While the EU General Data Protection Regulation’s extraterritorial reach is generally well known by this point, there is still a tendency outside of Europe for organizations to express some skepticism: Will European regulators really enforce the law outside of their jurisdictions? Does the GDPR really present a compliance risk if you’re not in the EU? 

The answer to those questions, presented as part of a special KnowledgeNet session designed to coincide with the International Data Protection and Privacy Commissioners Conference here in Hong Kong this week, was a resounding “yes.”

The key consideration, said Marcus Evans, partner at Norton Rose Fulbright, is where enforcement pressure might come from. Should you experience a breach, and European personal data is involved, “the EU regulator will be coordinating with the local regulator here in Asia, and that’s where the enforcement is going to come from.”

Whether via the Global Privacy Enforcement Network or simply through relationship-building among regulators, they are becoming more likely to work together on enforcement efforts, as we saw in the Ashley Madison breach case.


However, Evans noted, the real pressure is unlikely to come directly from regulators, but rather from European companies with whom Asian companies are doing business. If controllers stand to face enforcement action due to the failures of their vendors, “they have liability, and even if it’s not your liability, they’re going to start insisting that Asian businesses implement contractual provisions.”

What European controllers expect of Asian processors, Asian processors will need to demand from their own vendors.

Evans said to expect a relative flood of model clauses, all the more prevalent due to Article 28 of the GDPR, and “I think there’s less of a culture of flowing these provisions all the way down the chain in Asia than perhaps there is in America or elsewhere where contracts are really taken seriously as they move down the chain. That’s something that European controllers are really concerned about.”

Asian firms should expect extra scrutiny of their subcontractors from their European business partners, and to either lose business or be subject to onerous auditing if they can’t produce the proper paperwork.

“You’ve just struck fear into the hearts of everyone who does contracting in Asia,” joked fellow Norton partner Anna Gamvros, CIPP/A, CIPT, FIP.

For her part, Gamvros noted that Asian firms looking to do business with European consumers will face a dilemma over their privacy notice. Europeans will expect a notice that sets out their rights, the contact details of the data protection officer (DPO) and so on, while local Asian customers might rightly wonder what all of that is about.

“We’re having to deal with this cascading of rights,” when working with local Hong Kong firms, she said. “We have to say, here’s the privacy policy, but if you’re in Europe only this part applies. That on the face of it seems sensible, but some consumers are going to ask, ‘Why don’t I get all of those rights as well?’”

Will firms start geofencing their sites so that different notices are shown to different customers? How many relatively small companies are likely to be able to do that?

Further, how likely are Asian firms to appoint a representative in Europe, or to develop a register of data processing activities and procedures for the right to be forgotten and data portability?

Evans predicted that it will become more likely once the absence of such measures starts triggering consumer complaints.

It’s fair to wonder, he said, “Do you appoint a representative? It’s a bit like putting your head in the lion’s mouth. … But if there are complaints about what you’re doing in Asia and the regulators start to have to follow up, the first thing they’ll be putting pressure on you to do is appoint a rep. You’ll have to be a quite brazen business to not agree to do what a high-profile European regulator is asking you to do.”

Brazen? Risk-averse? How seriously Asian firms end up taking the GDPR will depend ultimately on both their appetites for regulatory risk and the value they place on their European business partners.

And, of course, everyone in Asia will be watching for that first regulatory reach beyond European borders.