Commentary

Enacted on May 25, 2018, the General Data Protection Regulation (GDPR) covers a series of issues, such as personal data protection, balancing the rights of data subjects, management of data controller, and cross-border transfer of personal data. GDPR is commonly viewed as the milestone of global data protection as well as the most stringent personal data protection law in history, posing significant challenges to enterprises in relation to their obligations of personal information protection and data compliance.

Moreover, GDPR may also serve as a touchstone when enterprises compete in the era of big data. With the increasing significance and the blooming commercialization of data resources, attracting users' attention by re-construct privacy protection, improving the mechanism of data flow to build brand reputation, and converting capabilities in personal data protection into core competitiveness to attract and maintain users have become important topics to executives. Furthermore, it is imperative for enterprises to understand the key components of GDPR for the purpose of deploying their data compliance strategies.

From Directive 95/46/EC to GDPR

As part of EU law, GDPR, a regulation, replaces the Data Protection Directive 95/46/EC (Directive 95/46/EC). Compared with the effect of a “Directive”, which may be implemented by each of the EU member states at its sole discretion, GDPR shall directly apply to all member states. Therefore, the enactment of GDPR unifies the personal data protection laws and simplifies the regulatory framework across the EU member states. For multi-national enterprises, the upgrade from “Directive” to “Regulation” helps them reduce the compliance costs caused due to the differences among the laws of various member states, and substantially increases the transparency and legal certainty of the law.

Rather than an all-around protection of personal data rights and heavy penalties imposed on enterprises as believed by many people, in fact, GDPR is committed to balancing the protection of rights and the free flow of personal data, and promoting the development of the industrial economy, especially the data economy.

Therefore, entrepreneurs do not need to focus only on the complexity of the rights of the data subject and the onerous obligations, but should notice that the EU legislators have paid full attention to the balance between the rights of the data subjects and the legitimate rights and interests of other social subjects. GDPR designs many proviso clauses and derogation articles, leaving room for enterprises to pursue legitimate interests. Strategically, entrepreneurs need to give weight to GDPR and personal data protection, while tactically they need to design an effective, balanced data management system to facilitate their company development.

How to Identify the Scope of Personal Data Under GDPR:?

GDPR establishes the general rules for the protection of personal data in the EU. GDPR determines that any information could be personal data if it is related to an “identified” or “identifiable” natural person (i.e. data subject); the information of an identifiable natural person, according to GDPR, means any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Any data based on which any specific natural person can be directly or indirectly identified may fall into the scope of personal data. For example, in some situations, the data subject's IP address generated by connecting to the Internet, device identifier, and even its online browsing history may constitute personal data within the scope of GDPR.

 Application of GDPR: Focuses of Multi-national Enterprises

GDPR aims at regulating an enterprise’s processing of personal data. Data processing, in accordance with Article 4 of GDPR, means various operations on personal data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In this regard, if any enterprise performs any of the above operations in its business activities, such operation may be subject to the relevant rules of GDPR.

Any processing of personal data in the context of the activities of an enterprise establishment in the EU shall be subject to GDPR. It is worth noting that even if such processing takes place outside the EU, the enterprise shall also follow GDPR in order to ensure the compliance of its processing of personal data.

Enterprises not established in the EU are not definitely excluded from the governance of GDPR. In accordance with GDPR, if an enterprise that is set up outside the EU offers data subjects goods or services in the EU, or monitors the data subjects’ behavior which takes place within the EU, such enterprise’s processing of the personal data of such data subjects in the EU shall also be subject to the requirements provided in GDPR.

In practice, a number of multi-national enterprises choose to set up servers outside the EU while offering goods and services to the EU for saving costs and other commercial purposes. In terms of GDPR's jurisdiction, even if an enterprise processes personal data outside the EU, it is still possible that such data processing will be subject to GDPR as long as the enterprise conducts business in the EU or offers goods or services to data subjects in the EU.

Basis of lawfulness of personal data processing

Personal data does not only have significant commercial value, but also involves personal privacy. Therefore, the use and processing of personal data by enterprises must focus on the balance between commercial purposes and protection of personal rights. The “informed consent” of personal data subjects, together with the principles of legality, rightfulness, and necessity understandably becomes important basis of lawfulness for enterprises to collect and use personal data from the perspectives of protecting personal privacy and legitimate rights and interests.

It is also specified in the provisions of GDPR on lawfulness of processing that processing shall be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. However, consent from the data subject is not the only basis of lawfulness. In addition to such consent, GDPR also specifies five other bases of lawfulness, including:

  1. Processing for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  2. Processing for compliance with a legal obligation to which the data controller is subject;
  3. Processing in order to protect the vital interests of the data subject or of another natural person;
  4. Processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; and
  5. Processing for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.[1]

Rights of data subjects: how to balance the interests of enterprises and rights of data subjects

Safeguarding the legitimate rights and interests of data subjects is one of the core elements of GDPR, and an important way to protect personal data. The rights of data subjects under GDPR include rights of access, rights to erasure, rights to rectification, rights to restriction of processing, rights to data portability, rights to withdraw consent, rights to object, and right to not be subject to a decision based solely on automated processing, etc.

From the perspective of protecting data subjects' rights, on the one hand, enterprises are required to establish or improve the mechanism of information interaction with their users. Instead of informing users in an ambiguous way or not informing them at all, enterprises are to inform them with documents such as privacy policy and/or user agreement in clear language of the categories of personal data to be collected and the purposes of such collection. On the other hand, they shall establish a mechanism to respond to the data subjects in terms of their rights to ensure that the legitimate and reasonable rights of the data subjects can be realized.

GDPR designs provisions on severe penalties for infringement of the legal rights of data subjects, so that enterprises in violation of GDPR are not only required to compensate for losses suffered by data subjects, but also may face a fine of up to US $23 million or 4 percent of global turnover in the previous fiscal year (whichever is higher). Notwithstanding the foregoing, enterprises are not required to respond to each and every claim made by data subjects in terms of their right. GDPR provides for a balanced approach in the sense that a balancing between the response by enterprises to the data subjects' claims on the one hand and the normal operation and legitimate and reasonable interests of enterprises on the other hand.

Obligations of data controllers

The statutory obligations of enterprises under GDPR include obligations of notification, notification of a personal data breach to the supervisory authority, records of processing activities, and security of processing, etc. Moreover, GDPR advises enterprises to account for the protection of rights and interests of the data subjects in the design of corporate programs, designate a data protection officer, carry out a data protection impact assessment and consult the supervisory authority prior to processing where there is potential risk.

Given the various obligatory requirements under GDPR, single or separate satisfaction of such requirements will not only increase the cost of corporate compliance, but also fail to effectively protect personal data security. It is much wiser for enterprises to incorporate data compliance into their corporate development strategy, and to build the data management system over the product operation system and/or business service system.

In terms of building the data compliance management system, enterprises are advised to start with the optimization of user interface by perfecting the privacy policy, user agreement, and third-party cooperation agreement, and then further improve the construction of internal systems.

Cross-border transfer of personal data: principles and exceptions

Cross-border transfer of personal data is a not only a key issue in GDPR, but also an issue of most concern by many multi-national and major corporations. GDPR provides many lawful means for cross-border transfer of personal data, such as binding corporate rules, standard contractual clauses, approved codes of conduct and certification mechanism, etc., each of which has its own merits, demerits and conditions. Instead of the specific means for cross-border transfers, enterprises are advised to pay higher attention to the principles and exceptions of cross-border transfer of personal data.

Article 45 of GDPR establishes the general principles of cross-border transfer of personal data, i.e., the personal data transferred to a country or region beyond the EU shall be protected at an adequate level of protection. To a certain extent, the exceptions in cross-border transfer of personal data are not subject to the general principles, but as a result, strict conditions must be satisfied.

The majority of enterprises had been working on data compliance intensely prior to the effectiveness of GDPR. With the GDPR in effect, the enforcement authorities and data subjects will pay more and more attention to the data processing by enterprises. It was reported that many suits and complaints were filed against Facebook and Google on the very first day when GDPR came into effect, accusing them of coercing users into sharing personal data. The case known as "the first case" was filed against Facebook for a fine of US $4.5 billion and against Google for a fine of US $4.3 billion. Public information further shows that some companies including certain US corporations have shut down their business in Europe in response to the GDPR. Nevertheless, it is believed that the inevitable trend that international corporations shall upgrade and develop themselves by implementing data compliance mechanism worldwide and building complete internal data control system in line with the globalization of trade and data flow.