The EU General Data Protection Regulation ('GDPR') is fast approaching. After a two-year implementation phase, the new Regulation will come into force on 25 May 2018. It is Europe's biggest shift in data protection law in decades, and it does not affect only European companies. Because of the extra-territorial effect of the GDPR, numerous Hong Kong entities will face substantial challenges adapting to the new requirements.
The new law comes in the shape of a regulation and is directly applicable in all member states. Whereas the Personal Data (Privacy) Ordinance (Cap. 486) ('Ordinance') generally imposes direct compliance obligations only on controllers, the GDPR imposes these obligations on both controllers and processors. This is likely to affect the way supply and other commercial agreements are drafted in light of the new European rules.
One of the key foundations of lawful data processing under the GDPR is the data subject's consent. The requirements in this regard have been raised compared to the previous regime under the Data Protection Directive ('DPD') and go beyond those of the Ordinance. Valid consent has to be (i) freely given, (ii) specific, (iii) informed and (iv) unambiguously indicated. Hong Kong companies within the scope of the GDPR that rely on the consent of data subjects as a lawful basis for any of their processing activities should ensure that they meet the new obligations.
Several provisions on accountability and governance support the enforcement of the data processing principles. A new feature is data protection by design and by default, which does not exist under Hong Kong law. Furthermore, the GDPR provides mandatory rules on the appointment of a Data Protection Officer and on data breach notification, whereas under the Hong Kong data protection regime such measures are only recommended.
The new Regulation strengthens the rights of individuals. These include the right to information, the rights of access, rectification and erasure, the right to restriction of processing, the right to data portability, the right to object and the right not to be subject to automated decision making (e.g. profiling).
Administrative fines of up to EUR 20,000,000.00 or, in the case of an undertaking (e.g. a group), up to 4 percent of total worldwide annual turnover, whichever is higher, can be imposed for infringements of the Regulation. Furthermore, individuals may claim compensation for both material and non-material damage.
The GDPR provides an elaborate regulatory system, the result of several decades of data protection in Europe and a long legislative process. It is an important step towards full data protection harmonisation within the EU. Detailed requirements and heavy fines pose challenges for all affected organisations. Hong Kong companies will not be able to rely fully on existing protection measures set out in accordance with the Ordinance, which is largely based on the former European DPD. Organisations that adapt to the new challenges and implement measures such as data protection by design and data accessibility may also benefit from new, more efficient data processing and accounting systems. The new Regulation will enter into force soon, and companies should take immediate steps to ensure compliance. However, member state rules in several specific areas and case law on the new provisions have yet to be established.