M. Georgia Gibson Henlin | EU's data protection bite - Applicability of the General Data Protection Regulation to Jamaican businesses
The General Data Protection Regulation (GDPR) is a European Union (EU)-based law that is applicable to all member states of the union. It became effective on May 25.
The GDPR generated much concern and activity worldwide in recent days. Mailboxes are flooded with requests for persons to re-consent to direct marketing and information emails or updated privacy policies.
The major concern is focused on compliance with the GDPR's provisions, with eyes firmly fixed on the hefty fines of €20,000,000 or four per cent of the business's global income for the prior year, whichever is higher.
Non-EU businesses assume that the GDPR automatically applies to their activities due to the extraterritorial application of the regulation.
The regulation fuels this assumption. Article 3(1) states that the regulation is applicable to the processing of EU data subjects' personal data, whether the processing takes place in the EU or not.
It further specifies that it applies where non-EU businesses offer goods or services in the EU, irrespective of whether payment is required, or where they monitor EU data subjects' behaviour. It may also apply where member state law applies by virtue of public international law.
Notwithstanding the extraterritorial effect of the GDPR, however, it does not automatically apply to non-EU businesses. The usual, or likely, circumstance in which such businesses would fall within the GDPR net is where they have an online presence, or hold email addresses or other contact information for EU data subjects.
However, the existence of these factors is not conclusive. The fact that a Jamaican or non-EU business is accessible in the EU or by EU data subjects is not enough to bring it within the scope of the regulation. The non-EU business must demonstrate an intention to attract or target EU data subjects as customers.
Instead of assuming that the GDPR applies, therefore, a Jamaican business must assess whether its actions or activities target EU customers, or whether there is an intention to do so.
A number of factors are relevant to this assessment. These include but are not limited to the following:
- Does the Jamaican business enable access by EU data subjects in their language or currency?
- Are EU data subjects able to purchase goods or services in their own language?
- Does the Jamaican business refer to EU customers by name, or by reference to a member state, when advertising goods or services?
Monitoring activities that trigger the application of the GDPR include the tracking of individuals on the Internet and using the information to:
- Profile a natural person so that decisions can be made about the data subject;
- Assess the data subject's personal preferences such as purchasing or browsing behaviour.
Profiling occurs when the automated processing of personal data is used to "analyse or predict a person's behaviour." The information is then used to evaluate the data subject's personal preferences, purchasing habits or location, for several purposes including direct marketing.
In considering the requirements for compliance, Jamaican businesses must determine whether they collect data on EU data subjects, and how it is collected or used. The more common activities, which explain some of the emails that are flooding mailboxes, are:
- web analytics
- cookie identifiers
- radio frequency identification tags
- geo-location tracking.
If, after an assessment, it is determined that the GDPR applies, the Jamaican business must determine the nature of the personal data that it processes for EU data subjects and put in place mechanisms, such as systems to manage the data and data protection policies, to assure compliance.
Perhaps more fundamentally, the business must appoint an EU representative who is located in a member state, ideally the one in which the EU data subjects are located.
The representative's appointment should be in writing. The relevant information commissions or authorities should be advised to address the representative instead of the Jamaican controller or processor.
In the event of failure to comply, the representative is the likely person or entity to be the subject of enforcement proceedings. This does not affect the right of the authorities or data subject to bring judicial proceedings directly against the Jamaican data controller or processor.
The word out there is that EU representatives are not in large supply for non-EU businesses, due to the risk of enforcement proceedings against them directly. Such representatives are likely to demand stringent terms, including indemnity and insurance, as a condition of representing non-EU businesses.
For Jamaican businesses, whose primary contact may be in Britain, the appointment of a representative, if necessary, should be given some thought in light of Brexit, which means that Britain will shortly also be a non-EU state.
This is not to say that, as between Jamaica and Britain, the GDPR or GDPR-type regulation will not be in effect. GDPR apart, there is a new Data Protection Act, 2018 in the UK which substantially mirrors the GDPR.
Personal data restrictions
Notwithstanding the foregoing, Jamaican businesses should be mindful of the indirect application of the GDPR. This is because there are restrictions on transfers of EU personal data from the EU to third countries, or onward from those countries to other third countries.
The restrictions are imposed because the EU is keen to ensure that the GDPR remains as an effective measure for the protection of the EU data subject's personal data.
In this context, an "adequacy decision" would be required for Jamaica, or for one or more specified sectors in Jamaica, affirming that adequate levels of protection are in place to preserve the objectives of the regulation.
On the other hand, there may be an exemption from the requirement for an "adequacy decision" if the EU controller, or processor, has provided adequate safeguards as required by Article 46.
This exemption is available on condition that "enforceable data subject rights and effective legal remedies are available."
One such measure is for "associations and other bodies representing categories of controllers and processors" to adopt codes of conduct that acknowledge the application of the GDPR.
Finally, the requirement for persons to consent, or re-consent to direct marketing, or information emails, is not yet a part of the GDPR.
It is being done pursuant to the e-Privacy Directive, 2002/58/EC, which regulates marketing via electronic communications.
Jamaican businesses should start with an assessment of their EU contact, the nature, content, and subject matter of that contact, before implementing the GDPR regime or as part of that implementation.
It is the dawn of a new era and a long new road for Jamaican businesses.
- M. Georgia Gibson Henlin, QC LLM is a member of the International Technology Law Association. References provided in the original have been withheld.