The European Union General Data Protection Regulation (“GDPR”) is the new European data protection regulation which took effect on 25 May 2018 and replaces the EU Data Protection Directive 95/46/EC.
The GDPR data protection regime has an impact on businesses across the world in that businesses outside the EU may fall within the scope. For example, due to the global nature of businesses these days and the extra-territorial effect of the new regulation, any businesses holding and processing the personal data of individuals located in the EU, regardless of the operating location, may also need to comply with the GDPR.
As a consequence, businesses including online businesses and financial institutions in Hong Kong (“HK”) could be potentially affected. This update discusses the implications and effects of GDPR on entities operating in HK, potential risks to HK businesses, and what changes will need to be implemented in order to be GDPR compliant.
Overview of the GDPR
The GDPR aims to strengthen the laws on the protection of ‘privacy data’ (e.g. data about a person’s identity, name, address, ID number, health, genetic, race, sexual orientation, use of internet and online data such as web data location, IP address, cookie data, etc.) that relates to an identified or identifiable ‘natural person’ (i.e. one who has its own legal personality).
The GDPR has extra-territorial scope: where Hong Kong businesses (even those with no physical presence in the EU) store or process personal information about EU citizens in EU states, those businesses must comply with the GDPR. The GDPR also applies to non-EU data users so long as the processing activities relate to:
(a) offering of goods and services to EU data subjects (regardless of whether payment is taken); or
(b) monitoring of behavior of individuals within the EU.
In the situations mentioned above, the following examples of HK businesses could be impacted by the GDPR:
(1) A HK hospitality business using cookies to track past customers’ browsing in order to target specific promotions / deals / advertisements to those customers (including customers based in the EU).
(2) A HK business allowing customers in the EU to make orders for fulfillment only in HK. In such cases, where the price for the goods or services is denominated in an EU currency, the GDPR will apply.
An example where the GDPR will not apply is:
(3) A HK business with a website for orders / deliveries to the EU or elsewhere, where the HK business’s website is aimed at individuals in the EU in English, the currency is the HK dollar and the address fields only allow HK addresses.
HK’s Current Data Privacy Regime and Comparisons with the GDPR
The following table sets out the main differences between the Personal Data (Privacy) Ordinance, Laws of Hong Kong (Cap 486) (“PDPO”) and the GDPR:
| | PDPO | GDPR |
|---|---|---|
| Scope of application | Applies to data users who, either alone or jointly or in common with other persons, control the collection, holding, processing or use of the personal data in or from Hong Kong. (s.2(1)) | Applies to data processors or controllers: (a) established in the EU; or (b) established outside the EU, that offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU. (Article 3) |
| Mandatory breach notification | No mandatory notification requirement. Notification on a voluntary basis. | Data controllers are required to notify the authority about a data breach without undue delay (exceptions apply), and to notify data subjects unless exempted. (Articles 33-34) |
| Sensitive personal data | No distinction between sensitive and non-sensitive personal data. | Processing of sensitive data only allowed under specific circumstances. Category of sensitive personal data expanded. |
| Consent | Consent not required for collection of personal data, unless the personal data is used for a new purpose. (DPPs 1 & 3) | Consent must be given by the data subject for processing. Consent must be freely provided, specific and informed, and an unambiguous indication of the data subject’s wishes. (Art 4(1)) |
| Data processor obligations | Data processors are not directly regulated. Data users must adopt contractual or other means to ensure data processors comply with data retention and security requirements. (DPPs 2 & 4) | GDPR imposes new direct obligations on data processors in areas such as security, record keeping and international transfers. Data processors (i.e. organisations that process data on behalf of data controllers) are subject to additional obligations, e.g. maintaining records of processing, ensuring security of processing, reporting data breaches, designating Data Protection Officers, etc. (Arts 30, 32-33, 37) |
| Enforcement and fines | The Privacy Commissioner is not empowered to impose administrative fines or penalties, but may serve enforcement notices on data users. | Data protection authorities can impose administrative fines on data controllers and processors. (Art 58) Fines can be up to €20 million (around HKD 180 million) or 4% of total worldwide annual turnover. (Art 83)* |
Due to the wide reach of the GDPR, HK businesses which may fall within its scope should conduct an assessment of their data protection policies, processes and documentation to ensure compliance with the GDPR and minimise the risk to their businesses.
Steps that HK businesses can take include, for example, undertaking an across-the-board review of data flows within the organisation (i.e. what information is being held, with whom the information is being held, etc.), designating key members of senior management to plan for GDPR and privacy law compliance, and appointing a designated data protection officer as part of good corporate governance.
Please feel free to contact our IP & IT team if you require any further assistance regarding data privacy compliance obligations under the GDPR or under Hong Kong laws generally.