Data privacy law is going global. Well not quite. But having passed the first anniversary of the General Data Protection Regulation 2016/679 (GDPR) coming into effect in several EU member states, its success is being reflected in similarly strong data privacy laws in other countries. The California Consumer Privacy Act (CCPA) is a good example. There is also new legislation in Brazil and Kenya. Japan’s data privacy law pre-dated the GDPR by a year.
The GDPR is widely recognised as the “gold-standard” of privacy law. Non-EU businesses are aware that they are subject to the GDPR’s provisions if they offer goods and services to, or monitor the behaviour of persons located in the EU.
GDPR General Advice
- Guidelines on the territorial scope of the GDPR were issued by the European Data Protection Board (EDPB) in November 2018. These should be considered carefully if there is external processing of personal data of persons located in the EU.
- The GDPR applies to non-EU entities if they fulfil the criteria for having an “establishment” in the EU, even if they are primarily located elsewhere.
- If an organisation has no confirmed “establishment” but is targeting EU situated individuals, it must appoint a representative to deal with all GDPR compliance issues.
- Relevant organisations should ensure that privacy policies reflect the GDPR, as well as local privacy laws.
- If the UK is relevant to data processing activities, organisations must keep under review the issues that arise if the UK leaves the EU on a “no deal” basis.
Recent Client Matters
Here at Barlow Robbins LLP, we have recently advised US and Far East clients which process the data of EU residents in order to provide services to them. In neither case had they appointed an EU representative as specified in the legislation, although in the US example a representative was processing some of the data in the UK and elsewhere.
Our work for these clients related to issues such as obtaining effective consent to process the personal data of children, contract data sharing and export, joint control of data by entities in multiple non-EU jurisdictions (including the effect of Singapore’s Personal Data Protection Act 2012) and the structuring of suitable privacy policies taking all issues into account.
Author
Laurie Heizler, Of Counsel – Intellectual Property, Technology & Media, Barlow Robbins LLP, Guildford, Surrey UK
Read the article on our web page.
Ecovis is a leading global consulting firm with its origins in Continental Europe. It has over 7,500 people operating in over 75 countries. Its consulting focus and core competencies lie in the areas of tax consultation, accounting, auditing and legal advice.
The particular strength of Ecovis is the combination of personal advice at a local level with the general expertise of an international and interdisciplinary network of professionals. Every Ecovis office can rely on qualified specialists in the back offices as well as on the specific industrial or national know-how of all the Ecovis experts worldwide. This diversified expertise provides clients with effective support, especially in the fields of international transactions and investments – from preparation in the client’s home country to support in the target country.
In its consulting work Ecovis concentrates mainly on mid-sized firms. Both nationally and internationally, its one-stop-shop concept ensures all-round support in legal, fiscal, managerial and administrative issues.
The name Ecovis, a combination of the terms economy and vision, expresses both its international character and its focus on the future and growth.
ECOVIS AG Steuerberatungsgesellschaft
Ernst-Reuter-Platz 10
10587 Berlin
Telefon: +49 89 5898-266
Telefax: +49 (30) 310008556
http://www.ecovis.com
ECOVIS AG Steuerberatungsgesellschaft*
Telefon: +49 (89) 5898-266
E-Mail: gudrun.bergdolt@ecovis.com