New data privacy laws coming into effect across Asia, including in mainland China, in the coming months will require careful navigation by the region’s IR operators.
Data has become the new reserve currency for IR operators. The value of capturing extensive information about customers has become critical to overall business performance. The surge in digital activities, from Alipay and WeChat mini-program marketing, to cashless payments, digital reservations and geolocation Wi-Fi log-ins, allows for a huge increase in data collection from new data streams that can help to inform business decisions and improve efficiencies across the IR landscape.
In a service-orientated industry, customer experience and service delivery benefit enormously from equipping front line staff with information on customers’ personal preferences in order to deliver a personalized experience. Equally, back-end CRM management that deploys sophisticated AI and data analytics tools can orchestrate a marketing communications strategy with superior engagement and ROI outcomes.
Data, therefore, has become mission critical for informing decisions throughout the IR business, from inventory management to staffing and marketing strategies. Consequently, the scope of data collection and processing has reached new levels. The majority of this data concerns personal information of customers, visitors and employees, which triggers the requirements of national personal data and privacy laws.
Given the nature of the IR industry, patrons’ personal information has always been considered especially sensitive. Now, new categories of high-risk data are subject to collection, including data generated from digital payment transactions – and prospectively cashless gaming transactions in future – as well as health code tools, such as COVID-19 tracing apps, vaccine passports and test results. With the increased volume and sensitivity of the information captured, data privacy compliance has become a critical business requirement applicable to the vast majority of IR business operations.
INCREASING PRIVACY REGULATION AND ENFORCEMENT
At the same time, the legislation of data privacy has continued to evolve, and regulators in the region have become ever-more active in enacting and enforcing new data privacy laws for the collection and use of personal information. Some of these new provisions have extra-territorial effect, meaning that operators who collect personal information from overseas customers will need to comply with the requirements of the law in the customers’ home jurisdiction in certain circumstances.
CHINA’S NEW PERSONAL INFORMATION PROTECTION LAW
Until recently, China did not have a dedicated overarching personal information law, relying instead on a myriad of sector-specific regulations that addressed standards for personal data processing in certain industries.
In August this year, the Chinese Government passed its new law on personal data protection that will take effect on 1 November 2021. The new Personal Information Protection Law will impact the activities of companies that handle the personal information of Chinese residents – even where the companies are located overseas, or in Macau or Hong Kong. The law, therefore, is not restricted to entities located within mainland China. In fact, overseas businesses that process personal information outside of mainland China will be required to set up an agency or appoint a designated representative within China to handle matters related to personal information protection, and record it with the Chinese authorities. The law also imposes restrictions on cross-border transfers of personal information from mainland China to overseas locations, including Macau and Hong Kong. Certain requirements, such as additional security assessments, protection certifications, contracts or risk assessments, must be fulfilled prior to overseas transfers of data to these locations.
Given that mainland Chinese customers constitute the largest market segment for Macau IR operators, the effect of the new Chinese Personal Information Protection Law on business operations will need to be closely assessed ahead of the effective date on 1 November. In particular, the procedures for collection of personal information through in-market apps, WeChat official accounts and mini-programs, websites and any subsequent overseas transfer to Macau appear a priority for review.
The penalties for infringing the new law are high, including fines of up to RMB 50 million (US$7.7 million) or 5% of the company’s annual turnover for serious offences. Although enforcement of the new law is untested, the Chinese authorities have recently taken an assertive stance on data privacy violations in the technology sector. The Cyberspace Administration of China, the Chinese internet watchdog, found 84 online apps had infringed personal information through over-collection and excessive use in May 2021 and required those operators to rectify their processes within 15 days.
More recently in July 2021, Didi, the ride sharing app, was suspended from app stores in China for breaching data collection and use rules.
The potential fines and impact on operations are evident for businesses that fail to comply with Chinese data privacy law requirements.
JAPAN STRENGTHENS PRIVACY LAW REQUIREMENTS
Similarly, Japan has passed amendments to its personal information law that expand the extraterritorial effect of the law to all overseas companies that handle personal information of Japanese citizens, as well as pseudonymously and anonymously processed information, in certain circumstances. The amendments to the Act on the Protection of Personal Information will come into effect on 1 April 2022 and operators with Japan-focused teams will need to determine if they are affected and need to overhaul processes to comply with the updated Japanese law before the operative date.
MACAU DATA PRIVACY ENFORCEMENT
Meanwhile, in Macau recent developments have seen a determined approach by the authorities towards data privacy investigations and enforcement against infringers. In 2020, the Macau Data Protection Office levied fines totaling MOP$12 million (US$1.5 million) against companies for illegal telemarketing activities and use of personal data, and failure to secure the individuals’ consent for use of their data.
The Macau Personal Data Protection Act also enshrines a number of rights for individuals over their personal data, including the right to access, rectify, erase or block the processing of their data in some cases. As individuals’ consciousness of their rights has increased in recent times with a growing awareness of the value of their personal data and need for protection against exploitation, the number of data access, rectification and deletion requests has increased. In view of the potential number of data subjects involved and the volume of data from multiple contact points, the exercise of responding to individuals’ data requests within a reasonable time, as required under the Macau Personal Data Protection Act, demands significant dedicated resources for it to be handled effectively.
When the potential effect of overseas data privacy laws, such as the new Chinese Personal Information Protection Law, that have similar rights of access, rectification and deletion for data subjects is factored in, the volume of prospective data subject requests may rise exponentially and appear overwhelming without additional assistance and manpower.
Macau law also requires that personal data is deleted once the purpose for collection has been completed. With the infinite number of new data streams captured, it is a sizable task to determine and document the retention period for all types and categories of personal data collected, and ensure that all copies of personal data are deleted across the IT systems and on back-up servers once the retention period expires.
In addition, regulation was introduced in 2019 in Macau for gaming-specific data that requires the Macau Gaming Regulator’s prior authorization for the overseas transfer of any gaming-related data (such as betting amounts, bet placements, chip purchase and redemption), which may also include patrons’ personal data (name, nationality). IR operators also have a special duty to implement cyber security management systems and procedures, including to report cybersecurity incidents and potential data breaches to the authorities, under the 2019 Macau Cybersecurity Law as private critical infrastructure operators.
SOLUTIONS FOR THE CHALLENGE
The dramatic rise in the collection and use of data has not generally been matched with a proportionate expansion of the in-house data privacy team, despite the critical nature of data privacy compliance to IR business continuity. To tackle the ever-increasing complexity of the work, new privacy tech management tools have emerged that can support privacy teams to streamline and operationalize privacy management processes. By implementing privacy management software, data can be catalogued on a structured platform and a central map of all personal data stored and used across the business can be created to monitor activities, investigate potential breaches, update records and delete data after fulfilment.
For IRs, a core challenge to date has been the fragmented nature of data ownership across business teams which may hold a slew of separate databases or data sources that operate on various IT systems. A centralized privacy management platform can provide the visibility, automation and record keeping needed to comply with the various national data privacy laws and regulations that apply. Additionally, privacy tools can be incorporated which automate fulfilment of data subject access requests, data discovery and redaction processes, allowing privacy teams to focus on more strategic privacy issues and tasks.
“Privacy management platforms are critical tools for large organizations, like integrated resort operators, which have numerous data streams from different sources,” according to Rob Hinson, Greater China Manager of OneTrust, the most widely-used privacy platform.
“These often involve personal data of customers across a variety of jurisdictions, which can simultaneously subject the organization to multiple national data privacy laws. In an ever-changing regulatory landscape, having a tool to manage these obligations – while remaining up to date with the latest regulatory changes – becomes paramount.”
FUTURE OF PRIVACY MANAGEMENT
The adoption of privacy management software and tools can assist with streamlining data privacy management, but selection of the modules and tools must be tailored to the business’s specific data streams, processes and applicable privacy law jurisdictions. Equally, the effectiveness of privacy tech solutions relies on an understanding of privacy issues by employees – not only those in the privacy team but staff throughout the business that have contact with personal data in their roles. Employee training on new data privacy protocols and data management, triggered by the new data privacy law requirements, is also vital so that operators can demonstrate effective implementation of data protection procedures and compliance.
In fact, as customers become increasingly sensitive to personal data use and exploitation, operators can use their approach to personal data management to build a trusted reputation with customers and differentiate themselves from competitors. By providing transparent and user-centric privacy management tools that allow customers to take control and permit use only for genuinely agreed purposes, operators can demonstrate their commitment to respecting the privacy rights of users and putting the customers’ preferences first.