With the continuous digitization of human life and economy, questions around the ownership and privacy of our personal information need urgent attention. From June, it will be crucial for Lebanese companies to understand the implications of new European regulations on the ownership and limits to exploitation of personal information, which came into force at the end of May.
As of May 25, two years after the adoption of the General Data Protection Regulation (GDPR) by the European Union, organizations that are registered in the EU, or selling products and services to EU residents, have to apply GDPR. This can range from large international manufacturers and online retailers, to small enterprises and commercial bloggers. But many in Lebanon assume that this new regulation will not affect them.
This could be a mistake, and a costly one, for companies that offer products or services online that are purchasable by EU residents. All local companies with a strong digital presence outside Lebanon should determine whether they need to initiate compliance with GDPR.
GDPR is a landmark European Union regulation that prescribes the rules and regulations for the collection, processing, use, storage, and destruction of the personal information of EU residents. The main aim of this piece of legislation is to protect consumers by giving them greater control over their personal data that is transmitted via the internet, and to compel businesses to be more accountable and transparent in their use of customers’ personal data.
As an EU regulation, GDPR is not a priori applicable outside of the bloc. However, one of the considerable changes introduced by GDPR is its extraterritorial scope, which allows it to reach non-EU organizations performing transactions with EU residents. Under Article 3 of the GDPR, a company may still have to abide by its rules even if it is incorporated outside of the EU and has no physical presence within the EU.
Compliance with GDPR is thus required of companies anywhere, as long as their activities entail the offering of goods or services to European residents, the processing of data from such persons, or the monitoring of users’ behavior that takes place in the EU. GDPR will likely apply to a Lebanese business even if it has no employees or offices within the EU, but is selling a product or service to EU residents, or even simply offering to sell, irrespective of whether a payment is made or not. Likewise, abiding by GDPR is a necessity for any Lebanese company that monitors the behavior of European residents, for example, if it processes information about consumers in an EU country to predict their behavior, or does surveys on the behavior of EU residents. In addition, GDPR is applicable to a Lebanese company if it has EU-based employees and is processing information related to these employees.
GDPR would not apply if the Lebanese company is undertaking regular marketing of goods and/or services. This means that if the company has a website offering goods and/or services but does not have a physical presence in the EU and shows no indication of targeting any EU residents, it is not required to comply with GDPR rules simply on the basis that an EU resident can somehow stumble upon its website—what this means in practice will emerge over time.
However, the GDPR likely will apply to a company, irrespective of its country of incorporation, if its website targets EU residents, if it accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, or provides information in a language that is predominantly spoken in an EU country such as Italian, French, and German.
Violating the GDPR and failing to report any infraction of personal data rights of EU residents can result in hefty fines; in serious cases, regulators can fine businesses 20 million euros, or up to 4 percent of their previous year’s worldwide turnover, whichever is higher. For smaller infringements of the GDPR, regulators can impose fines amounting to 10 million euros, or up to 2 percent of the company’s worldwide turnover, again, whichever is higher.
Lebanese companies, thus, would benefit from informing themselves about the provisions and requirements that are coming into force with the GDPR. If a Lebanese business is uncertain as to whether GDPR applies to it, it may be a good idea to contact an auditing or consulting firm with expertise in doing business in Europe, or approach a specialized adviser, to make sure that its privacy initiatives are in order. This will not only avoid legal proceedings and painful fines, but also express a will to protect fundamental rights and freedoms of individuals, and in particular, the right of consumers to the protection of personal data.