By Nick Ferguson

How important is data privacy? Consider that Facebook’s value dropped more than US$100 billion last week after questions arose about its handling of user data. And it isn’t even clear that the company actually did anything wrong.

The stakes are obviously high for companies such as Facebook, which tread a fine line between respecting their users’ privacy and, at the same time, selling their users’ data to third-party companies. But data privacy is also becoming a very significant issue for all types of companies, even in Asian jurisdictions where regulation or enforcement is lacking.

In May, Europe’s new General Data Protection Regulation (GDPR) will require companies all over the world to comply with EU data privacy laws if they handle the personal data of citizens from the EU.

So how seriously should Asian companies take the new EU rules? “GDPR should appear high on the company’s risk and planning registers, particularly if you consider the potential level of punitive measures available if a breach occurs,” according to Alex Milner-Smith, a managing associate at Lewis Silkin in London.

A serious breach of the rules could result in a fine of up to 4% of annual global turnover or €20 million (whichever is greater). However, companies can be fined up to 2% for not having their records in order, not notifying about a data breach or not conducting an impact assessment.

Any Asian company actively selling goods or services into the EU, even with no staff and no websites hosted locally, will fall under GDPR and be required to apply those standards to how they treat EU consumer data. The same obviously applies to any company with staff or subsidiaries in Europe.

“Bearing this in mind, the territorial reach is theoretically enormous and EU regulators have shown the willingness in the past to take on companies all over the world,” says Milner-Smith, who warns that compliance cannot be achieved through a quick-fix exercise, but is a long-term change that requires a significant commitment of resources.

The EU rules call for “privacy by design”, which means the inclusion of data protection from the onset of system design, rather than as an addition.

However, the extent of the compliance obligation depends on how deep a company’s nexus to the EU actually is. If a company only has a few staff in the EU, the vast majority of its customers are outside the region and the type of data being processed is low volume or low risk, there might not be too much to worry about.

“Whilst under the letter of the regulation as it stands full compliance is required, such a company can take the decision to adopt a more measured risk-based approach,” says Milner-Smith. “They need to do the major things such as map what EU data they process, ensure privacy notices are up to date, qualify that security meets or surpasses expectations, but it may be an acceptable risk for these companies not to do full granular compliance immediately. This should still be the aim over the next two to five years, however.”

It is a different story for companies with significant EU operations or which process huge volumes of personal or sensitive data, such as anything related to health. Such companies have two months to get up to speed.
