The European Union (EU)—via the EU Commission—has enacted two key regulations relating to data processing:
- The General Data Protection Regulation (GDPR)
- The Network and Information Security Directive (NISD)
While both came into force in April 2016, they will not apply until May 25, 2018.
When the GDPR comes into full force, any company based in Hong Kong, or anywhere else for that matter, will need to have governance policies in place if they solicit or target, collect, store, or process any data on a citizen of the EU. Despite the “Brexit” filing, this also means U.K. citizens for the foreseeable future.
A recent survey by the U.K. Chartered Institute of Marketing indicated that only 5% of marketers say they wholly understand what the GDPR means for their business.
Half say they don’t know anything about it at all and a surprising 16% do not think GDPR is relevant to them. Heavy fines await businesses that are not compliant—fines for breaking the regulations are capped at US$23.3 million or 4% of global turnover, whichever is higher.
Precedent for GDPR Enforcement
A couple of recent examples indicate that even before the GDPR comes into force, individual Privacy Commissioners are enforcing their own laws more vigorously. The U.K. Information Commissioner’s Office has fined U.K.-based airline Flybe and Honda Motor Europe a total of US$107,800 for misuse of customer data.
Flybe was fined US$91,800 for simply sending an email to three million customers asking if the details on their records were correct. Honda was fined US$17,000 for sending nearly 300,000 emails about customer preferences. Both were viewed as unsolicited marketing, and therefore broke the law.
On February 2, 2017, the Italian Commissioner accused a company of misusing data they controlled in a financial scheme that involved both Hong Kong and China. The company allegedly made money transfers on behalf of individuals without their knowledge or consent to avoid money laundering laws.
This resulted in a fine of over US$6 million, comprising over US$10,000 for each offense, multiplied by the 583 victims, plus a further US$58,000 fine—a record fine for a U.K. company operating in Italy. This is the largest data privacy fine ever issued by a European data protection authority for a breach of the EU’s data protection framework.
Impact on Hong Kong Companies
What does this mean for the board of a listed company in Hong Kong? If they have a branch office in Europe, it means quite a lot.
If a company actively solicits EU individuals, for example through targeted email or a website written in a European language, it may be subject to the regulation, which would require compliance because the company is deemed to be a “data controller.” As well as ensuring that the data gathered on individuals serves the stated purpose of processing, businesses must also document the legal basis of that processing (such as consent), demonstrate that the processing is “necessary” for the performance of a contract, or show that the purposes reflect the legitimate interests of the data controller or a third party.
The GDPR also has provisions governing data portability: an EU citizen or resident may request the return of all data held, or direct the entity holding the data to move it to another entity.
The EU law will mandate that many large organizations appoint a Data Protection Officer (DPO) to maintain an overall view of where data is located and to set controlled parameters on who has access to it. The DPO will have to work with the chief information security officer and the IT department to monitor and control data movement across the company and to determine how data is used. Data may be held at different locations—and in different countries—within the organization with no central control, so bringing it all into line will be a challenge.
Organizations addressing the GDPR and other regulations must first take steps to re-architect their data provisioning to have any chance of compliance. As in the U.K., this has not yet been recognized as a matter of urgency in Hong Kong or the wider region, and only a few months remain to get the controls in place and avoid the severe penalties.
Data Management Policies Need Reform Before May 2018
Hong Kong has one of the strongest personal privacy regimes in Asia, and globally. Its regime is fairly close to the GDPR in a number of key regulations, but not all: Hong Kong’s Privacy Commissioner for Personal Data is examining this with a view toward achieving equivalency.
However, a board has a fiduciary duty and needs to ensure that shareholders are protected, no matter where data is stored or processed, and that includes when companies use an outsourced service, including cloud computing services. Moreover, the data controller cannot outsource its responsibility.
Hong Kong companies, therefore, need to put in place data management policies that will protect data that is held on EU citizens or face prosecution. The technology industry is creating innovations to address compliance with the GDPR and other regulations under the general description of “RegTech.”
The boards of Hong Kong companies need to be aware of this and take action sooner rather than later to protect their shareholders (and themselves) before they get a letter from an EU privacy commissioner after May 2018.
Editor’s note: This article first appeared in Computerworld Hong Kong and may be viewed here. This article has been updated to reflect the latest developments.
This article was also published on China Briefing.