/  Event Reports   /  New European data protection rules

New European data protection rules

The ECCT's Technology committee hosted a lunch on the topic "New European data protection rules - Compliance requirements and implications for business" with guest speaker Joel Cheang, Managing Associate at Linklaters. At the event the speaker outlined the main provisions of the General Data Protection Regulation (GDPR) and the implications for businesses operating in Taiwan.
While the European Union only implemented GDPR on 25 May 2018, more than 100 jurisdictions already had comprehensive data protection laws in place, including Taiwan, Singapore and mainland China.

Since data is now regarded as an important resource, the GDPR was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens" data privacy and to reshape the way organisations across the region approach data privacy.

The GDPR differs from the previous EU Data Protection Directive in that the GDPR is directly effective in all EU member states. It aims to remove variation in the single market, but create robust protection for citizens. The GDPR is not the only such legislation, although it is the most comprehensive. The Asia-Pacific Economic Corporation (APEC) Cross-Border Privacy Rules is another example of a push for alignment and unification of data protection laws. In a global economy that is increasingly digitised and data-driven, there is a stronger emphasis on adopting aligned and unified privacy laws to allow businesses to better manage their data, while still protecting the integrity of individuals" personal information. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. EU authorities have made the case that stronger rules on data protection will mean that people will have more control over their personal data and businesses will benefit from a level playing field.

Data protection laws in most jurisdictions are built on three core concepts: 1) Processing 2) of personal data 3) by data controllers and data processors. Processing refers to anything you might imagine doing to information. It is irrelevant whether processing is active or passive.

Data protection laws protect individuals" personal data and sometimes give extra protection to "sensitive" or "special categories" of personal data. Personal data is typically information relating to an identified or identifiable natural person such as name, contact information and passport or ID information. Sensitive personal data is a subset of personal data. The precise categories vary by jurisdiction but typically include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic and biometric, data concerning health, data concerning a person"s sexual orientation or data relating to criminal convictions or offences. One item of data, such as blood type, may not be subject to protection. However, if a person"s blood type is revealed together with other personal data, it may be subject to protection.

Most privacy laws regulate the use of personal data and sensitive personal data by two types of parties:

  • Controllers: This is a person who, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller decides "what" personal data will be processed for, and "how" it will be done.
  • Processors: This is a person who processes personal data on behalf of a controller. An example might be a company that processes payroll or a cloud provider that offers data storage. However, in more complex relationships it can be difficult in practice to work out if someone acts as controller or processor.
A controller must ensure the processing of personal data complies with all six of the following GDPR principles:
  • Fair and lawful processing: Personal data must be processed lawfully, fairly and in a transparent manner.
  • Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
  • Accuracy: Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
  • Retention: Personal data should be kept in an identifiable format for no longer than is necessary.
  • Integrity and security: Personal data should be kept secure. The controller must notify the data protection regulator if a breach poses a "risk" to the rights and freedoms of affected individuals within 72 hours. In addition, they must notify data subjects where there is "high risk" of a data breach.
The biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company"s location. The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU. The GDPR focuses on all data subjects. Hence, not only a bank"s customers but all natural persons whose personal data a bank processes are within the scope of the regulation, including employees.

How does one determine whether a company is subject to GDPR? There is some room for interpretation but the speaker offered the following strong indications that point to being subject to GDPR:

  • Language: They are using the language of an EU member state, and that language is not relevant to customers in its home state.
  • Currency: They are using the currency of a member state that is not normally used in its home state.
  • Domain name: The website has a top level domain name of a member state.
  • Delivery to the EU: The business delivers physical goods to a member state.
  • Reference to citizens: There is reference to individuals in a member state to promote goods and services.
  • Customer base: A large proportion of customers are based in the EU.
  • Targeted advertising: The business is targeting advertising at individuals in a member state.
Under these indications, an e-commerce operation doing business with Europeans, for example, would be subject to GDPR.

Organizations in breach of GDPR may be fined up to 4% of their annual global turnover or €20 million (whichever is greater). The rules apply to both controllers and processors, meaning that "clouds" will not be exempt from GDPR enforcement. However, the speaker made the point that it will take some time for authorities to investigate and process cases of violations. Moreover, actual fines are not likely to be anywhere close the maximum levels. Authorities are also likely to focus on large players rather than small companies.

Under the GDPR, the conditions for consent have been strengthened and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily-accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. However, according to the speaker, consent is only one way to comply with the GDPR, and not the only way. The speaker noted that asking for explicit consent, for example, through an email, may simply be ignored by most people, resulting in a large loss of potential customers. Seeking consent for sending emails should not be necessary as long as the receiver has the option to be removed from the mailing list. However, this is based on the opinion that the email serves a "legitimate interest". As with other interpretations of the GDPR, this has yet to be tested in the legal process. This is one aspect that may generate friction in the implementation of GDPR. There may also be cases of GDPR conflicting with national data protection laws already in place. How the GDPR is actually implemented in practice and the implications for business may only be seen in a matter of months, or even years.