Out-Law Analysis
25 May 2023, 7:28 am
The introduction of the General Data Protection Regulation (GDPR) into EU law in 2018 not only had a profound impact on organisations based in Europe – it has shaped data protection practices globally.
In addition to applying directly in EU member states, the GDPR applies to organisations based outside of the EU that nonetheless target services at individuals in the EU based on the processing of their personal data. Five years on from the GDPR coming into effect, we look at the legislation’s impact on businesses and policymaking in Asia Pacific, the Middle East and Africa.
Shanghai-based Leo Xin of Pinsent Masons said the GDPR presented some challenges in China when it first came into effect. He said financial institutions, such as banks, insurers and investment funds, as well as airlines and hotel chains, industrial enterprises, e-commerce platforms and social media companies, are among the Chinese companies most impacted by the GDPR.
Xin said: “When GDPR took effect in 2018, China’s personal data protection regime was not well developed. The focus of the Chinese government at that time was on punishing data-related issues under criminal law. There was no single centralised piece of legislation to regulate data protection and data governance from the perspective of civil and administrative law.”
“In that context, most Chinese companies did not have systemic rules and policies governing data protection. When they faced the requirements of GDPR, they had no local law experiences, and had to build their data protection framework from zero. Data localisation strategies emerged, with some Chinese companies choosing to set up entities in the EU to manage EU data separately from their headquartered company in China,” he said.
The legal framework in China has since changed with the introduction of the Personal Information Protection Law (PIPL). This, according to Xin, requires Chinese companies to consider how to comply with both the PIPL and GDPR.
“Chinese companies need to understand what the differences are between the GDPR and PIPL,” Xin said. “One example is that personal data can be lawfully collected based on ‘legitimate interests’ under the GDPR, whereas this is not possible under the PIPL. Therefore, Chinese companies may need to identify such gaps between the PIPL and GDPR and put additional measures in place to ensure dual compliance.”
Hong Kong-based Jennifer Wu of Pinsent Masons said the GDPR’s impact has been felt in a city that is a renowned financial and business hub, where much of the focus has been on developing advanced technologies and fostering cross-border collaboration – with data at the heart.
“The GDPR has a significant impact on multinational companies in Hong Kong that have customers or employees in the EU, particularly in the technology, telecommunications, financial, hospitality and logistics industries that hire and serve globally,” Wu said. “Such multinational companies deal with vast amounts of personal data ranging from onboarding data for customers to data collected during the life span of the relationship. These companies regularly review and update their privacy policies and practices to comply with the GDPR given their global footprint, on top of the local legislation, to ensure adequate safeguards are in place for their customers and employees in the EU.”
Wu said that many businesses operating globally out of Hong Kong have chosen to adopt the GDPR standard for processing the data of non-EU data subjects.
“This is because the GDPR is widely recognised as a prominent benchmark for data protection, and companies may opt to implement its principles consistently across all regions and jurisdictions as a means of demonstrating their commitment to data privacy,” she said.
Another reason for doing so, according to Wu, is the growing awareness of the public of how companies are using their data.
“Maintaining a transparent data practice and demonstrating compliance with data requirements has become increasingly important for multinational companies in Hong Kong, especially to companies that wish to be seen as socially responsible businesses,” she said.
In Hong Kong, the primary data protection legislation is the Personal Data (Privacy) Ordinance (PDPO). The PDPO is principles-based and provides a comprehensive framework setting out how data users – a term equivalent to data ‘controllers’ under the GDPR – should collect, handle and use personal data. Both the GDPR and PDPO aim to protect individuals' privacy rights, such as data subject access rights, and ensure that their personal data is processed fairly and lawfully.
Wu said: “The GDPR has been a catalyst for privacy law reform worldwide, and Hong Kong is no exception. Following the implementation of GDPR, the Hong Kong authorities have also planned to propose amendments to the local personal data legislation to align it more closely with the EU's data protection standards. The proposed reforms are expected to take shape in the coming years and would include introducing a mandatory data breach notification regime, regulating data retention, and regulating data processors directly, which are absent in the current legislation.”
“By aligning its data protection standards with the GDPR, Hong Kong will be better positioned to engage in international data transfers and promote cross-border data flows while safeguarding the privacy rights of people and businesses in Hong Kong,” she said.
Wu said the impact of the GDPR on business decisions and policy making in Hong Kong also needs to be considered in light of the evolving regulatory requirements across the whole Asia Pacific region, especially given the introduction of the China Personal Information Protection Law.
In Australia, privacy regulations contained in the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles provide protections for the personal information of Australians.
Melbourne-based Lisa Meyer of Pinsent Masons said that compliance with the GDPR can help businesses meet their legal obligations in respect of personal data in Australia – despite there being significant differences between the two regimes.
“Australian businesses and organisations who are captured by, and compliant with, the GDPR can take some comfort in the fact that by complying with the higher standards required by the GDPR they will be compliant with the majority of the requirements imposed by the Privacy Act, and that minimal work would be involved in bridging any gaps between the two regimes,” Meyer said.
The most notable difference between the GDPR and the Privacy Act is the scope of their application, according to Meyer.
“While the Privacy Act only applies to specific entities that are either located in, or have a link to, Australia, such as certain foreign entities operating a business in Australia, the GDPR applies to any entity that collects information from, or monitors the behaviour of, individuals in the EU, regardless of whether that entity operates or is located in the EU,” she said.
There are further notable differences between the requirements around consent to the collection of personal data under the GDPR and the Privacy Act, she said.
“Under the GDPR, consent must be informed, express, specific, and given freely. This requires individuals to consent to the collection of their personal data through a clear affirmative action or statement and for entities to be able to demonstrate that the specific individual consent has been obtained and provide evidence to that effect, if requested by an individual,” Meyer said. “In contrast, consent under the Privacy Act can be express or implied consent, so long as the individual has the capacity to understand and communicate the consent and is adequately informed before giving the consent, and the consent is current and specific, and given voluntarily.”
Meyer said that the rights data subjects are given under the GDPR, which enable them to exercise a degree of control over their personal data, are not reflected to the same extent in Australia’s Privacy Act. These rights include the right for individuals to request that their data be deleted or transferred to another entity and the right to object, at any time, to the processing of their personal data.
However, Meyer said there are some similarities between the Privacy Act and GDPR. For example, she said both provide broad definitions for ‘personal information’ and ‘personal data’ which capture a wide range of data types and information that can be used to identify an individual, and both also require relevant entities to provide individuals with a clear and concise overview as to how their personal information or personal data will be used.
Both the GDPR and Australian Privacy Act also require entities to implement appropriate technical and organisational measures to ensure that any personal information or personal data is kept secure and impose specific reporting obligations in the event of a data breach, though she highlighted differences between the reporting regimes.
Meyer said: “Under the GDPR, entities have a maximum of 72 hours to initially report a notifiable data breach to the relevant authorities and must further notify affected individuals without undue delay. Under the Privacy Act, Australian entities are only required to report eligible data breaches as soon as practicable after becoming aware of the breach. In addition, under the GDPR, a notifiable data breach is one that is likely to risk the rights and freedoms of an individual, whereas under the Privacy Act an eligible data breach is one that is likely to result in serious harm to a person to whom the information relates.”
Dubai-based Martin Hayward of Pinsent Masons said the GDPR has been the model adopted across the Middle East and North Africa for new data protection laws.
“From Egypt to Oman, we have seen new data protection laws reflecting, often substantially, the concepts set out in the GDPR,” said Hayward. “Familiar to international businesses coming into the Middle East, the adoption of GDPR-style data protection laws has helped new entrants to the Middle East market effectively navigate the data protection regulatory landscape.”
According to Hayward, regulators have so far played an important role in ensuring data protection legislation introduced in the Middle East is implemented in a way that aligns with the GDPR standards multinational businesses recognise and understand.
“We have seen how effective data protection regulators in the Dubai International Financial Centre (DIFC), Abu Dhabi Global Market (ADGM) and Qatar Financial Centre (QFC) have been in implementing data protection laws closely aligned to the GDPR, balancing the need to right-size data protection laws in a region relatively new to privacy legislation with ensuring that the key benefits of global data protection best practice are realised with a blend of awareness raising and a positive approach to enforcement,” Hayward said.
“As new data protection laws are implemented in countries such as the UAE, Saudi Arabia, Egypt and Oman, and new data protection regulators are established, it is important to ensure that this balance between fit-for-purpose regional laws and the adoption, as appropriate, of best-in-class global data protection laws continues,” he said.
Hayward said that one aspect of the GDPR that has benefited businesses in the EU has been its regional application. This, he said, has allowed “the effective, and protected, cross-border flow of personal data”. He said a similar data transfer framework spanning the Middle East and North Africa would be welcome.
“In a heavily interconnected region, but one characterised by distinctly national data protection laws, the need for some form of regional equivalency or overarching data protection regulatory regime is becoming increasingly important,” Hayward said.
The proliferation of new data protection legislation in the Middle East and North Africa in recent times has spurred increased awareness among businesses of their obligations under the GDPR, according to Hayward.
“Whilst many global Middle East businesses, particularly in the aviation, hospitality and financial services sectors, with global operations, quickly identified the applicability of GDPR to their global operations, many Middle East businesses are just beginning to recognise the extra-territorial reach of GDPR,” he said.
Reuben Cronjé of Pinsent Masons in Johannesburg said the GDPR has served as an international benchmark by which African policymakers have been able to measure and develop data protection and privacy legislation of their own.
Recent examples of the GDPR’s influence on data protection policy include Tanzania and Eswatini, where new data protection regulations were introduced in 2022. Cronjé said both sets of regulations reflect general data processing principles contained in the GDPR, such as the lawfulness and fairness of processing, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
Cronjé said countries such as Rwanda, Uganda and Nigeria have also taken inspiration from the GDPR and enacted legislation that captures the core GDPR principles and follows a substantially similar framework. However, he said there are some notable differences.
“In respect of the Ugandan privacy law, its major difference when compared to the GDPR is the absence of legitimate interest as a legal basis for processing data,” Cronjé said. “In terms of the Nigerian Data Protection Regulation, it is not as comprehensive as GDPR and the requirements for filing data audit reports on an annual basis if certain processing thresholds are met differ from those requirements included in GDPR.”
South Africa, Ghana, Kenya and Mauritius were among the African countries that had data protection legislation in place prior to the GDPR taking effect. Cronjé said most of those countries modelled their legislation around the GDPR’s predecessor, the EU Data Protection Directive 1995, and that therefore there are some similarities between the respective regimes.
Looking specifically at how the Protection of Personal Information Act (POPIA) in South Africa compares to the GDPR, Cronjé said: “There are many similar concepts regarding the protection of personal data. These include that the legal grounds for data processing are similar – consent, legitimate interest, information quality etc. Additionally, data subjects under both regulations are entitled to exercise specific rights in relation to the processing of their data and both regulations impose fines on the controller/responsible party who infringes one or more of the requirements contained in the respective regulations.”
However, he also highlighted differences between POPIA and the GDPR in respect of the appointment of a person responsible for data protection, right to data portability, pseudonymisation, and the restrictions on cross-border transfers of personal data.
“It is clear that several African countries have taken inspiration from the GDPR and have to some extent aligned their legislation accordingly,” Cronjé said. “This alignment has significant benefits to the African economy. It will allow for African businesses to thrive under adequate data protection and privacy laws on par with international standards. It will also help those businesses to expand into the EU market in future – this is because their existing familiarity with their local data protection laws would make it easier for them to meet their obligations under the GDPR. By the same token, EU businesses wishing to expand into these African jurisdictions would not experience major difficulty in complying with the respective data protection and privacy laws – which can only encourage EU businesses to expand into Africa.”
Cronjé said, however, that there are still barriers to the free flow of data between Africa and the EU which represent a constraint on trade.
“The European Commission is yet to issue an ‘adequacy decision’ in respect of an African country regarding whether or not it provides an adequate level of protection of personal data,” he said. “Should such a decision materialise, it would allow personal data to flow freely between the relevant African countries and the EU and enable them to further participate in the global data economy.”