisation is likely to be regarded as having an establishment in the EU if it exercises "any real and effective activity", even a minimal one, through stable arrangements in the EU. The legal form of the arrangement is not a determining factor: the presence of a sales office, or the appointment of an agent or representative in the EU for the purpose of promoting or providing the company's services to EU residents, may be sufficient.
So what are the implications for Hong Kong businesses?
If you are caught by the GDPR, there are many provisions that may affect your business. Hong Kong businesses may be subject to greater data protection obligations under the GDPR than is currently the case under the Hong Kong Personal Data (Privacy) Ordinance. There has been a great deal of discussion about the issue of consent and the significant penalties under the GDPR, but these are only two aspects of the GDPR that may apply. The key provisions are:
What should you do now?
The GDPR will affect businesses both inside and outside of the EU. Although the GDPR is due to apply from 25 May 2018, it is not too late to act; recent studies show that many companies within the scope of the GDPR will not be compliant by the end of 2018. Even if your business does not have a European presence, if you are dealing with EU businesses or the personal data of individuals in the EU, you should assess whether your business, or its data collection and processing activities, fall within the scope of the GDPR. If your business is an international one, and especially if you have a strong internet presence, it may be safer to assume that some of your customers or users are data subjects in the EU.
Please do not hesitate to contact us if you would like to know more.