By Nick Ferguson

How important is data privacy? Consider that Facebook’s value dropped more than US$100 billion last week after questions arose about its handling of user data. And it isn’t even clear that the company actually did anything wrong.

The stakes are obviously high for companies such as Facebook, which tread a fine line between respecting their users’ privacy and, at the same time, selling their users’ data to third-party companies. But data privacy is also becoming a very significant issue for all types of companies, even in Asian jurisdictions where regulation or enforcement is lacking.

In May, Europe’s new General Data Protection Regulation (GDPR) will require companies all over the world to comply with EU data privacy laws if they handle the personal data of citizens from the EU.

So how seriously should Asian companies take the new EU rules? “GDPR should appear high on the company’s risk and planning registers, particularly if you consider the potential level of punitive measures available if a breach occurs,” according to Alex Milner-Smith, a managing associate at Lewis Silkin in London.

A serious breach of the rules could result in a fine of up to 4% of annual global turnover or €20 million (whichever is greater). However, companies can be fined up to 2% for not having their records in order, not notifying about a data breach or not conducting an impact assessment.

Any Asian company actively selling goods or services into the EU, even with no staff and no websites hosted locally, will fall under GDPR and be required to apply those standards to how they treat EU consumer data. The same obviously applies to any company with staff or subsidiaries in Europe.

“Bearing this in mind, the territorial reach is theoretically enormous and EU regulators have shown the willingness in the past to take on companies all over the world,” says Milner-Smith, who warns that compliance cannot be achieved through a quick-fix exercise, but is a long-term change that requires a significant commitment of resources.

The EU rules call for “privacy by design”, which means building data protection in from the outset of system design, rather than adding it afterwards.

However, the extent of the compliance obligation depends on how deep a company’s nexus to the EU actually is. If a company only has a few staff in the EU, the vast majority of its customers are outside the region and the type of data being processed is low volume or low risk, there might not be too much to worry about.

“Whilst under the letter of the regulation as it stands full compliance is required, such a company can take the decision to adopt a more measured risk-based approach,” says Milner-Smith. “They need to do the major things such as map what EU data they process, ensure privacy notices are up to date, qualify that security meets or surpasses expectations, but it may be an acceptable risk for these companies not to do full granular compliance immediately. This should still be the aim over the next two to five years, however.”

It is a different story for companies with significant EU operations or which process huge volumes of personal or sensitive data, such as anything related to health. Such companies have two months to get up to speed.
