The new personal data protection law that took effect in mainland China last month means that it will be necessary in future for Macau resort operators to appoint a representative in mainland China, lawyer José Filipe Salreta said yesterday.
At the France Macau Chamber of Commerce (FMCC) breakfast briefing yesterday, Salreta was asked to clarify if local hotels and resorts are required to have representatives in mainland China to be compliant with the new law.
Hotels, resorts and entertainment venues all need to collect data as part of their service provision – commencing even before guests arrive, when reservations are taken .
Salreta clarified that there is no exclusion or immunity whatsoever which lifts the obligation to abide by the Personal Data Protection Law of Macau as well.
“And if you’re handling personal data of customers who are currently living or situated in mainland China, you’ll also have to respect [the] Personal Information Protection Law [of mainland China],” the lawyer added.
In order to be fully compliant with the laws of both mainland China and Macau, not only is a representative required on the mainland, the lawyer said, but risk assessments should also be conducted before the handling of personal data.
In summary, personal data collected by hotels and resorts to meet business needs must be handled in compliance with the mainland law that was enacted last month, in addition to Macau law.
While commenting on the need to handle pre-existing personal data in compliance with the new law, Salreta did not give a direct answer relating to the ambiguity on this topic. However, he said it was crucial to seek clarification from the authorities in mainland China.
Considering the extraterritorial nature of the law, entities “outside of the People’s Republic of China dealing with personal information of natural persons within [it]” must abide by the law.
It is clearly stated that entities providing products or services to domestic natural persons, which analyze and evaluate the behavior of natural persons in China or are otherwise in other circumstances stipulated by laws and administrative regulations are within the authority of the law.
A plus for businesses is that the law permits data to be transferred abroad, provided that certain requirements are met, such as passing a Chinese security assessment and obtaining a personal information certification.
The cornerstones of the mainland law are spelled out clearly. For example, personal information is defined by Article 4 of the law as “all kinds of information related to an identified or identifiable natural person recorded by electronic or other means, excluding […] information after anonymization.”
Salreta stressed that the core of the laws in both mainland China and Macau is the consent for data provision. The data handler must obtain goal-specific consent separately in order to use the data for a particular purpose, such as providing the data to a third-party.
Salreta is a senior associate at MdME Lawyers who specializes in corporate compliance, data privacy and regulatory matters. He holds three postgraduate degrees conferred to him by universities in Lisbon, Paris, and Macau.