On 25 May 2018, the General Data Protection Regulation 2016 (GDPR) came into force in the EU. It is drafted as a Regulation and becomes immediately applicable in all EU member states.
The GDPR contains new provisions, prohibitions and regulations for the collection and processing of personal data. This significantly enhances data protection.
A. Impact on Hong Kong
The GDPR does have extraterritorial effect, meaning that businesses in Hong Kong can be subject to the new regulations. Since the GDPR sets out more stringent regulations than the Hong Kong Privacy Ordinance, Hong Kong businesses are advised to check whether they could be subject to the GDPR.
The GDPR applies to a Hong Kong business if such business has an establishment in the EU. An establishment does not only contain a subsidiary, affiliate or mother company, but also a representative selling goods or services to the public in the EU.
The GDPR is furthermore applicable to a Hong Kong business without such establishment if they sell goods or services to the public in the EU.
B. Regulations
Organisations/ businesses subject to the GDPR must:
- Demonstrate their compliance with the principles of processing of personal data;
- Implement appropriate technical and organizational measures to ensure compliance; and
- Integrate data protection into their processing activities.
More specifically, the GDPR requires:
- The appointment of a Data Protection Officer;
- Undertaking a Data Protection Impact Assessment;
- Undertaking Privacy by Design and by Default, and integrate the necessary safeguards;
- Keep records of processing activities; and
- Draft data processing or handling policies or practices to demonstrate compliance.
Data defined by GDPR includes race, religion, sexual orientation, health, etc. Its collection is prohibited unless certain conditions are fulfilled.
For other personal data, the GDPR requires explicit, free, informed and unambiguous consent by the data subject.
If a business breached its obligations under the GDPR, it is required to notify the EU supervisory authority within a certain time limit.
If a business wants to collect personal data, it needs to comply with the new and enhanced rights for individuals, including the right to notice on data protection, the right to erase personal data, the right to object the collection and controlling, and (new) the right to restrict the processing of the personal data.
C. What Hong Kong businesses should do
Given its wide application, it is advisable for a Hong Kong business to check whether it might be subject to the GDPR. If so, the responsible persons should make sure that their privacy statements, collection and processing process of personal data is up to date.
If the Hong Kong business has an affiliate in the EU, it is advisable to adjust their processes to the EU level.
Solicitor, Hong Kong Qualified
Joshua Chu is Litigation Solicitor qualified to practice in Hong Kong. Before becoming a lawyer, Joshua worked in the healthcare industry serving as the IT department head at a private hospital as well as overseeing their procurement operations.
His legal experience includes representing the successful party in one of Hong Kong’s first cryptocurrency litigation cases as well as appearing before the Review Body on Bid Challenges under the World Trade Organization Government Procurement Agreement concerning a health care industry related tender.
On the side, Joshua has also dabbled into academic, regulatory, compliance and business consultancy practices where he maximize the utility of his past technical experiences.
Solicitor, GPS McQuhae (Hong Kong)
Anna Lau is Litigation Consultant at GPS McQuhae LLP in Hong Kong. A biomedical engineer by training, prior to her embarkation onto her legal career, Ms Lau had worked closely with the United States Patent and Trademark Office (USPTO) and US Food and Drug Administration (FDA) on intellectual property and FDA regulatory work.
Her unique skill set enables her to expertly deal with Technology/Intellectual Property law, being able to use an engineer’s perspective to understand each individual client’s need and advise them in their own (tech) language. Anna was part of the team that represented the successful Defendant in one of Hong Kong’s first cryptocurrency litigation.
