In April 2016, the European Union sought to replace its 1995 Data Protection Directive with a new set of regulations aimed at protecting the internet rights of EU residents. Last week, the new and much awaited General Data Protection Regulation (GDPR) finally came into effect. It reinforces data privacy on a much larger scale than any of the previous national data privacy laws, both territorially and digitally. For the first time, one set of regulations protects the internet rights of residents of the EU and the EEA. And while the GDPR may not be a hundred percent perfect, it unifies data protection regulation across Europe and shifts the balance of power toward individual internet users rather than organizations.
A revised set of internet rights
The GDPR provides individuals in the EU with a set of fundamental data subject rights as well as contextual rights which they can exercise under particular conditions and with exceptions. These include the right to be forgotten, the right to object, the right to access and the right to be notified, among several others.
Essentially, this implies that an EU resident’s data cannot be collected, used or stored until the organization has received explicit permission from the user to process their data. These organizations are also required to clearly explain why the user’s data is being gathered and how it is being used.
Of course, these data subject rights are not absolute and, as mentioned, are subject to conditions and exceptions. They can also be influenced by already existing rights; for example, the right to information and the freedom of expression could affect the right to erase one’s data. There will also be cases in which organizations have their own legal stipulations and obligations which could outweigh the data rights of users. In such cases, however, there are guidelines set up by the European Data Protection Board for organizations to follow.
The new regulations called for significant changes in company policy and infrastructure. The EU gave a grace period of two years so that companies, both European companies and those outside the EU, could make the necessary changes in order to be GDPR compliant.
Is Asia ready?
Asia, of course, is one of the regions which had to sit up and take notice of the GDPR. But do enterprises based in Asian countries need to be bothered by a data protection law for European citizens?
The fact of the matter is that they do. Given that the GDPR focuses on protecting the individual rights of internet users, these regulations apply to any organization which collects and holds data of EU residents. The GDPR particularly applies to companies that (a) process personal data outside of the EU but have establishments, such as branches or subsidiaries, in the EU; (b) provide goods and services to users in the EU; or (c) monitor the behavior of individuals in the EU.
Although many Asian countries have adopted stricter data privacy laws in recent years, like Japan’s Personal Information Protection Act (PIPA) and Singapore’s Personal Data Protection Act (PDPA), the GDPR completely raises the bar when it comes to data privacy. So, is it surprising that there are very few Asian companies which are compliant despite the two-year grace period? In fact, studies have shown that even a month before the GDPR was scheduled to take effect, less than one-third of Asian companies were ready for it. While organizations in Europe have been preparing for the GDPR for the past two years, many Asian companies are only just beginning to comprehend and assess the impact of the GDPR on their businesses.
What happens if Asian companies are non-compliant?
The consequences of being non-compliant are pretty dire. If Facebook’s data breach had occurred after the 25th of May, the social media giant would have been answerable to the EU, and then perhaps the company wouldn’t have escaped unscathed.
An organization could face multiple lawsuits and a fine of up to €20 million or 4% of its annual global turnover, whichever is the greater amount. However, these are the legal consequences that European companies will face.
The one beacon of light in the confusion surrounding the GDPR is that the EU regulators would most likely focus on European companies before they look towards Asia and the rest of the world. It still appears to be unclear how the regulators plan to enforce the GDPR overseas. The suggested course of action is that Asian companies that fall under the GDPR would be required to appoint a representative as a point of contact in Europe. The point of contact could be a subsidiary, branch or representative office. Where regulators run into roadblocks while taking action against a non-compliant Asian company, they would most likely take enforcement action against this European contact instead.
However, the fact remains that overseas companies that fall within the GDPR’s scope have to ensure that they are ready. Even if they seem late to the game, Asian companies, including small businesses and start-ups, need to consider whether they are required to comply with the GDPR or not, and then take the necessary actions to accommodate these changes.