The European Union's New Data Protection Regulation and China
Adopted by the European Parliament two years ago (April 2016), the General Data Protection Regulation (“GDPR”) will apply from May 25, 2018. From that date the protection of personal data in the EU reaches a new level of strictness, both in how it operates and in whom it covers.
The GDPR consists of 11 chapters and 99 articles; the following articles deserve special attention:
Article 3 -“Territorial scope”:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
This means that enterprises and other institutions with no establishment in the EU must still comply with the GDPR as soon as they process the personal data of a data subject who is in the EU in the course of offering goods or services (whether paid for or not), or as soon as they monitor that data subject's behaviour where it takes place within the EU.
Article 6 -“Lawfulness of processing”:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
This means that whoever processes personal data (e.g. an enterprise or institution acting as controller) must be able to point to at least one of the legal bases listed above for each processing purpose; without one, the processing is unlawful.
Article 8 - “Conditions applicable to child's consent in relation to information society services”:
Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility for the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
This means that where consent under Article 6(1)(a) is the legal basis and an information society service is offered directly to a child under 16, consent must be given or authorised by the holder of parental responsibility for that child. Member States may lower this age threshold by national law, but not below 13. Processing entities therefore have to comply not only with the GDPR itself but also with any adjustment of the age threshold made by the individual EU Member States in which their users are located.
Article 9 - “Processing of special categories of personal data”:
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
This is the general rule of Article 9(1); Article 9(2) sets out the exhaustive list of exceptions under which such data may nevertheless be processed (for example, the explicit consent of the data subject), so an entity handling these categories must be able to rely on one of them.
Article 83 - “General conditions for imposing administrative fines”:
For infringements of the obligations listed in Article 83(4) (such as those of controllers and processors under Articles 8, 11, 25 to 39, 42 and 43), the infringer may “be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”.
For infringements of the provisions listed in Article 83(5) (including the basic principles for processing and the conditions for consent under Articles 5, 6, 7 and 9, the rights of data subjects under Articles 12 to 22, and the rules on international transfers under Articles 44 to 49), the infringer may “be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”.
In addition to the articles above, the provisions on the right to erasure (“right to be forgotten”, Article 17) and the right to data portability (Article 20) also deserve attention.
As a Regulation, the GDPR is directly applicable in all EU Member States without national transposition, giving the EU one unified set of rules. By contrast, China currently has no law dedicated specifically to the protection of personal data. China has, however, established a basic framework of data protection through provisions in other laws and measures, such as the National Security Law, the Cyber Security Law and the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad. Those laws and the related national standards lay down basic principles of personal information protection, such as storing data within China and obtaining consent.
The GDPR is also the strictest data protection law to date, not only because it raises the level of protection of personal data by introducing detailed principles, rights and obligations (e.g. the right to be forgotten and the right to data portability) together with severe penalties, but also because the scope of those who must comply extends to entities outside the EU. Given the rapid growth of e-commerce, which ignores geographical boundaries, any enterprise or institution, regardless of its physical location, may become liable under the GDPR if it meets the conditions of Article 3 described above. Chinese enterprises will therefore be subject to the GDPR as soon as they provide products or services (free or paid) to a data subject in the EU, or monitor a data subject in the EU (e.g. by collecting users' data for analysis), even though they have no establishment in the EU. Chinese enterprises, especially those engaged in any form of e-commerce or online data collection and processing, must therefore adjust their practices to comply with the GDPR; otherwise they face the possibility of large fines.
ABOUT THE AUTHOR: Fei Dang and Matthew Murphy
Matthew Murphy and Fei Dang are with the MMLC Group.
Copyright MMLC Group
More information from MMLC Group
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.