Introduction
Less than 20 years ago, three quarters of all stored information was in non-digital form: names were itemized on municipal registers, identification numbers were held in national healthcare systems, and passport numbers were recorded on immigration forms. Today, more than 98% of the world’s stored information is in digitized form: our collective ‘data’ now primarily resides on a de-materialized, open-ended, global digital cloud. In this era of unprecedented online connectivity comprising email addresses, purchase preferences, reading frequencies, travel plans, and many more, all of this personal information is now within reach to be processed for a multitude of analytical purposes. In light of numerous recent privacy related scandals, the safety and security of our data has rapidly come to the fore of heightened attention and debate.
New regulations have emerged in a number of countries to enshrine data protection principles. The European Union (“EU”) has been at the vanguard in introducing a new phase of the regulatory process with the impending entry into force of European regulation 2016/679. This General Data Protection Regulation (“GDPR” or the “Regulation”) is squarely aimed at the protection of individuals with regard to the processing, securing, and free movement of their personal data.
Effective from 25 May 2018, the GDPR has replaced the Data Protection Directive 95/46/EC that was adopted in 1995. This wide-ranging reform is geared towards extending and enhancing the protection of individuals within the EU from privacy and data breaches. It will greatly expand data privacy rights and means of legal recourse and harmonize data protection legislation throughout the continent.
This new regulation is likely to exert significant influence on a host of businesses operating around the globe – not merely EU-based companies. It is thus crucial for companies established in Asia to fully understand the scope of the GDPR, be cognizant of its underlying obligations, and be aware of the associated sanctions and penalties. Upon assessing the applicability of the GDPR to their operations, businesses must plan appropriate measures to ensure compliance with its provisions.
Who is affected by the GDPR?
The GDPR regulates the manner in which businesses process and manage personal data. To ascertain whether your own business will fall within the purview of this Regulation’s provisions, you must now consider whether you conduct any data processing activities within the European Union. If it transpires that the GDPR does apply, you will have to take action to determine the exact role and nature of your business as a data controller or processor.
Which activities are specifically subject to the GDPR?
The GDPR applies to the processing of personal data, i.e. the processing of any information related to an identified or identifiable individual (as opposed to a legal entity), also known as a data subject under the GDPR. This definition encompasses the collection, recording, use or deletion of names, physical or e-mail addresses, phone numbers, locations, banking information, health information, and many more. On this basis, any access to a database containing personal data, sending promotions or newsletters via email, or even simply posting someone’s personal information on social media, will clearly fall within the parameters of the GDPR. Therefore, any type of business that processes the personal data of data subjects may be subject to the GDPR. Businesses that physically store collected data for the purposes of targeted advertising or shipping of goods are just as exposed as more conventional e-commerce businesses that gather significant amounts of personal data as a matter of course. It is worth bearing in mind that the definition of data subjects encompasses not only an enterprise’s customers or clients, but also its own employees. Furthermore, the Regulation may also extend to other legal entities that regularly process large amounts of data, such as public authorities or governmental departments.
Where does the GDPR apply?
The biggest change to the EU data privacy regulatory environment heralded by the new Regulation lies in the expanded territorial scope of its application. Now, any business that processes personal data on EU territory, regardless of the legal entity’s location, must abide by the new Regulation. The GDPR thus applies not only to EU companies (including EU companies doing business in Asia through local subsidiaries or branches) but also to any Asia-based companies (as elsewhere in the world) operating in Europe. For instance, a local startup based in Thailand developing a new app for a global audience will potentially be subject to the GDPR’s provisions. The widening of this Regulation’s jurisdiction beyond the EU, also known as extra-territorial applicability, is particularly broad: Asia-based companies may fall under the GDPR’s scope in the following three different scenarios.
Where the business has an establishment in the EU
Firstly, the GDPR applies to any entity which has an establishment in the EU, and where personal data is processed in the normal course of such an establishment’s activities, regardless of where the processing takes place. Establishment is defined as the “effective and real exercise of activity through stable arrangements,” implying the stable presence of personnel and technical resources within the EU, although the legal form of such arrangements is not a determining factor. Thus, if your business is based in Asia but has an establishment in the EU involved in the processing of personal data, such as a single representative or sales outlet, it would fall within the jurisdiction of the GDPR.
Where the business offers goods or services in the EU
Secondly, any non-EU established business that processes the personal data of individuals within the EU for the purposes of offering goods or services to such individuals, e.g. through a website, will be subject to the GDPR. This qualification does not depend on the individual actually making a payment. Whether a company is actually offering goods or services to individuals in the EU will be determined on a case-by-case basis, with due consideration paid to the intent of the company to do so. It appears that the mere accessibility of a website by an EU audience is not sufficient to demonstrate such an intention, nor is the use of a European language that is also commonly used in the company’s own country. However, using an EU language or currency and the ability to order goods and services in that other language, mentioning EU clients on a website, using an EU top-level domain name, or targeting EU consumers through advertising, are factors that may demonstrate a non-EU business’s intention to offer goods or services to EU data subjects.
Where the business monitors the behaviour of individuals in the EU
Thirdly, a business which has no establishment in the EU and does not offer goods or services to EU data subjects may still be subject to the GDPR if it processes individuals’ personal data for the purposes of monitoring their behaviour within the EU. As with the offering of goods and services, what constitutes monitoring will be determined on a case-by-case basis. This clearly includes the tracking of individuals over the internet for commercial purposes in order to profile them and to analyze and predict their preferences, behaviours, and attitudes.
Therefore, if your company’s website or app uses cookies or other tracking methods to monitor the behaviour of individuals within the EU, this would fall within the remit of the GDPR. The GDPR applies its protections to all data subjects, regardless of their nationality or residence, as long as they are ‘in’ the EU. Data subjects, therefore, need not necessarily be EU citizens or residents. If your business collects personal data on Asian citizens while they are on vacation in the EU, for example, such data processing may still be subject to the GDPR.
This article is written by DFDL Lawyers and edited by Rishika Pundrik of Asia Law Network.
This article was first published on the DFDL website.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.