Mainland China’s new law on personal data protection – which will take into effect on November 1 – is also applicable to entities and individuals in the Macau SAR, the Office for Personal Data Protection (GPDP) revealed today (Wednesday).
The Personal Information Protection Law (PIPL) lays out for the first time a comprehensive set of rules on data collection, processing and protection.
Under the law, personal information refers to all kinds of information relating to an identified or identifiable person, recorded electronically or by other means, excluding information that has been anonymised.
The law says that the handling of personal information must have a clear and reasonable purpose and should be limited to the “minimum scope necessary to achieve the goals of handling” data.
According to the GPDP, the new law is applicable outside the country’s borders and institutions or individuals in the Macau SAR must observe it when they process personal data within the country or process personal data outside the country – including Macau – for purposes of providing products or services to individuals within the country, in addition to exclusively personal or domestic matters.
‘The frequent personal, economic and commercial exchange between Macau and Mainland China entails the processing of large amounts of personal data. The GPDP calls on all institutions and individuals in Macau dealing with matters relating to Mainland China to closely monitor the application of the LPIP and strictly comply with the legal and legal provisions. requirements of the competent authorities in order to avoid being punished for violating the law,’ the department adds.
If institutions or individuals in the Macau SAR fail to keep up with the evolution of the times and do not pay attention to compliance with the Macau LPDP, or even try, in various ways, to evade the law, they will undoubtedly face, quite large legal risks, they have to take the right attitude and make improvements as soon as possible.
Infringing the country’s new law could incur a fine under RMB1 million, or in serious circumstances, a fine of less than RMB50 million or less than 5 per cent of the turnover value of the previous year.
The suspension of related activities or the exercise of activities could also be ordered, or the cancellation of the license or permit of related activities. Managers or other persons with direct responsibility could also be punished with a fine of less than RMB1 million.
Under the country’s new data protection law, sensitive personal information includes information on biometrics, religious beliefs, specific identities, medical and health care, financial accounts, whereabouts, and personal information of minors under the age of 14.
Under the law, when pushing information and commercial marketing to individuals via automated decision-making, personal information processors should provide options that don’t target personal characteristics at the same time or offer options to refuse.
The implementation of the law will provide a legal foundation for the protection of personal information for foreign firms’ operations in China, but could also limit cross-border transfer of such information, especially for data related to critical information infrastructure, due to national security implications.
After the PIPL comes into effect foreign firms in China will need to revise their privacy policies to fit the requirements of the new law.
Recently the Cyberspace Administration of China also launched investigations into large tech groups, including DiDi and Alibaba, citing needs to ‘prevent security risks to national data, safeguard national security and protect the public interest”.