Data Protection Compliance During EU Trade Defence Investigations
24 July 2019
This report offers guidelines and contains practical examples for securing compliance with data protection rules in the framework of trade defence investigations conducted in the European Union. It may, therefore, assist those exporting from the Chinese mainland to the EU to comply with data protection rules if and when they face trade defence investigations.
Pursuant to the EU rules on data protection (now contained in Regulation 2016/679), ‘personal data’ means any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or due to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Since the entry into force of Regulation 2016/679 (commonly known as the “GDPR”), private companies (for example, companies located in Hong Kong or mainland China having subsidiaries in the EU) participating in trade defence investigations may have found themselves cooperating in such investigations without being sure whether they are sufficiently complying with data protection rules. Hong Kong traders with an interest in this topic might want to know that the GDPR regulates the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not.
Private companies are increasingly concerned about how to lawfully disclose personal data to trade authorities in response to requests for information. By way of example:
“The Directorate General for Trade of the European Commission provides private companies participating in EU anti-dumping investigations with an anti-dumping questionnaire. Section A (General Information) of the questionnaire requires the disclosure of a considerable amount of personal data, such as: (i) name, telephone number, and email of the person in the company that the case handlers will contact during the investigation; (ii) name, address, telephone number, fax, and email of the legal representative of the company for the purposes of the investigation; (iii) names of the principal shareholders of the private company; and (iv) names of the board members of the private company.”
Based on the abovementioned facts, Hong Kong traders should note that there must always be a legal basis for each instance in which a private company, located or with subsidiaries in the EU, processes personal data. A legal basis is a ground that permits the use of personal data. An exhaustive list of legal bases is laid down in the GDPR.
A private company must determine the legal basis for each purpose for which personal data are processed. The GDPR will usually permit the processing of personal data in the context of trade defence investigations on the basis of the necessity to use these personal data for the legitimate interests of the private company (acting as a controller of the data).
Processing is deemed necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
A private company can rely on the controller’s legitimate interests for processing personal data in the framework of trade defence investigations, rather than relying on the data subject’s consent. Indeed, one legal basis is sufficient to permit the processing and it could be misleading to request consent if it were not needed.
As explained by the European Data Protection Supervisor, if private companies voluntarily provide information, which may include personal data, to EU institutions (e.g. for a trade defence investigation), the legitimate interests pursued by the private company would provide the legal basis for processing this information. An example of such legitimate interest would be the non-imposition of duties, or the imposition of the lowest duty upon the conclusion of the trade defence investigation.
However, the GDPR provides that the lawful processing of personal data based on a private company’s legitimate interests, pursuant to the legitimate interests clause of the GDPR, is not absolute. Rather, it entails a balancing exercise between, on the one hand, the fundamental rights and freedoms of the data subject and, on the other hand, the legitimate interests of the private company. In most cases, the nature of the personal data that are processed will be limited to (professional) contact details and does not result in a high risk for the data subject. Therefore, it is unlikely that the risk for the data subject will override the legitimate interests pursued by the company.
Nevertheless, to further reduce the risk for data subjects, organisations should consider redacting public documents to remove personal data that are not strictly necessary. Indeed, during EU trade defence investigations, interested parties routinely provide two sets of submissions to the case handlers: a confidential version, which contains, e.g., sensitive financial information about the private company and to which only the case handlers have access, and a non-confidential version open for inspection by all the other parties to the investigation. There is a potential risk of a personal data breach when disclosing personal data in the non-confidential versions of the questionnaires and submissions. To prevent this risk and respect the GDPR’s principle of data minimisation, trade lawyers are advised to redact, in the non-confidential version of the questionnaires and submissions, any personal data that are not strictly necessary for the purposes of that version.