A Long Overdue Update of Data Protection Law
By Sikhei Leung
Data Privacy and GDPR – What it means for your business in Hong Kong
I remember watching an episode of The West Wing where a United States Supreme Court candidate was being vetted for a seat on the court. President Bartlett (played by Martin Sheen, who to this day is regularly added to ballots as a real life candidate by voters) and the senior White House staff wanted to know where the candidate stood on the major issue. Certainty was thrown into doubt when a comment about the candidate’s stance on the right to privacy was brought to light and as a result, a member of the fictional President’s senior staff Sam Seaborn, refused to support the candidate. He pontificated: “It’s not just about abortion, it’s about the next 20 years. In the ’20s and ’30s it was the role of government. ’50s and ’60s it was civil rights. The next two decades are going to be privacy. I’m talking about the Internet. I’m talking about cell phones. I’m talking about health records and who’s gay and who’s not.”
Aaron Sorkin and the writers of The West Wing had foreshadowed the defining legal discourse in the past two decades: Data privacy.
Technological advances will inevitably outpace the development of the law that governs those very advances, so it’s a welcome change whenever a set of more comprehensive and current regulations appears. One major (not so) recent addition to the law of data privacy is the European Union General Data Protection Regulation (GDPR). The GDPR was adopted in 2016, came into force on 25 May 2018, and has consequently replaced the EU Data Protection Directive 95/46/EC. It is the single most significant change to data protection law in the European Union in more than twenty years, with serious and far-reaching effects on businesses and consumers around the globe—including those in Hong Kong.
I for one welcome the GDPR essentially raising the bar for data protection all over the world. Accountability towards consumers through transparency is critical in an age where consumer data is so readily available and so effortlessly disseminated to businesses. However, this also means that companies in Hong Kong may need to bring their data handling into line with the new standards set by the GDPR, especially businesses that conduct transactions with EU partners and consumers.
Application of the GDPR
Article 3 of the GDPR determines whom the GDPR affects:
- Data Controllers or Processors (the company) with an establishment in the EU
  - If data is being processed or used within the context of the business, the GDPR applies.
  - Note that “establishment” essentially means most forms of presence in the EU, including the presence of sales offices and representatives in the EU.
- Data Controllers or Processors with an establishment outside the EU
  - If the personal data of subjects in the EU are being processed either:
    - in relation to the offering of goods and services, or
    - to monitor behaviour of EU subjects that occurs within the EU itself,
  - then the GDPR applies.
If your business falls within either of these definitions, it would be wise to overhaul your data protection compliance regulations.
The Major Changes
Here are some of the major changes that have come into play with the introduction of the GDPR. If the GDPR applies to your business, the changes below will almost certainly impact you. Find out whether the GDPR applies to your business. If it does, figure out what changes need to be made to which aspects of the business and prepare a compliance plan. If any doubts exist, do seek professional advice and guidance on updating the company’s data compliance policies and regulations; it’s a small price to pay in order to avoid an onerous fine and the loss of business. Start early, too—it’s a process that might take a while to implement.
To start you off, here’s a link to the handbook published by Hong Kong’s Privacy Commissioner for Personal Data (PCPD) on the impact of the implementation of the GDPR on Hong Kong. The handbook goes into more detail than I do. For a concise summary of the key changes in the GDPR, consult the sections below.
The Appointment of Representatives (Article 27 of the GDPR)
Companies that do not have an office in the EU yet provide their products or services within the EU must appoint a representative within the EU if they process personal data. If a company in Hong Kong offers goods or services in the EU, it will probably need to appoint a representative in one of the countries it does business in. The representative can be a natural or a legal person (so the company can have another company in the EU carry out the job for it).
Exemptions to this rule exist but are unlikely to apply to commercial transactions that fit the above description. Here they are:
- Personal data of EU subjects are only processed occasionally, or
- data processing does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences, or
- processing is unlikely to result in a risk to the rights and freedoms of data subjects.
The representative acts as a liaison between the data subjects and supervisory authorities (the relevant public authorities of the EU member states) in the EU in order to ensure that the data controller complies with the GDPR.
Heavyweight Enforcers: The Data Protection Officers (Articles 37-39 of the GDPR)
If a company’s primary business “consist[s] of processing operations which require regular and systematic monitoring of data subjects on a large scale”, it will need to appoint one or more Data Protection Officers (DPO). Most companies will not need DPOs—this section is really targeted at, for example, social media platforms where the monitoring of data is how companies make money. What a DPO is, and has to be, is a data watchdog free of conflicts of interest and independent from the company. A DPO must be an expert in the area of data protection law and practice. The level of regulatory scrutiny exercised by a DPO is much higher than that exercised by a representative. It would be best to check whether your business really needs a DPO.
Faster Notification in the Event of a Data Breach (Articles 33 & 34 of the GDPR)
New requirements for notifying the subject(s) affected by a data breach are set down in the GDPR:
- How long?
  - ASAP, and not later than 72 hours after having become aware of it
  - Yes, it’s mandatory
- What does the company need to say?
  - If possible, describe the full nature and extent of the personal data breach—try to be specific about what was affected
  - A point of contact, should more information about the breach be requested by the affected data subject(s)
  - Describe the likely consequences of the personal data breach
  - Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including acts of mitigation
  - Communicate what’s happened in clear and plain language with all the relevant details above
Tougher Sanctions for Breaches (Articles 58 & 83 of the GDPR)
The GDPR empowers the data protection authorities of EU member states to impose administrative fines on data controllers and processors for non-compliance with the GDPR. Fines of up to €20 million (around HK$193 million) or 4% of the company’s total worldwide annual turnover are now in effect.
Hong Kong has no such fine for data regulation non-compliance.
New and Enhanced Rights for the Consumer
A number of new rights are now enshrined in and protected by the GDPR:
- Right to notice on data processing
- Right to erasure of personal data (“right to be forgotten”)
- Right to restriction of processing and data portability
- Right to object to processing (including profiling)
Additionally, the GDPR classifies different types of data. It distinguishes between sensitive personal data and other categories of data. This works as a safeguard against companies attempting to collect and process sensitive personal data without the data subject’s consent. Under the GDPR, the data subject’s given consent is generally required for a company to collect his or her sensitive personal data. Examples of sensitive personal data include but are not limited to:
- Racial or ethnic origin of the data subject
- Political opinions and religious beliefs
- Physical or mental health or condition or biometric data
- Commission or alleged commission by the data subject of any offence
Sikhei Leung is a law student and freelance writer. He holds a LL.M. in Human Rights from the School of Oriental and African Studies and a LL.B. from BPP University London. He also has a Psychology degree from Durham University.
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.