By Nick Ferguson

How important is data privacy? Consider that Facebook’s value dropped more than US$100 billion last week after questions arose about its handling of user data. And it isn’t even clear that the company actually did anything wrong.

The stakes are obviously high for companies such as Facebook, which tread a fine line between respecting their users’ privacy and, at the same time, selling their users’ data to third-party companies. But data privacy is also becoming a very significant issue for all types of companies, even in Asian jurisdictions where regulation or enforcement is lacking.

In May, Europe’s new General Data Protection Regulation (GDPR) will require companies all over the world to comply with EU data privacy laws if they handle the personal data of citizens from the EU.

So how seriously should Asian companies take the new EU rules? “GDPR should appear high on the company’s risk and planning registers, particularly if you consider the potential level of punitive measures available if a breach occurs,” according to Alex Milner-Smith, a managing associate at Lewis Silkin in London.

A serious breach of the rules could result in a fine of up to 4% of annual global turnover or €20 million (whichever is greater). However, companies can be fined up to 2% for not having their records in order, not notifying about a data breach or not conducting an impact assessment.

Any Asian company actively selling goods or services into the EU, even with no staff and no websites hosted locally, will fall under GDPR and be required to apply those standards to how they treat EU consumer data. The same obviously applies to any company with staff or subsidiaries in Europe.

“Bearing this in mind, the territorial reach is theoretically enormous and EU regulators have shown the willingness in the past to take on companies all over the world,” says Milner-Smith, who warns that compliance cannot be achieved through a quick-fix exercise, but is a long-term change that requires a significant commitment of resources.

The EU rules call for “privacy by design”, which means the inclusion of data protection from the onset of system design, rather than as an addition.

However, the extent of the compliance obligation depends on how deep a company’s nexus to the EU actually is. If a company only has a few staff in the EU, the vast majority of its customers are outside the region and the type of data being processed is low volume or low risk, there might not be too much to worry about.

“Whilst under the letter of the regulation as it stands full compliance is required, such a company can take the decision to adopt a more measured risk-based approach,” says Milner-Smith. “They need to do the major things such as map what EU data they process, ensure privacy notices are up to date, qualify that security meets or surpasses expectations, but it may be an acceptable risk for these companies not to do full granular compliance immediately. This should still be the aim over the next two to five years, however.”

It is a different story for companies with significant EU operations or which process huge volumes of personal or sensitive data, such as anything related to health. Such companies have two months to get up to speed.
