New European laws on data protection and privacy, and their implications for local companies and businesses, were debated during a France Macau Chamber of Commerce (FMCC) breakfast meeting at Sofitel Macau last week.
José Felipe Salreta, a lawyer at Rato, Ling, Lei & Cortés Advogados e Notários, told the Times that when in doubt a “golden rule” is “to comply with the rules now enforced by the European Union [EU].”
One reason for this is that the laws may apply both directly and indirectly to businesses and companies that are not based in the EU. Salreta added that the Macau Personal Data Protection Act (PDPA) has “its roots [or inspiration at least] in the Portuguese [and consequently European] regulations.” Although local laws are currently not as strictly enforced as those in the EU, “it is likely that in the [near] future this [will] tend to happen,” Salreta said, hinting that the sooner local companies, “at least the ones of large size and with clients [potential clients or suppliers] in European markets,” comply with the provisions of such regulations, the better protected they will be and the less likely they are to experience problems in the future.
When questioned about which types of businesses and/or companies are more likely to be directly affected by the General Data Protection Regulation (GDPR), which has been in force in the EU since May 25, Salreta said that sectors such as tourism, banking, finance and insurance are the ones where the GDPR “may offer more challenges.”
During last week’s meeting, Salreta said that one of the major changes now introduced is that the fines (for cases of non-compliance) are revenue-based.
Another considerable change in the new rules is that companies must obtain consent from people to collect and use their data, explaining clearly for what purpose and to what extent the data will be used.
“Just a simple statement saying something like ‘If you enter this website you consent to the rules’ is not enough anymore,” the legal expert explained. “Companies must tick all the boxes [explaining all the uses and why]; inactivity or non-protest is not enough, and the same applies to requests for data deletion or access to data collected and stored,” he noted. “Privacy notices need to be clearer, more specific and demand clear action from people to prove their intention of granting access […]. For most organizations this means a need to review all the forms [and policies regarding data collection].”
In his personal opinion, Salreta noted that the law changes and the consequent need to change internal policies within businesses and organizations “will possibly contribute [positively] to the collection of less data,” leading “data collectors” to “narrow down to the essential [data].”
Data breaches were also a topic addressed, whether caused by internal failures, mistakes or unlawful third-party activity. “In these situations, the GDPR sets a time limit of 72 hours in which organizations must submit a report to the supervising authorities,” a warning that must also be extended to the data subjects who may be affected by the breach; in that case, the law only states that this warning should be made “without undue delay.”
On the application of the GDPR outside the EU space, according to Salreta, “it is applicable to all companies ‘offering goods or services to the EU’,” a situation that may raise many doubts and questions.
As he explained in more detail, in order to see if a certain company or a website is likely to be under these rules we must ascertain its “intentions.”
“A website that is simply accessible by a global audience itself would not indicate the intention of offering goods and services to EU citizens, and on its own would not necessarily subject an organization or company to GDPR provisions,” he explained. However, other conditions do exist and they can be used to ascertain such intentions, such as, “the language or currency generally used in one or more member states, with the possibility of ordering goods or services, or the mentioning of customers who are in the union make it apparent that the controller [has the intention] of offering goods or services to such subjects,” he said. He added that this can also be done by providing options to interact with the website in the native language and currency [namely the euro], advertising to customers or users in member states, and making use of international phone lines or website addresses that include the identifiable acronyms or extensions of EU countries (.eu, .de, .es, etc.).
Data Protection regulations ‘fall short’
When addressing the Macau regulations on data protection currently enforced, José Felipe Salreta said, “the basic principles that brought the GDPR to life are also present in the Macau Personal Data Protection Act (PDPA), however since it has already [been enforced for] 15 years and to that we must add [another] 10 years since the directive from which it was inspired [was enforced], the PDPA still falls short regarding the new GDPR protections.” He added: “Largely it was born in the aftermath of the Chief Executive’s granting of gaming concessions for operating casinos and it’s inspired or at least largely transposes the data protection directive [of the European Union] of 1995 [through the Portuguese law].”
Still, as the legal expert mentioned, “it has the closest approach to EU data protection of any other country in Asia and it was also the first jurisdiction in Asia to adopt an EU style data protection law [in all its sections].”
Salreta also noted that legal provisions such as “consent” are “not existent” in the current local regulations, which also enforce “light penalties in terms of fines.”
One of the biggest challenges that Macau faces is the transfer of data outside the region. These cases need to be addressed by the Office for Personal Data Protection (GPDP) on a case-by-case basis. Local organizations are often forced to have their data processed by third-party companies and/or controllers located in other regions and countries, due to a lack of options and a market size that does not favor the establishment of such service providers locally.