As a risk management lawyer, among other things, I am often involved in privacy-related issues. Not only am I involved with Korean privacy laws, but also with privacy laws in general, especially those that affect the Asia Pacific region. Of recent note is the EU's General Data Protection Regulation (GDPR), which will have an immediate impact on businesses in Asia.
The GDPR, which takes effect in May 2018, applies to companies in Asia that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU, and those companies will have to comply with its provisions. Companies that fail to comply face fines and other enforcement measures. What should companies in the Asia Pacific region do to comply?
One of the steps companies in Asia must take is to reassess how they obtain consent when seeking permission to collect, store or transfer consumer data. Many will also have to appoint a data protection officer (DPO); under the GDPR a DPO is mandatory where an organisation's core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The IAPP estimates that companies in China alone may have to hire up to 7,500 DPOs qualified in privacy law to comply with the GDPR.
The GDPR, once in force, will replace the EU's existing data protection directive with a single regulation, directly applicable in every member state, that governs how personal data is collected, stored and transferred. This means that companies doing business in Asia or headquartered in Asia will come under scrutiny by EU regulators if they target individuals in the EU, regardless of those individuals' nationality.
The reasons for complying with the GDPR are significant. For companies that fail to comply with its provisions, the penalties are severe: fines of up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher. Handling consent correctly will therefore be very important, and it must be done in accordance with the GDPR's strict rules.
For instance, although most countries in Asia have enacted data protection laws that touch on how data may be collected, stored and transferred once an individual has given consent, most of those laws do not define consent as specifically as the GDPR does. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; implied or "deemed" consent (silence, pre-ticked boxes or inactivity) no longer suffices. There is a host of other privacy requirements under the GDPR that most Asian regimes do not currently match. A look at the following Asia Pacific jurisdictions and their recent changes in privacy law suggests they still have far to go before their local rules align with the GDPR:
1. Australia- Australia's Privacy Act was first enacted in 1988. It has been substantially amended twice since then, most recently in 2012. There is no provision requiring a data protection officer. Under the Privacy Act, regulated entities must comply with the Australian Privacy Principles (APPs), a set of privacy principles introduced by the 2012 amendments. One of the most significant changes in the amended Act was a provision extending the reach of the privacy rules to cover overseas handling of personal information, so that an entity that discloses personal information to an overseas recipient generally remains accountable for it.
2. Hong Kong- Hong Kong was the second jurisdiction in Asia to adopt a comprehensive data privacy law. The law, the Personal Data (Privacy) Ordinance (PDPO), was enacted in 1995. The Ordinance applies to both the public and private sectors and protects the personal data of living individuals. As amended in 2012, the Ordinance also regulates the use of personal data in direct marketing activities. Like Australia, Hong Kong does not require the appointment of a DPO.
3. India- India issued rules in 2011 implementing parts of the Information Technology Act 2000, as amended in 2008. The 2011 rules cover the protection of personal information and set out how personal information may be collected and used by organisations in India. Like Australia, the Indian privacy rules do not require the appointment of a DPO. There are limitations on cross-border transfers of personal information, but those limitations apply only to sensitive personal data or information as defined in the rules.
Companies located in Asia that target EU consumers now have hard decisions to make. Given the cost of complying with the GDPR, many companies in Asia will either have to hire qualified privacy officers and rework their consent and data-transfer practices, or consider withdrawing from the EU market altogether.