EU General Data Protection Regulation – The Broad Territorial Scope

31-May-2018 EU General Data Protection Regulation – The Broad Territorial Scope
Today’s technological environment poses risks and challenges to the protection of an individual’s privacy rights. The European Union has recognised this and in response has implemented the General Data Protection Regulation (‘GDPR’) which will come into effect on 25 May 2018. 

The Broad Territorial Scope:
Although implemented and governed by the European Union, the GDPR has a “broad territorial scope”, the effect of which is that it will generally apply to any business, anywhere in the world, that operates in the European Union or has customers in the European Union. 

More specifically, foreign businesses which meet any of the following criteria will be required to comply with the GDPR: 

1. Any foreign business that operates a branch or subsidiary in the European Union which processes personal data, regardless whether or not the processing actually takes place in the European Union; or 

2. Any foreign business that processes personal data of any person who is in the European Union, where the processing relates to: 

       (a) Offering goods and services to any such person in the European Union, regardless whether or not any payment is required; or 
       (b) The monitoring of any such person’s behaviour to the extent that their behaviour takes place within the European Union. 

‘Personal data’ is broadly defined as ‘any information relating to an identified or identifiable natural person’. 

‘Processing’ includes collection, recording, organisation, storage, alteration, retrieval, use, disclosure, erasure or destruction. 

 A key intent behind the GDPR is to protect members of the European Union on a global scale. It is likely that many New Zealand businesses will be captured by the GDPR, regardless of the size of their business or scale of their operations.         Compliance is mandatory. Businesses face fines of up to €20 million or 4% of their total worldwide annual turnover for non-compliance, as well as civil liability claims by any individual affected by non-compliance. 

Impact on New Zealand Businesses:
New Zealand’s privacy laws are considered to of a very high standard. Many of the requirements under the GDPR are therefore consistent with New Zealand’s current privacy laws. Compliance with New Zealand’s privacy laws will therefore inadvertently mean compliance with the GDPR in many respects, however not entirely. There will be additional compliance measures needed, notably in relation to consent requirements, reporting processes and the need to designate a representative in the European Union. 

The following is a summary of some of the key requirements and aspects of the GDPR: 

1. Personal data can only be processed if and to the extent that at least one of the following apply: 

(a) The individual has given their consent; 
(b) It is necessary for compliance with a legal obligation; 
(c) It is necessary to protect the vital interests of the individual or another natural person; 
(d) It is necessary in the public interests or in the exercise of official authority; 
(e) It is necessary for the purposes of a business’ legitimate interests (which the processing to be consistent with, and limited to, the individual’s reasonable expectations).  

2. Where consent is given: 

(a) A business must be able to demonstrate that an individual has given consent. It has been suggested that silence or inactivity will not be a valid form of consent, but instead there must be a clear statement made or affirmative action taken by the individual. 
(b) An individual must be able to easily withdraw their consent at any time, and the individual must be informed of this right before giving consent. 

3. Where consent is required from an individual less than 16 years of age, consent is to be provided by their parent or legal guardian, and a business must make ‘reasonable efforts’ to verify such consent. 

4. Processing of sensitive information, such as an individual’s race, political opinions, religious beliefs, trade union membership, health or sexual orientation is generally prohibited without the individual’s explicit consent. 

5. Processing (which includes storage and disclosure) must be consistent with the purpose in which in the personal data was collected. 

6. While not a requirement, the GDPR encourages businesses to implement data protection measures such as ‘pseudonymisation’. 

7. Individuals have the right to: 

(a) Access their personal data; 
(b) Restrict the processing of their personal data;
(c) Request the erasure or transfer of their personal data; and
(d) Object to their personal data being used for profiling or marketing purposes. 

8. Where a foreign business is captured by the GDPR because they process personal data of any person who is in the European Union, they must designate a representative in the European Union to represent them with regard to their obligations under the GDPR. There is an exception to this requirement where: 

(a) A business only occasionally processes personal data; 
(b) A business does not process sensitive information (as described above) or information relating to criminal offences on a large scale; and
(c) The processing is unlikely to result in a risk to the rights and freedoms of natural persons.  

9. A business (and where applicable, their European Union representative) must maintain records of processing activities. 

10. A personal data breach must be reported: 

(a)    To the supervisory authority in the European Union without undue delay, but in any case, within 72 hours of becoming aware of the breach. There is an exception where the breach is unlikely to result in a risk to the rights and freedoms of  natural persons. 
(b) To the individual without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons. 

11. Some businesses will need to designate a specialist data protection officer. Generally this is where the core activities of a business consist of large scale processing operations. 

12.   Personal data cannot be transferred from the European Union to a country outside of the European Union without appropriate safeguards, this includes where information is transferred within an organisation. There is however an exception where the European Commission has recognised that a country has an ‘adequate level of protection’. New Zealand is amongst the few countries that have been recognised as having an adequate level of protection.

Next Steps:
The first step for any business should be to determine whether or not they are captured by the GDPR. If so, necessary measures need to be assessed and implemented by 25 May 2018. 

It is likely that measures and processes will be adapted in time as uncertainties with respect to application of the GDPR become clearer in time. For now, compliance is expected and is in fact mandatory on a global scale by 25 May 2018, and from a practical perspective, New Zealand businesses will likely feel the effect of the GDPR in their relations with other foreign businesses as they seek to ensure their own compliance with the GDPR. 
Should you require any assistance or further information, please contact: 

Nick Lovegrove

Direct Dial:    09 3003776

Mobile:         021 711-997