Following Europe’s General Data Protection Regulation (GDPR) implementation, companies worldwide have rushed to implement the necessary compliance measures.
The GDPR applies to the processing of personal data by a controller or processor located in Macau where the data processing is related to either the offering of goods or services to data subjects in the European Union (EU), regardless of whether a payment is required, or the monitoring of people’s behaviour in the EU.
Thus, even a company based in Macau SAR or Mainland China with no legal representation or establishment in the EU will be subject to the GDPR if it carries out any of the activities described above.
In Mainland China, the Data Security Law was recently passed on June 10th. It includes a wide definition of data, which will affect all sectors, notably businesses running social media and e-commerce platforms and, in general, all companies dealing with a large amount of personal data. Among other provisions, this new piece of legislation imposes obligations to implement data security measures, to carry out risk assessments and produce evaluation reports, to designate a person in charge of data security, and to obtain prior authorization from the competent authorities in China before transferring data to other countries. The potential penalties vary depending on the rules that have been breached. Still, in serious circumstances, such as core state data being mishandled or national sovereignty being endangered, a fine of up to 10 million yuan may be issued, and business licenses may be suspended or revoked.
Regarding personal data protection specifically, the Personal Information Security Specification (the Specification), implemented in May 2018 and amended in October 2020 (GB/T 35273-2020), provides recommended guidelines for processing personal data. Nevertheless, compliance with it by data controllers and processors is not mandatory.
Even so, the Specification constitutes a milestone and an important source of information in what pertains to data privacy in China, because it is used as:
In parallel with the GDPR, China has developed a new data protection legal framework. In October 2020, the first draft of the Personal Information Protection Law (PIPL) was released for public comment. Following its approval, it is expected to have a significant impact on several industries, particularly e-commerce and digital businesses.
The proposed provisions of the PIPL foresee that companies may be subject to a baseline fine of up to RMB1,000,000. If the violation is deemed “serious,” the fine may be increased to RMB50,000,000 or 5% of the company’s annual turnover for the prior year.
But, after its approval, may the PIPL apply to a Macau SAR company or even to an EU or US-based company?
Yes, it may! Similar to the “long-arm jurisdiction” of the GDPR, if such a company processes the personal data of individuals within China’s territory in order to provide products or services to individuals in China, or to analyse and evaluate the activities of individuals in China, the PIPL shall apply.
Macau’s data protection legal framework was strongly inspired by EU legislation: the Personal Data Protection Law (Law 8/2005) was inspired by the Portuguese Law passed in 1998, which transposed the EU Directive 95/46/EC.
With increased data privacy and security concerns worldwide, the Macau Government has already approved a Cybersecurity Law to protect the information networks and computer systems of critical infrastructures. The same motives have also led the Macau Data Protection Authority to become more active in enforcing data protection rights. The Personal Data Protection Law is therefore widely expected to be updated to face the new challenges of current and upcoming technological developments.
For companies operating in China, the Cybersecurity Law, the Data Security Law and the PIPL, once enacted, will establish a regulatory framework governing the processing of personal data and cross-border transfers of personal and non-personal data. For companies with operations in both China and Europe, full compliance with the GDPR and the PIPL will present a new challenge because the two regimes contain similar but not identical, overlapping rules. In any case, such companies will be required to implement the measures necessary to close any gaps in their Data Privacy Policies and to comply with all legal requirements regarding personal data processing.
Considering the legal provisions on privacy by design and by default, the different legal frameworks applicable to cybersecurity, e-commerce and data privacy, and the current trend of extending the territorial scope of national laws to data processing carried out by companies located in other countries, companies engaged in app development, in selling products and providing services through electronic means and, in general, all data controllers and data processors should be aware of their current and upcoming legal obligations with respect to data privacy.