ECCT Technology Committee Lunch 

New European data protection rules
Compliance requirements and implications for business

On 25 May 2018 the European Union will implement the General Data Protection Regulation (GDPR), designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organisations across the region approach data privacy. Since the ability to transmit data across borders is critical to the operations of any company with an international presence, businesses across Europe are scrambling to complete compliance procedures ahead of the deadline. Meanwhile, many companies overseas that handle the data of European Union citizens may not even be fully aware of their obligations and risk violating the law. This may have serious implications given the steep penalties that may be imposed for violations. At this event our speaker will outline the main provisions of the GDPR and the implications for businesses operating in Taiwan. She will also offer suggestions on GDPR compliance for Taiwanese companies with branches in Europe and for the Taiwan government (in terms of regulation and certification). The event will be of interest to all members in the technology, financial and other service industry sectors that deal with personal data.

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. EU authorities have made the case that stronger rules on data protection will mean that people will have more control over their personal data and businesses will benefit from a level playing field.

The biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company's location. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.

Organizations in breach of GDPR may be fined up to 4% of their annual global turnover or €20 million (whichever is greater). The rules apply to both controllers and processors, meaning that 'clouds' will not be exempt from GDPR enforcement.

Under the GDPR, the conditions for consent have been strengthened and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily-accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. These are just some of the many changes to European data protection rules that will have an impact on a large range of businesses in the service industry. ?

About the speaker
Joel Cheang is a Managing Associate technology and privacy lawyer for Linklaters Asia, based in Singapore. He has been actively involved in data privacy regulation since the Singapore Personal Data Protection Act's inception in 2012, and has particular experience in dealing with complex privacy issues concerning the cross-border transfer of data, employment-related privacy issues and cybersecurity and data breach management. He has also been appointed to the Panel of Lawyers under the Law Society of Singapore's PDPA Legal Advice Scheme. His recent experience includes advising several Asian-based businesses on the applicability of the General Data Protection Regulation to their business operations, and taking a lead role in advising a global technology business on regulatory investigations in relation to a global data breach. Cheang also has experience in advising and structuring outsourcing and service agreements and provides advice to companies across a wide spectrum of industry sectors on various issues including e-commerce, IT and consumer protection.

Janice Lin is a partner with Tsar & Tsai Law Firm and concurrently Co-Chairperson of the ECCT's Technology committee. She frequently advises and represents international and domestic financial institutions on legal compliance when adopting new technologies, or offering new products, investments, and conducting offering and placement related activities. She also works with Taiwanese financial and securities related agencies or associations on new legislation and rule making. She is an expert on privacy and personal data protection laws and advises clients in the high tech, energy, banking, finance and securities industries on the latest developments and new issues related to data protection (including cross-border transfers) and client secrecy.