Data privacy law is going global. Well not quite. But having passed the first anniversary of the General Data Protection Regulation 2016/679 (GDPR) coming into effect in several EU member states, its success is being reflected in similarly strong data privacy laws in other countries. The California Consumer Privacy Act (CCPA) is a good example. There is also new legislation in Brazil and Kenya. Japan’s data privacy law pre-dated the GDPR by a year.
The GDPR is widely recognised as the “gold-standard” of privacy law. Non-EU businesses are aware that they are subject to the GDPR’s provisions if they offer goods and services to, or monitor the behaviour of persons located in the EU.
GDPR General Advice
- Guidelines on the territorial scope of the GDPR were issued by the European Data Protection Board (EDPB) in November 2018. These should be considered carefully if there is external processing of personal data of persons located in the EU.
- The GDPR applies to non-EU entities if they fulfil the criteria for having an “establishment” in the EU, even if they are primarily located elsewhere.
- If an organisation has no confirmed “establishment” but is targeting EU situated individuals, it must appoint a representative to deal with all GDPR compliance issues.
- Relevant organisations should ensure that privacy policies reflect the GDPR, as well as local privacy laws.
- If the UK is relevant to data processing activities, organisations must keep under review the issues that arise if the UK leaves the EU on a “no deal” basis.
Here at Barlow Robbins LLP, we have recently advised US and Far East clients which process the data of EU residents in order to provide services to them. In neither case had they appointed an EU representative as specified in the legislation, although in the US example a representative was processing some of the data in the UK and elsewhere.
Our work for these clients related to issues such as obtaining effective consent to process the personal data of children, contract data sharing and export, joint control of data by entities in multiple non-EU jurisdictions (including the effect of Singapore’s Personal Data Protection Act 2012) and the structuring of suitable privacy policies taking all issues into account.
Laurie Heizler, Of Counsel – Intellectual Property, Technology & Media, Barlow Robbins LLP, Guildford, Surrey UK
Read the article on our web page.