Greetings from Portsmouth, New Hampshire,
OK, back from Hong Kong. And I want to answer a question I heard any number of times while in Asia: Will European regulators really enforce the EU General Data Protection Regulation outside of their jurisdictions? Does the GDPR really present a compliance risk if you’re not in the EU?
In short: “Yes.”
That’s my conclusion after listening in on the Hong Kong KnowledgeNet co-hosted by Norton Rose Fulbright and Bird & Bird. The key consideration, said Marcus Evans, a partner at Norton Rose Fulbright, is where enforcement pressure might come from. Should you experience a breach and European personal data is involved, “the EU regulator will be coordinating with the local regulator here in Asia, and that’s where the enforcement is going to come from.”
Whether via the Global Privacy Enforcement Network or simply through relationship-building among regulators, they are becoming more likely to work together on enforcement efforts, as we saw in the Ashley Madison breach case.
Further, what European controllers expect of Asian processors, Asian processors will need to demand from their own vendors. Asian firms should expect extra scrutiny of their subcontractors from their European business partners and to either lose business or be subject to onerous auditing if they can’t produce the proper paperwork.
“You’ve just struck fear into the hearts of everyone who does contracting in Asia,” joked fellow Norton Rose Fulbright partner Anna Gamvros, CIPP/A, CIPT, FIP.
For her part, Gamvros noted that Asian firms looking to do business with European consumers are going to be faced with a dilemma in terms of their privacy notice. As Europeans will expect a notice that delineates their rights, the contact information of the DPO and so on, local Asian customers might rightly wonder what that’s all about.
Will firms start geofencing their sites so that different notices are shown to different customers? How many relatively small companies are likely to be able to do that?
Further, how likely are Asian firms to appoint a representative in Europe or to develop a register of data processing activities and procedures for the right to be forgotten and data portability?
Evans predicted it will become more likely if the absence of those measures starts triggering consumer complaints. Brazen? Risk-averse? How seriously Asian firms end up taking the GDPR will depend ultimately on both their appetite for regulatory risk and the value they place on their European business partners.
And, of course, everyone in Asia will be watching for that first regulatory reach beyond European borders.