By Nick Ferguson

How important is data privacy? Consider that Facebook’s value dropped more than US$100 billion last week after questions arose about its handling of user data. And it isn’t even clear that the company actually did anything wrong.

The stakes are obviously high for companies such as Facebook, which tread a fine line between respecting their users’ privacy and, at the same time, selling their users’ data to third-party companies. But data privacy is also becoming a very significant issue for all types of companies, even in Asian jurisdictions where regulation or enforcement is lacking.

In May, Europe’s new General Data Protection Regulation (GDPR) will require companies all over the world to comply with EU data privacy laws if they handle the personal data of citizens from the EU.

So how seriously should Asian companies take the new EU rules? “GDPR should appear high on the company’s risk and planning registers, particularly if you consider the potential level of punitive measures available if a breach occurs,” according to Alex Milner-Smith, a managing associate at Lewis Silkin in London.

A serious breach of the rules could result in a fine of up to 4% of annual global turnover or €20 million (whichever is greater). However, companies can be fined up to 2% for not having their records in order, not notifying about a data breach or not conducting an impact assessment.

Any Asian company actively selling goods or services into the EU, even with no staff and no websites hosted locally, will fall under GDPR and be required to apply those standards to how they treat EU consumer data. The same obviously applies to any company with staff or subsidiaries in Europe.

“Bearing this in mind, the territorial reach is theoretically enormous and EU regulators have shown the willingness in the past to take on companies all over the world,” says Milner-Smith, who warns that compliance cannot be achieved through a quick-fix exercise, but is a long-term change that requires a significant commitment of resources.

The EU rules call for “privacy by design”, which means the inclusion of data protection from the onset of system design, rather than as an addition.

However, the extent of the compliance obligation depends on how deep a company’s nexus to the EU actually is. If a company only has a few staff in the EU, the vast majority of its customers are outside the region and the type of data being processed is low volume or low risk, there might not be too much to worry about.

“Whilst under the letter of the regulation as it stands full compliance is required, such a company can take the decision to adopt a more measured risk-based approach,” says Milner-Smith. “They need to do the major things such as map what EU data they process, ensure privacy notices are up to date, qualify that security meets or surpasses expectations, but it may be an acceptable risk for these companies not to do full granular compliance immediately. This should still be the aim over the next two to five years, however.”

It is a different story for companies with significant EU operations or which process huge volumes of personal or sensitive data, such as anything related to health. Such companies have two months to get up to speed.
