GDPR: A sign of things to come for non-EU merchants?

The GDPR deadline of 25th May is fast-approaching, and companies in the EU are working hard to ensure compliance. Recent surveys however , suggest that most companies won’t be ready in time; not to mention the compliance of non-EU businesses selling into Europe!

The seriousness of GDPR is not to be underestimated by non-EU companies, especially when compared with the domestic data protection laws that they’re accustomed to.

Serious liabilities

The liabilities under GDPR go beyond the potentially huge fines and risk of class action law suits. Most companies dont realise that they may be liable for other companies to whom they have transferred data. In the payments world it may transpire that PSPs, acquirers and alternative payment method suppliers are in fact considered joint controllers. Data subjects will intent on pursuing the maximum amount of compensation for damage caused by data processing and could hold each of them separately accountable.

Furthermore, the standard data protection clauses contain provision around liabilities of third-country (sub-)processors for EU controllers, if the controller has factually disappeared, ceased to exist or become insolvent (however limited its own processing operations). Not only merchants are on the hook here. Solution providers in the industry, such as fraud solution providers based outside the EU receiving transaction data on European individuals might need to have a closer look at the implications of its client base geography.

And don’t be mistaken, even if a non-EU based company has no presence or representation within the EU, it could still be sued by EU data subjects if their personal data is found to be misused.

GDPR versus Asian data protection laws

In several jurisdictions, data protection laws such as the predecessor to GDPR are very outdated. Movement around data protection is also happening outside of the EU, with regulations similar to GDPR being considered; and rightly so. Current Asian legislations date back to well before the 21st century, with the most up to date regulations enacted in Singapore and the Philippines in 2012.

However, while those most-recent Acts do impose more requirements on the collection and use of personal data, the Singapore Act for instance does not include the extensive data subject rights given under GDPR, such as the individual’s right to restrict processing or right to be forgotten.

Other regulations within the APAC region do not cover these topics either, with an exception for the Philippines, Korea and Taiwan. These countries do provide similar GDPR rights to data subjects, except for the right of data portability.

However, almost all of these countries lack special provision around direct marketing, sensitive data processing, recordkeeping and automated decisions.

The Asian road to GDPR

In 2017 multiple developments around data protection were noted in Asia, for example with amendments to the laws of Japan and the Philippines. The latter comprises elements of GDPR including the 72-hour data breach notification, special provisions around profiling and a right to data portability.

Japan has gone so far as to designate a dedicated Data Protection Regulator, responsible for administration and law enforcement; and it did not stop there. As one of the oldest laws in the region, the Japanese Act now includes the obligation to obtain the data subject’s permission before his/her personal data can be transferred and the right for the individual to opt out. It will also introduce international data transfer sharing regulations. Japan is also enforcing criminal penalties as sanctions for non-compliance including imprisonment and fines up to 4,000 EUR (negligent violations will be given a cure period before such a remedy is sought).

Even though the level of these fines is far from comparable with GDPR, imprisonment will definitely set the tone for companies prioritising compliance.

Should GDPR principles be embedded into the global organisation?

GDPR is considered by some as the biggest ever overhaul of data privacy. It may however, be that this regulation merely sets the tone of what’s still to come. With continuous developments in technology and people spending more and more time online, not to mention recent security breaches and misuse of personal data, the world does require a different approach to data privacy and protection.

The pace of regulatory developments around data privacy and protection is rapid and non-EU merchants would be advised to take GDPR principles as a basis for their entire processing operations on a global level. One way or another, merchants will be faced with extensive regulatory requirements and increased data subject rights; be it through GDPR or updated domestic data protection laws.

And the US?

Meanwhile the APAC region seems committed to boosting their data protection rules with similar requirements to GDPR. Other continents might follow, even though the roadmap might be longer. The USA might be behind on schedule, despite the recent calls for GDPR-like privacy laws. The current administration does not seem extremely eager; last month the US Department of Homeland Security warned about GDPR having unintended consequences to its ability to protect itself from cyber-attacks.

About Nadja van der Veer

Nadja van der Veer is a payments lawyer with almost 10 years of experience in the international Payments industry and a legal expert in rules and regulations involving PSD, AML and CDD and Card Schemes. Having worked for a PSP and an acquirer, she has a broad perspective on all legal and business aspects of (Card and Alternative) Payment processing in the global ecommerce industry. As Co-Founder of PaymentCounsel and one of the Managing Partners of Pytch Ventures she consults Merchant Acquirers, Payment Services Providers (PSPs/MSPs), other fintech companies and merchants in their startup phases that want to expand their business internationally, while mitigating risk. Together with her partners, they understand all aspects of this sector intimately and aim to share their expertise with their partners with full transparency and simplicity.