By Christopher & Lee Ong
For organisations based in Europe, and organisations physically located outside of Europe but which conduct business with EU residents, 25 May 2018 signals the privacy “D-Day” as this is the day that the GDPR, otherwise known as the European General Data Protection Regulation, comes into force.
What is the GDPR, and Why Is It a Concern?
The GDPR is Europe’s new overarching framework for data protection, which replaces the previous data protection regime under Directive 95/46/EC. The GDPR is an extensive piece of legislation, containing a total of 99 Articles which set out, amongst others, brand new and/or increased rights of individuals vis-à-vis their personal data, and heighten the obligations of organisations to protect the personal information of data subjects.
These rights and obligations are wide-ranging, and achieving compliance has been and will continue to be an onerous and costly exercise.
Briefly, the GDPR introduces a multitude of new rights for individuals, ranging from the “right to be forgotten” (i.e. the right to require an organisation possessing an individual’s personal data to erase said individual’s personal data from its database and systems), to the right to request that the personal data held by one organisation be securely transmitted to another organisation (formally known as the “right to data portability”) at the point of switching services. Organisations are also subject to new compliance requirements, such as the requirement to report the occurrence of a data breach to supervisory authorities within 72 hours from becoming aware of the data breach. Another major change brought about by the GDPR is the greatly increased obligations on data processors¹, as the GDPR places direct obligations on data processors for the first time, such as the right of data subjects to enforce their rights under the GDPR directly against data processors.
However, the greatest factor causing organisations to sit up and consider GDPR compliance as a priority is the increased maximum fines for non-compliance. The maximum fine is an incredible €20 million (approximately USD 24 million), or 4% of the total worldwide annual turnover of the preceding financial year for an organisation, whichever is higher. The sheer sum that can be imposed in fines for non-compliance with the GDPR is surprising in itself, but the biggest change brought about by the GDPR as compared to the previous regime pursuant to Directive 95/46/EC, and the principal cause of concern to Malaysian organisations, is the increased territorial scope of the GDPR. In certain circumstances, the GDPR would cause Malaysian organisations to fall within its ambit, irrespective of the fact that they have no presence within Europe whatsoever.
Under Article 3 of the GDPR, the GDPR applies to organisations that process personal data in any of the following scenarios:
- Where an organisation is established in the EU, and is engaged in the processing of personal data (irrespective of whether the processing is done in the capacity of the organisation as a controller² or a processor³) in the context of that establishment’s activity, even if the processing itself takes place outside the EU;
- Where an organisation is not established in the EU but the organisation processes personal data of EU data subjects (irrespective of whether the processing is done in the capacity of a controller or a processor), and the data relates to goods or services offered to EU data subjects or the monitoring of behaviour in the EU; or
- Where an organisation is not established in the EU, but the organisation is a controller that is established in a place where Member State law applies by virtue of public international law.
Based on Article 3(2), it would seem that the applicability of the GDPR has been extended to organisations established outside the EU, with no physical presence in the EU whatsoever, so long as such an organisation processes personal data of EU residents. In other words, an organisation established in Malaysia with no branches, offices, or personnel based in or operating in the EU may be subject to the GDPR and the onerous compliance requirements attached to it, and subject to potentially massive penalties for a failure to comply.
This article will briefly examine Article 3, to consider how and to what extent the GDPR applies to Malaysian organisations. Before this, there is an important question to consider: Why has the EU gone to such lengths to protect the privacy of individuals? And the bigger question – how did it all begin?
History of Data Protection
There are historical explanations dating back to World War II which consolidate the belief that privacy merits special protection under law. In the 1930s, the Nazi regime required citizens to identify themselves by information such as religious affiliation and race in a National Census. Ultimately, the data from this National Census was used to identify and persecute Jews, and people saw the destructive power that information could have in the wrong hands, and how, if left unchecked, information gathered for one purpose could be re-used for purposes that dehumanised individuals and ultimately led to the genocide of millions of Europeans.
The horrors of World War II left a deep mark on German citizens, and ultimately led to Germany’s adoption of the world’s first data protection act in the 1970s. In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organisation for Economic Cooperation and Development (OECD) issued recommendations, or principles, for the protection of personal data. Thereafter, these recommendations were adopted by the European Union, expanded, and took the form of Directive 95/46/EC, which was issued in 1995.
Since then, many countries have rolled out data protection laws, including Malaysia’s own Personal Data Protection Act 2010 (PDPA), which by and large are based on the data protection principles in Directive 95/46/EC.
Looking back, it needs to be recognised that Directive 95/46/EC was adopted at a time when the internet was in its infancy and the world had yet to be exposed to the advent of social media networks such as Facebook, SnapChat and Instagram. Beginning in 2011, EU authorities felt that the Directive was not adequate to cope with new privacy challenges arising from developments in technology, and the changing ways in which personal data is used in the digital era. After a four-year preparation and review process, with more than 4,000 amendments, the GDPR was born.
The Regulation was published in the Official Journal of the European Union on 4 May 2016 with a scheduled coming into force date of 25 May 2018, which afforded organisations a two-year buffer period to pursue compliance.
Rights and Obligations Under the GDPR
To address the new and ever-changing ways in which personal data is used, the GDPR not only strengthens the already existing privacy rights of individuals, but also introduces new privacy rights. These include:⁴
- Right to be forgotten (Article 17) – as explained earlier in this article, this refers to the right of an individual to require an organisation holding that individual’s personal data to erase the said personal data from the organisation’s systems and databases without undue delay in the event that one of the qualifying circumstances in Article 17 applies, e.g. the personal data is no longer necessary in relation to the purpose for which it was collected or processed, the individual has withdrawn his consent to the processing of his personal data, or the personal data was processed unlawfully, etc.
- Obligation to notify personal data breaches to supervisory authority (Article 33) – where an organisation experiences a personal data breach, it is required by the GDPR to notify the relevant supervisory authority of the breach without undue delay, and in any event no later than 72 hours after becoming aware of the breach. On this development, do note that non-EU jurisdictions such as Singapore, Australia and Canada have also passed or are in the process of passing similar legislation which requires data breaches to be reported to supervising regulators.
- Obligation to conduct data protection impact assessments (Article 35) – This refers to processing which is likely to result in a high risk to the rights and freedoms of individuals, in particular processing which is done using new technologies. In such situations, before a controller is permitted to commence processing, the controller is required to carry out a data protection impact assessment to determine the impact of the envisaged processing operation on the protection of personal data. The organisation is required to seek the advice of the organisation’s data protection officer when conducting the data protection impact assessment. In the event that a data protection impact assessment indicates that processing would result in a high risk to the rights and freedoms of individuals in the absence of measures taken to mitigate such risks, the controller will be required to consult the supervisory authority prior to commencing the processing (Article 36).
- Obligation to appoint data protection officer (Article 37) – Both controllers and processors who are subject to the GDPR are required to appoint a data protection officer if the controller or processor in question is either (i) a public authority, or (ii) carries out certain types of processing activities identified in the GDPR, e.g. where the core activities of the organisation involve processing operations which require regular and systematic monitoring of data subjects on a large scale, or where special categories of personal data or personal data relating to criminal convictions and offences are processed on a large scale.
Will the GDPR Apply to Malaysian Organisations?
The wording of Article 3(1) suggests that the EU offices of Malaysian organisations with any EU presence whatsoever will be subject to the GDPR, irrespective of whether the organisation has full-service offices in the EU or, conversely, only an EU branch or representative office with one or two sales personnel.
The position is less clear under Article 3(2). Article 3(2) extends the ambit of the GDPR to organisations established outside of the EU, where an organisation processes personal data of EU data subjects who are physically situated in the EU, in certain scenarios, namely where (i) data of EU residents is processed and the data relates to goods or services offered to EU data subjects; or (ii) the behaviour of data subjects in EU is monitored.
1. Offering of goods or services
Recital 23 of the GDPR clarifies that in determining whether goods or services are offered to data subjects in the EU, authorities will consider whether the organisation “envisages” offering goods or services to data subjects in the EU. The GDPR provides examples of the factors that will be taken into account when making this determination.
Mere accessibility of an organisation’s website from the EU, or the use of a language which is generally used in the country in which the organisation is established, would not be sufficient to conclude that an organisation has envisaged offering goods or services to residents in the EU. On the other hand, using a language or currency generally used in the EU, providing users in the EU with the possibility of ordering goods and services in that language, and mentioning customers or users who are in the EU, would suggest such an intention.
2. Monitoring behaviour of data subjects in the EU
Recital 24 of the GDPR provides that in determining whether a processing activity can be considered as monitoring the behaviour of data subjects, authorities will consider whether individuals are tracked on the internet, or subject to data processing techniques such as profiling, to analyse or predict personal preferences of the individual, his/her behaviours and attitudes, or to take decisions concerning the individual.
Needless to say, other than for organisations that fall squarely within the examples provided in the GDPR, the formulations currently provided in the GDPR are not specific or clear enough to aid organisations in coming to a decision as to whether they fall within the ambit of the GDPR and unfortunately leave much to interpretation.
Examples of scenarios that organisations find themselves in that do not fall squarely within the examples provided in the GDPR:
- An organisation with its HQ in Malaysia and offices in various countries (including an EU office) utilises a database which is located in Malaysia. Some of the records in the database are from the EU office and contain the personal data of EU residents. Would the presence of EU data in the shared database subject all non-EU offices to the GDPR?
- Many organisations offer goods or services to the world at large, without having envisaged or intended for the offer to be specific to customers from the EU. Would the ability of EU residents to accept offers made to the world at large subject the organisation offering goods or services to the GDPR?
- An individual outside the EU instructs his/her local Bank to transfer money to an individual resident in the EU. The bank is required by banking laws to maintain the information (including the name and account number of the EU resident) relating to the transfer. Would the bank as a consequence of retaining the EU resident’s personal data be subject to the GDPR?
- An individual in the EU wishes to trade in securities on the Malaysian stock exchange. As required by securities laws, he/she opens a central depository system (CDS) account together with an account with a securities trading firm in Malaysia. As the details of the EU resident are on the system of the securities trading firm, would the said securities trading firm be required to comply with the GDPR?
There are no clear answers to the above and the best that can be achieved currently is to rely on interpretation in accordance with Article 3(2). Nonetheless, going forward, we expect these issues to become clearer as more guidance is issued by the EU in terms of the tests to be utilised to determine whether a non-EU organisation falls within or outside the ambit of the GDPR.
Malaysian organisations with offices or personnel located in the EU will be subject to the GDPR, and should seek the assistance of EU counsel to conduct a review of their data processing activities in order to (i) ensure that said offices located in the EU fully comply with the GDPR, and (ii) consider how the Malaysian arm of the organisation may be impacted by extension, e.g. where the Malaysian and EU offices share one or more databases that contain the personal data of EU residents.
Malaysian organisations with no presence in the EU but with any sort of exposure to the EU should conduct an audit or review of the data processing activities of the organisation, and consider the factors identified in the Recitals to the GDPR above to assess the risk of EU authorities finding that the organisation is offering goods or services to data subjects in the EU or monitoring the behaviour of EU residents.
Based on this assessment, the organisation should consider whether it will be necessary to consult local and/or EU counsel to provide advice on the next steps to be taken. As at the time of writing, it is unlikely that Malaysian organisations with no EU presence whatsoever will be high on the list of priorities of EU enforcement authorities.
For those Malaysian organisations with no presence in the EU, another point to consider is the likelihood of an enforcement action being brought against them, given the lack of any enforcement mechanism that can be relied upon by EU supervisory authorities. The GDPR attempts to address this conundrum by requiring organisations under Article 3(2) to appoint a representative in the EU, which would enable supervisory authorities to enforce an action for liability against that representative. However, it remains unclear how actions will be taken against organisations that fail to appoint a representative, as well as the types of actions or sanctions that may be carried out against non-EU organisations.
Regardless of the approach decided upon by Malaysian organisations, all Malaysian organisations should have at the forefront of their minds that their journey to data protection compliance is far from over, and with the coming into force of the GDPR, there are very likely more challenges to come in terms of achieving and maintaining compliance with data protection laws.
Just as Directive 95/46/EC has been the basis for data protection legislative activity the world over for the past 20 years, the GDPR will be the new benchmark for data protection legislation going forward.
¹ A “Processor” or “Data Processor” is defined in Article 4 of the GDPR as meaning a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
² A “Controller” or “Data Controller” is defined in Article 4 of the GDPR as meaning the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
³ See footnote 1.
⁴ Please refer to Chapters III and IV of the GDPR for a full list of the rights of data subjects and obligations of organisations.