Macau companies that handle personal data of mainland clients should consider having an agency or a representative in mainland China following the enactment of the Personal Information Protection Law (PIPL) across the border, legal expert José Filipe Salreta said.
In the last Breakfast Meeting of the year held by the France Macau Chamber of Commerce (FMCC), Mr Salreta, senior associate at MdME Lawyers, gave a talk on “The new Personal Information Protection Law and its effects to Macau SAR”, where he reviewed the law’s main points and implications, namely in what concerns the acts’s extraterritoriality and applicability to Macau and local firms in certain sectors.
The law, in effect since November 1, is applicable to activities outside the PRC deadline with personal information of natural persons of mainland China which fall in the scope of being for the purpose of providing services to domestic person, analyse and evaluate the person’s behaviour within the territory, among other circumstances.
“Due to the extraterritoriality of the law, I believe that companies in Macau whose operations fall into the scope of PIPL i could consider either set up an agency or appoint a representative within mainland China to handle matters related to personal data protection”, the MdME lawyer said while noting that the contact of the representative will need t be provided to the regulator – the Cyberspace Administration of China (CAC).
Mr Salreta also suggests Macau firms to obtain legitimate grounds to process data, respect data subjects’ rights and report data breaches.
A key point raised by the legal expert concerns the need for further clarification both by CAC and the local regulator – the Office for Personal Data Protection (GPDP) – with regards to the specific conditions under which data transfer can take place.
Macau’s GPDP has stated in November that they will launch a notification and optimization plan to helps SMEs better comply with PIPL provisions.
Meanwhile, Mr Salreta underlined that companies would welcome clarification by the regulators on matters such as whether Macau and Hong Kong can be under any kind of exclusion clause for data transfer abroad or if companies in the SARs will follow a specific type of CAC approved contracts or certifications.