In our increasingly connected digital society, the services of many organisations are global in nature. But the online world does not respect physical or geographical boundaries and this gives rise to the question of which law is applicable. In the data protection and privacy space, Europe's new General Data Protection Regulation (GDPR) seeks to tackle online transnational data and privacy issues through its extra-territorial application.
What does the GDPR regulate?
The GDPR came into force on 25 May 2018 and prescribes how companies and organisations (controllers) should process “personal data” (being any information that enables an individual to be identified). Companies and organisations handling or processing personal data may only do so in a legitimate, fair and transparent way, informing data subjects about their processing activities and gaining consent where required. There are limits on the retention of personal data, as well as reporting requirements in the case of certain data breaches (a cyber-attack being an obvious example). The GDPR anticipates that companies will implement new systems and processes to protect personal data, and conduct impact assessments in certain situations. Data transfers present a further compliance issue, as companies subject to the GDPR are required to ensure that personal data is protected and consents sought when that data is transferred to a third party.
Extra-territoriality and the GDPR
The GDPR replaces the EU Data Protection Directive. Application of the Directive was anchored to the location of data processing and it attracted criticism as a result. It allowed organisations processing the personal data of individuals in the EU to avoid compliance with the Directive by locating their business (and often their servers) outside of the EU. The GDPR takes a different approach, taking into account not only the location of the processing but also the location of the individual whose personal data is being processed. This marks a significant expansion of the territorial scope of the Directive. As such, it is likely to transform data protection inside and outside the EU.
The GDPR will be binding on organisations outside the EU if they process personal data:
- in the context of an establishment of a controller or a processor in the EU;
- relating to the offer of goods or services to individuals in the EU (e.g. via a website offering delivery to the EU); or
- relating to the monitoring of the behaviour of individuals in the EU (e.g. by using cookies to track an individual’s activity on the internet).
This will impact businesses and firms in Hong Kong provided one of the above requirements is satisfied. The legislation has potentially very wide application, although we don’t yet have any guidance on how this drafting will be interpreted in practice.
The extra-territoriality test
In the context of an establishment
According to the recitals to the GDPR, establishment “implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.” The presence of a single representative may be sufficient according to European Court of Justice case law. In Weltimmo v NAIH (C-230/14), a case concerning the Directive, Weltimmo – which was incorporated in Slovakia – was considered to be established in Hungary by virtue of the use of a website in Hungarian, which advertised Hungarian properties, use of a local agent, and use of a Hungarian postal address and bank account.
Offering goods and services
The recitals to the GDPR provide that the following factors are strong indicators of offering goods or services to EU residents:
- language – using the language of a Member State where that language is not relevant to customers in the home state (e.g. a Chinese web shop with a website available in English, French and German);
- currency – using the currency of a Member State where that currency is not generally used in the home state;
- delivery – offering delivery to a Member State; or
- reference to citizens – referencing EU residents.
Monitoring behaviour
Monitoring of behaviour is described as relating to the tracking of individuals online, including where this is used to take decisions to analyse or predict personal preferences, behaviours and attitudes (profiling). Examples of monitoring could include:
- online behavioural advertising;
- travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
- profiling and scoring for the purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering);
- location tracking, for example, by mobile apps; and
- monitoring of wellness, fitness and health data via wearable devices.
Examples of extra-territoriality in practice
Company A is a multi-national organisation with presence in multiple jurisdictions around the globe. It has a shared services centre located in Hong Kong which provides certain support services to group companies, including to the UK group entity. Some of those support services involve the processing of personal data on behalf of the UK entity.
Application of extra-territoriality
The GDPR applies to the processing of personal data in the context of the activities of the UK entity (regardless of whether the processing takes place in the EU or not). Although there is currently no guidance on how this would be interpreted, it is also likely that the GDPR would apply to the UK-related activities of the Hong Kong entity.
Company B is located in the PRC. It does not advertise or market its goods directly into the EU, but its website is also available in English and customers in the UK can order products to be delivered to the UK.
Application of extra-territoriality
The GDPR applies to the processing of personal data of EU data subjects by Company B where the processing activities are related to the offering of goods or services to EU data subjects. The absence of direct marketing is not relevant if Company B is providing goods and services to EU data subjects. The GDPR would therefore apply to the PRC company’s processing of personal data relating to its EU customers.
Practical impact of extra-territoriality for non-EU companies
One point to note is that the GDPR does not apply to EU nationals working overseas who are neither physically based nor resident in the EU. The GDPR therefore does not apply to a Hong Kong entity’s processing of personal data relating to its employees who are EU nationals resident in Hong Kong.
The mechanism for overseas enforcement of GDPR obligations is also currently unclear. The unanswered questions regarding the enforceability of the regime against non-EU companies suggest that, despite increased fines and sanctioning powers, reputation may continue to be the key driver behind privacy compliance for market leaders outside the EU.
That said, the GDPR provides that non-EU controllers and processors offering goods and services to EU residents, or monitoring their behaviour, must designate a representative in the EU. The representative must be:
- co-located in the Member State “where the data subjects are whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored”; and
- mandated by the controller or processor to be addressed “in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purpose of ensuring compliance with the Regulation”.
The designation of a representative is without prejudice to legal action that could be initiated against the controller or processor, but it seems that an EU representative may be legally liable for non-compliance by its non-EU principal. Given the questions about enforceability of the rules of extra-territoriality, it seems likely that EU regulators and courts will be inclined to pursue a party located within the EU if there is doubt over enforcement externally. This raises the question of why anyone would want to accept a representative role, especially given that a representative cannot force its principal to comply but could still be liable for that principal’s non-compliance.
Regardless of enforcement issues, it is clear that the GDPR will have far-reaching implications for non-EU entities and as such, its requirements must be taken into account by organisations around the world. Hong Kong companies and firms should assess whether their activities will place them within the reach of the GDPR and EU regulators, and prepare accordingly.