The EU General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018. The Regulation will supersede Directive 95/46/EC. It aims to unify EU data protection legislation and strengthen the EU’s data protection regime to meet the new privacy challenges brought by the development of digital technologies. GDPR will have a significant impact on Chinese enterprises that target the European market. Take the Alibaba Group for example. Alibaba collects a huge amount of electronic data in the EU market through AliExpress and transfers this data to other Alibaba Group related businesses in Alibaba’s e-commerce ecosystem in order to complete transactions or to conduct marketing research. If such practices cross the red line set by GDPR, Alibaba will face major legal, economic and brand challenges.
GDPR sets strict standards for the protection of data subjects in the Union:
Extraterritorial Effect of GDPR
GDPR Article 3 (1): As long as the data controller or processor has an establishment in the EU and the processing of personal data takes place in the context of the activities of that establishment, the data controller or processor shall comply with GDPR, regardless of where the actual processing activities occur.
The term “establishment” should be understood broadly: as long as an entity effectively processes personal data in the context of its business activities, even a Chinese office in the EU market with only one employee can be considered an establishment in this sense.
Moreover, Article 3 (2) provides that a data controller or processor who processes the personal data of data subjects in the Union shall comply with GDPR under two conditions, regardless of whether it has an establishment in the Union. The two conditions are: (1) the offering of goods or services to such data subjects in the EU, irrespective of whether a payment by the data subject is required; (2) the monitoring of users’ behaviour, as long as that behaviour takes place within the EU. This clause is one of the highlights of GDPR and is of great significance for Chinese enterprises, especially Internet companies, which intend to do more business in the EU. Take Alibaba Group for instance: GDPR applies to Alibaba Group if it targets the EU market or monitors EU users’ browsing activities.
Broad Interpretation of Personal Data
GDPR Article 4 provides that personal data is information that either has already identified a natural person or is capable of doing so, directly or indirectly. The Regulation interprets the term “personal data” broadly, and so is broad in what falls within its scope. Take AliExpress for example: not only is transaction information provided by users, such as bank account details, addresses and contact information, considered personal data; Internet data such as IP addresses and device identifiers can also be identified as personal data. To determine whether certain data is identifiable, all the means reasonably likely to be used shall be taken into account, and the data shall not be viewed separately from other data held by the data controller or processor. Moreover, GDPR provides stricter protection for special categories of personal data, such as genetic data and biometric data.
Heavy Legal Obligations Imposed on Data Controller or Processor
GDPR provides the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability for the processing of personal data, and empowers data subjects with the right to information and access, the right to rectification, the right to portability, the right to be forgotten, the right to restriction of processing, the right to restriction of profiling, etc. A data controller or processor shall respect these principles and assist data subjects in exercising their rights. Furthermore, data controllers or processors shall embrace privacy by design, conduct privacy impact assessments, designate data protection officers or representatives and comply with personal data breach notification obligations, in order to reduce the risk of privacy infringement or mitigate the damage caused to data subjects by privacy infringements.
The supervisory authority can decide to investigate a data controller or processor on its own initiative or after receiving a data subject’s complaint, and can decide whether to impose an administrative penalty and the amount of that penalty on a case-by-case basis. Article 83 of GDPR sets different standards for different acts. For example, a data controller or processor who does not adopt proper technical or organisational measures to avoid or lower the risk of privacy infringement shall be fined up to 10,000,000 Euros or 2% of global turnover (whichever is higher); a data controller or processor who violates the basic principles of the processing of personal data or does not safeguard data subjects’ rights shall be fined up to 20,000,000 Euros or 4% of global turnover (whichever is higher). Aside from the supervisory authority, data subjects can also seek judicial remedies against data controllers or data processors and have the right to be compensated.
To better develop the EU market and gain the trust of EU users, Chinese enterprises, including Alibaba Group, should promptly inspect their current practices and business plans, determine whether they fall within the scope of GDPR, and determine whether the data they process is personal data as defined in the Regulation. Compliance with the processing principles, the safeguarding of data subjects’ rights and the fulfilment of obligations can build a privacy-friendly brand for Chinese enterprises and avoid economic loss caused by unlawful acts.
Article 29 Data Protection Working Party, Opinion 8/2010 on applicable law, Adopted on 16 December 2010, at page 11.