Introduction of the Consent and Extraterritoriality under the GDPR (Taiwan)

Tina Li

The GDPR, which stands for the General Data Protection Regulation, is a regulation adopted by the European Parliament and the European Council on April 27, 2016.  In addition to a preamble, the GDPR consists of 11 chapters and 99 articles.  The GDPR came into effect on May 25, 2018.  A two-year grace period between the adoption and implementation was provided so that EU members and other countries to which the GDPR applies could enjoy preparation time for legal compliance.

The precursor of the GDPR is the Data Protection Directive of 1995.  The difference between a “regulation” and a “directive” is that a directive is binding only when the member states incorporates it into their national laws, while a regulation applies indiscriminately to all member states and is directly binding.

The fact that the GDPR was adopted as a regulation indicates that the 28 EU members at that time were willing to relinquish a certain degree of sovereignty and allowed the EU to decide the manners and scope of personal data protection and violation penalties in each member country.

From the perspective of individuals and enterprises, personal data of ordinary people can be more thoroughly protected.  Although the GDPR is regarded as the most stringent personal data protection law in human history, still enterprises in EU member states are no longer required to localize relevant documents and equipment based on the different countries in which they are located.  As a result, legal compliance costs can be effectively reduced, personal data can flow freely among the member states, and the common objective of a single digital market can be achieved.

Although the GDPR is primarily applied to EU member states, still online shopping of goods and services has become an indispensable boom as part of the busy lives of modern people because of cross-border flows of goods and services due to international trade as well as the rapid development of e-commerce.  Shopping websites, social media, airlines, travel agencies, hotels and banks are dealing with our personal data every day.  Even if these enterprises do not have any establishment in the EU,[1] the GDPR may still be applicable if goods or services are provided to data subjects (hereinafter, the “Data Subjects”) in the EU or if the activities of the Data Subjects in the EU are monitored.

Since Taiwan’s Personal Data Protection Law is somewhat different from the provisions of the GDPR, enterprises in Taiwan not only need to comply with the Personal Data Protection Law in Taiwan but also are required to check the applicability of the GDPR.  If the GDPR applies, it is necessary to conduct a comprehensive review pursuant to relevant GDPR provisions to ascertain the types and quantities of EU personal data in possession and design external and internal audit, control documents and procedures which comply with relevant requirements.  In addition, personal data protection should be considered in the very beginning when a system or computer program is designed, and only essential personal data[2] are processed in order to minimize personal data and ensure the legality, accuracy, transparency and security during an enterprise’s processing of personal data.

This essay briefly describes two relatively more important GDPR concepts for Taiwan by referencing the standard released by the EU’s Article 29 Working Party (hereinafter, “WP29”) in the hope of benefitting enterprises when they seek to determine the applicability of the GDPR.

I. Extraterritoriality

1. There are establishments in the EU:

Whether personal data of the Data Subjects in the EU are actually processed in the EU is not considered.  For example, the GDPR may apply to an EU company that conducts the actual processing in the US or through a cloud service.

2. There is no establishment in the EU:

(1) However, the GDPR always applies if goods or services are provided to individuals in the EU, regardless of whether payments are required (e.g., trial and evaluation), or if the movement of an EU individual in the EU is monitored (via a heart rate band or smart band, for example).[3]

(2) What does it mean to “provide” goods or services to the Data Subjects in the EU? This primarily means that if the Data Subjects in the EU are targeted for marketing, including scenarios, for example, where the euro many be used for payment or specific languages in certain EU countries (such as a French version) are used, or it is mentioned that customers in the EU used to accept services or purchase goods, such scenarios will be regarded as those where the Data Subjects in the EU are targeted for marketing.

3. B-B can also become B-C:

The GDPR applies to B-C scenarios where the targets for the provision of goods or services should be the Data Subjects rather than enterprises.  Scenarios involving transactions or service provision purely between enterprises are not subject to the GDPR.  However, enterprises should note if goods and services are provided to customers of such foreign enterprises after goods and services are provided.  For example, if Company A sells goods to Company B under a B-B scenario, the GDPR does not apply to the transaction of such goods.  However, when Company A provides a warranty requiring the end users of the goods to enter their personal information on the Internet so that the warranty services will be provided, if the end users are the Data Subjects in the EU, services are considered to be provided to the Data Subjects in the EU, and the GDPR will apply to Company A.

4. Except for exceptional circumstances where a representative is not required, applicable enterprises are required to set up a representative[4] in the EU. If this requirement is not followed, a penalty of up to 10 million euros or a fine equivalent to 2%[5] of the total global revenue for the previous fiscal year may be imposed.

II. Consent

1. It is actually very risky to legally process personal data just based on “consent.”

There are a total of six legal grounds[6] for processing personal data.  In addition to personal “consent,” there are anothr five possible prerequisite grounds for legal processing, namely, essentiality for contract performance, steps required by the Data Subjects before a contract is executed, major interest specifically required by law or for the protection of the Data Subjects or others, essentiality out of public interest or for a public agency’s performance of its statutory responsibilities, and essentiality for the pursuit of justified benefits.

Although the “consent” of the Data Subjects is listed as the first possible legal ground for legitimate processing, this does not mean that a company is required to consider the sequence of the legal grounds.  On the contrary, priority should be given to the search for other legal grounds for processing, and “consent” can be obtained, if necessary, to secure the legality of personal data processing.  The main reason is that the GDPR also requires that the consent could be withdrawn at any time.  Therefore, if the sole basis for processing as relied on is “consent,” when the consent is withdrawn, many rights of the Data Subjects, including the right to erase data, will arise along with subsequent complex issues.  Therefore, it would be more appropriate to make good use of other enumerated reasons as the basis.

Since personal data are divided into two categories under the GDPR, the criteria for “consent” for different personal data also vary.  Different types of personal data require different degrees of consent.

(1) Ordinary personal data:

The GDPR defines “consent” as a clear and affirmative indication given by the Data Subjects, out of their free will, with respect to a request to process their personal data for specific purposes after the Data Subjects are informed of the matters that should be communicated.[7]

a. The consent should be a decision made after the matter that should be notified is communicated.[8] Items that should be communicated at least include the identity and contact method of the data controller (who wants my personal data?), processing purposes and basis (why are personal data wanted?), the types of personal data which are collected and used (what kind of my personal data is wanted?), the rights of the Data Subjects, automated individual decision-making, risks[9] of cross-border transmission (if any), etc.

b. The consent should be freely given. This primarily stresses that the Data Subjects have a genuine choice. For example, if the Data Subjects want to download a Photoshop app, they should not be requested to activate GPS, which allows the provider to pinpoint their position for advertising, in order to use the app.  These two purposes are not compatible and under such a circumstance, I do not have a genuine choice.[10]

c. The consent should be unambiguous. To wit, it should be given in writing or orally and could be done by electronic means.

(2) Special types of personal data:

For the consent for such category of personal data, Article 9 of the GDPR additionally requires such consent to be “explicit.”  For example, scanning a letter as prepared or a form as filled out before it is emailed or uploading it after a signature is affixed or using a digital signature or even using voice recordings can all meet such relatively more stringent requirement.

2. Consent of individuals below 16: If Internet services are provided to minors below 16 or even younger (the member states are authorized to prescribe the age), the processing of personal data can only be done by legal representatives or with their authorization. In addition, the data controllers who receive such consent are also required to use reasonable efforts to confirm the authenticity of the consent.

3. Penalties:

If personal data are processed without consent[11] (unless there are other legal grounds) for the processing of ordinary personal data and special types of personal data, the maximum administrative fine can be as high as 20 million euros or 4% of the total global revenue for the previous fiscal year.[12]  As for violation of the consent requirement concerning individuals below the age of 16, the maximum penalty can be as high as 10 million euros or 2% of the total global revenue for the previous fiscal year.[13]

[1] This refers to regular arrangements which are effectively and truly functional in the EU, regardless of whether they have characteristics of juristic persons.  See Paragraph 22 of the Preamble of the GDR for details.

[2] Please note that unlike Taiwan, the GDPR does not differentiate collection, processing and use and only refers to them generally as “processing.”  See Article 4 of the GDPR for the definition of “processing.”

[3] See Articles 3 and 27 of the GDPR.

[4] See Article 27 of the GDPR.

[5] See Article 83, Paragraph 4 of the GDPR.

[6] See Article 6 of the GDPR.

[7] See Article 4, Paragraph 1, Subparagraph (11) of the GDPR.

[8] See Articles 13 and 14 of the GDPR.

[9] See the Guidelines on Consent under Regulation 2016/679 released by WP 29.

[10] Ibid.

[11] See Articles 6, 7, and 9 of the GDPR.

[12] See Article 83, Paragraph 5 of the GDPR.

[13] See Article 83, Paragraph4 of the GDPR.