TMT 2020 Comparisons

Last Updated February 21, 2020

Law and Practice

Authors



Rato, Ling, Lei & Cortés – Advogados (Lektou) is a Macau SAR-based law firm with more than 30 years’ experience of legal practice. Services regularly provided by the firm include issuing legal opinions and advising on Macau law, helping international companies start their businesses in Macau, and assisting in the reorganisation of economic groups with connections to Macau. In 2016, Lektou partnered with Zhong Yin Law Firm, in the People’s Republic of China, and Fongs, in Hong Kong, to open a new office in Hengqin Island, Zhuhai, PRC – ZLF Law Firm. This is the first law office to unite firms from the two Special Administrative Regions and Mainland China.  In 2017, Lektou opened an office in Lisbon, Portugal, as part of its internationalisation strategy to position itself as a legal player in the platform between the PRC and Portuguese-speaking countries. The firm's academic and professional approach, its update and specialisation, together with the experience of the lawyers of Lektou, will be key to answering the increasing demands of the firm’s clients worldwide.

There is currently no specific regulation on cloud computing in the Macau Special Administrative Region (MSAR). However, the processing of personal data in Macau is subject to the legal regime of the Personal Data Protection Act (Law No 8/2005, dated 22 August 2005, known as the PDPA), which defines personal data as “any information of any kind and regardless of the respective format, pertaining to an identified or identifiable natural person”. Sensitive personal data, on the other hand, is defined as “data related to philosophical or political beliefs, membership of a political or trade union association, religious belief, private life and racial or ethnic origin, health and sex life, including genetic data”. Specific stipulations relating to this legislation are indicated below (see 6 Key Data Protection Principles).

The PDPA

Under the PDPA, the processing of personal data is subject to key mandatory principles such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law and applicable legislation), collection limited to specific purposes, among others, and may only be carried out if the data subject has given their unequivocal consent, or if the processing is necessary for the purposes set out in the law.

Moreover, any processing of personal data, either wholly or partly executed by automatic means, must be notified in writing within eight days of the start of the processing to the Macau Office for Personal Data Protection (OPDP), without prejudice to the cases where prior authorisation must be sought.

When data is retrieved directly from the data subject, the person responsible for its processing or its representative must provide the data subject with the information set out in the PDPA, and the documents used to retrieve the personal data must contain such information. Also, in the case of data collection in open networks, the data subject must be informed that their personal data may circulate in the network without security, at the risk of being seen and used by unauthorised third parties.

Role of the OPDP

In the case of cloud computing, the data is likely to be stored in servers abroad – in the case of transfer of personal data to a destination outside Macau, the PDPA determines that such transfer can only take place if the provisions of said law are respected and if the destination's legal system ensures an adequate level of protection. Said analysis is made on a case-by-case basis by the OPDP.

The transfer to a legal system which does not ensure an adequate level of protection can be made by notification to the OPDP if the data subject has given their unequivocal consent for the transfer or when the transfer is necessary for the purposes set out in the law. It should be noted, however, that regarding sensitive data, as well as credit and solvency, the transfer cannot take place without previous authorisation by the OPDP – in this case, authorisation by the OPDP overrides the simple notification procedure and the former must be sought.

The RJSF

With regards to specific industries such as banking and finance, the Macau Financial System Legal Regime (Decree-Law No 32/93/M, dated 5 July 1993, known as the RJSF) stipulates that the members of the governing bodies of credit institutions, their workers, auditors, experts, agents and other persons who provide services to them, whether on a permanent or accidental basis, may not reveal or use, for their own or someone else's benefit, information on facts, knowledge of which has come to them from the exercise of their functions, and includes in the information subject to secrecy the names and other data relating to customers, deposit accounts and their movements, investment of funds and other banking transactions. Such duty of secrecy shall survive even after the functions referred to above have ended.

Risk and Liability

Blockchain technology is currently not regulated in Macau – therefore, the risks and liability when launching or using such technology will largely depend on the specific type of information concerned.

Intellectual Property

Intellectual property in Macau is governed by two main laws – the Industrial Property Legal Regime (Decree-Law No 97/99/M, dated 13 December 1999, known as the RJPI), which covers inventions, patents, industrial designs, trade marks, layout designs of integrated circuits, commercial names and designations, etc, and the Copyright Law (Decree-Law No 43/99/M, dated 16 August 1999, known as the Copyright Law), which protects original intellectual creations in the literary, scientific or artistic domains, inter alia, computer software.

With regards to intellectual property of blockchain technology, this would largely be covered in Macau under the general umbrella of the RJPI, under the patent of computer-implemented inventions. However, and unlike the grant rate of patent families relating to blockchain technology in Mainland China, there does not appear to be any such grant in Macau, which demonstrates the incipient character of such intellectual property in the MSAR.

Data Privacy

As indicated above, the inclusion of personal data in blockchain technology would conflict with the mandatory stipulations of the PDPA, the general principles of which determine, inter alia, that processing of personal data must strictly observe privacy rights and the rights, freedoms and guarantees set out in the Macau Basic Law), and that personal data must be:

  • processed lawfully and with respect for the principle of good faith and the general principles set out in the PDPA;
  • collected for specific, explicit and legitimate purposes directly related to the exercise of the activity of the controller, and not subsequently treated in a manner incompatible with those purposes;
  • adequate, relevant and not excessive in relation to the purposes for which it is being collected and subsequently treated;
  • accurate and, if necessary, updated, taking appropriate measures to ensure that inaccurate or incomplete data is erased or rectified, and taking into account the purposes for which it was collected or for which it is further processed; and
  • preserved in such a way as to allow the identification of its holders only for the period necessary for the purposes of the collection or further processing purposes.

Since blockchain is by design a public and verifiable ledger of transactions, the personal data included in such record would likely contravene the mandatory stipulations of the PDPA. While the authorisation of the data subject could potentially resolve the problem of the public availability of personal data, it does not solve the permanency and lack of specific purpose of the processing of such information.

Therefore, with regard to personal data in blockchain technology, the only possible solution would entail a specific legislative authorisation of the data to be used, as well as an authoritative opinion on the matter by the OPDP. Personal data used in blockchain technologies must, in any event, be kept to an absolute minimum, accompanied by the necessary unequivocal consent of the data subject (and mandatory notification/authorisation of the OPDP).

Service Levels

There is not enough information on the usage of blockchain technology in Macau to assess service levels.

Jurisdictional Issues

As per the above, blockchain technology is currently not regulated in Macau – therefore, the jurisdictional issues surrounding such technology will largely depend on the specific areas in which the information is used.

There is currently no specific legislation on the matters of big data, machine learning and artificial intelligence (AI) in the MSAR. However, the challenges presented by big data (ie, large amounts of data which include traditional enterprise/company data, machine-generated/sensor data and social data) touch upon the type of data being transferred and generally processed in several networks, on the one hand, and, on the other, the need to ensure that these networks are secure and compliant with cybersecurity legislation.

Compliance with the PDPA

One of the biggest challenges for entrepreneurs is therefore compliance with the PDPA with regard to the processing of personal data under mandatory principles such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law and applicable legislation), collection limited to specific purposes, among others, and the subjection of processing to the unequivocal consent of the data subject, or to the need for processing for the purposes set out in the PDPA. As big data necessarily includes large data sets which are often unorganised and may come from several jurisdictions with different personal data protection requirements, such challenge will force large corporations to have dedicated structures (such as chief data officers and ancillary teams or departments) to ensure that in the processing of data there is differentiation between general and personal data, and that such processing is done in accordance with applicable legislation and the security measures provided therein.

Macau Cybersecurity Law

In relation to the Macau Cybersecurity Law (Law No 13/2019, dated 24 June), which seeks to bolster the protection of computer systems regarding cyber-crimes and cybersecurity threats against public and private operators of critical infrastructures as defined in the law, the dedicated structures referred to in the previous paragraph will also need to comply with the general responsibilities and cybersecurity duties provided therein (namely, organisational duties; procedural, preventive and reactive duties; self-evaluation duties; and co-operation duties).

As previously indicated, there is currently no specific legislation regarding machine learning and AI. Although the PDPA includes the right of the data subject not to be subject to individual automated decisions, no further stipulations regulate the issue of automated decision-making. In this regard, and without prejudice to the principles and provisos of the law regarding personal data processing, it is incumbent on the local legislator to update the law so as to ensure that AI-driven decision-making is compatible with core legal principles such as transparency, accountability, legality, and protection of fundamental rights.

With regards to the internet of things (IoT) projects and the data circulating therein, the main piece of legislation which would restrict the scope of a project in such an area would be the PDPA and its regulations on personal data. The processing of personal data through any such device would necessarily have to comply with the applicable stipulations of the law, ie, it must be performed in a transparent manner and in strict observance of privacy rights and of the rights, freedoms and guarantees enshrined in the Macau Basic Law and in applicable legislation, and may only be carried out if the data subject has given their unequivocal consent, or if the processing is necessary for the purposes set out in the law.

Personal v Sensitive Data

It should also be underlined that the processing of personal data is subject to notification to the OPDP, which must be made in writing and within eight days of the start of processing. The processing of sensitive data, on the other hand, is generally forbidden, and can only take place if guarantees of non-discrimination and sufficient security measures (which include the general implementation by the data controller of appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, unauthorised alteration, dissemination or access, as well as special safety procedures set out in the law) are provided, and in the cases indicated in the law, which include obtaining the data subject’s explicit consent. It is also dependent on prior authorisation by the OPDP.

The IoT may also involve the transfer of personal data abroad – in this regard, the PDPA stipulates that the transfer of personal data to a destination outside Macau can only take place if the provisions of the PDPA are respected and if the destination's legal system ensures an adequate level of protection. Said analysis is made on a case-by-case basis by the OPDP. However, the transfer to a legal system which does not ensure an adequate level of protection can be made by notification to the OPDP if the data subject has given their unequivocal consent for the transfer or when the transfer is necessary for the purposes set out in the law.

Cybersecurity Law

Although the MSAR recently enacted the Cybersecurity Law (Law No 13/2019, dated 24 June), drafted to follow through with the MSAR Government Policy Address of 2016, which identified the lack of protection of computer systems regarding cyber-crimes and cybersecurity threats, this piece of legislation is still a framework law and does not set out any specific provision on interconnected devices, but only establishes the general structure of the cybersecurity system of the MSAR.

The cybersecurity system set out in the Cybersecurity Law therefore has an administrative nature with a preventive purpose and applies to public and private operators of critical infrastructures (eg the chief executive office, last instance court and prosecutor’s office, the support services to the LegCo, public services of the MSAR, etc as public operators of critical infrastructures; and companies with a public concession or in any way licensed, awarded or authorised in the following areas: water supply, banks, hospitals, fuel and food supply, energy and gas supply, public transportation, TV and radio, casinos, telecommunications, and commercial companies publicly wholly owned as private operators of critical infrastructures).

The Cybersecurity Law defines entities with a general nature (Permanent Commission for Cybersecurity/CPC, Alert and Response Centre for Cybersecurity Incidents/CARIC) and entities with a sectoral nature (public entities exercising supervision duties), and specifies their general responsibilities and cybersecurity duties (organisational duties; procedural, preventive and reactive duties; self-evaluation duties; and co-operation duties), in order to ensure the normal functioning of the networks and computer systems used by critical infrastructure operators and the integrity, confidentiality and availability of computer data in Macau. Therefore, the law does not include specific security measures, which should however be forthcoming and affect, inter alia, machine-to-machine communications, communications secrecy and data protection.

There are currently no specific stipulations on IT service agreements in Macau, without prejudice to the general stipulations regarding data in general (regulated and protected under the general civil and commercial regime, as indicated here) and the stipulations on personal data protection (set out in the PDPA).

In accordance with the Cybersecurity Law, which established the general structure of the cybersecurity system of the MSAR (as indicated in 4 Legal Considerations for Internet of Things Projects), the public and private operators of critical infrastructures defined in the law are subject to the general responsibilities and cybersecurity duties (organisational duties; procedural, preventive and reactive duties; self-evaluation duties; and co-operation duties) set out therein.

The organisational duties of private operators of critical infrastructures, within the scope of their organisation, are to:

  • create cybersecurity management units capable of implementing the respective internal protection measures;
  • provide cybersecurity management units with the appropriate human, financial, material and patrimonial means;
  • designate the main person responsible for cybersecurity and the respective substitute, from among individuals with the proper suitability and professional experience, and with habitual residence in the MSAR;
  • make sure that the principal responsible for cybersecurity and their replacement are permanently reachable by CARIC; and
  • establish complaints and denunciation mechanisms related to cybersecurity.

The duties of private operators of critical infrastructures, in terms of procedures and prevention and response to cybersecurity incidents, are to:

  • establish a cybersecurity management regime and respective internal operating procedures;
  • adopt, in accordance with the cybersecurity management regime and applicable technical standards, internal measures for protection, monitoring, alert and response to cybersecurity incidents;
  • inform CARIC of the occurrence of cybersecurity incidents and inform the respective supervisory entity of the fact, as well as immediately initiate actions to respond to serious incidents; and
  • monitor and record the health of the network.

The duties of private operators of critical infrastructures, regarding self-assessment and reporting, are to:

  • assess, by themselves or through specialised entities, the security and risks existing in their networks and systems; and
  • submit an annual cybersecurity report to the respective supervisory entity, mentioning, inter alia, any recorded incidents, the results of the assessment referred to in the previous paragraph and the improvement measures taken.

The duties of private operators of critical infrastructures, as well as their administrators, managers or representatives, with regard to collaboration with CARIC and supervisory entities are to:

  • allow the representatives of those services to enter their premises, provide them with access to their networks and provide them with the information they request, to the extent necessary to verify compliance with the procedural, preventive and reactive duties referred to above; and
  • provide the support and collaboration necessary to ensure the good management of cybersecurity.

Therefore, any IT service agreement entered into with a local organisation defined as a private operator of critical infrastructures under the Cybersecurity Law must encompass (and comply with) the duties and responsibilities set out above.

Furthermore, and should the IT service agreement touch upon personal data, it is likely that the local entity shall be either the data processor (understood as the natural or legal person, the public entity, the service or any other body that, individually or together with others, determines the purposes and means of processing of personal data under the PDPA) or a subcontractor (classified in the PDPA as the natural or legal person, the public entity, the service or any other body that processes personal data on behalf of the controller). Processing of personal data is defined by the PDPA as “any operation or set of operations performed upon personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

A Local Entity As Data Processor

Should the local entity be the data processor, then it shall be bound by the obligations set out in the PDPA as indicated above, inter alia, with regards to the need to obtain the unequivocal consent of the data subject and to provide all necessary information, as well as to ensure that the data controller implements the appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular, where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures must ensurea level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation.

A Subcontractor As Data Processor

Where processing of data is carried out on behalf of the data controller (be it by the local entity or otherwise), the data controller must choose a subcontractor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing of the data, and must ensure compliance with those measures. The processing by a subcontractor must be governed by a contract or legal act, binding the subcontractor to the data controller and stipulating in particular that the subcontractor shall act only on instructions from the data controller, and that the obligations set out in the PDPA regarding data security measures shall also be incumbent on the subcontractor. For the purposes of keeping proof, the parties to the contract or the legal act relating to data protection and the requirements relating to the data security measures must be in writing in a document with legally recognised probative value.

Core Rules Regarding Data Protection

Data protection regimes in Macau differ according to the data subject – as indicated above, personal data is regulated by the PDPA, which defines personal data as “any information of any kind and regardless of the respective format, pertaining to an identified or identifiable natural person”. The PDPA therefore only protects individual’s data as described therein, under the key mandatory principles such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law), collection limited to specific purposes, among others, and the requirement that the data subject must give their unequivocal consent, or that the processing is necessary for the purposes set out in the law.

Conversely, data in general shall be regulated and protected under the general civil and commercial regime, inter alia, under the unfair competition stipulations set out in the Macau Commercial Code (Decree-Law No 40/99/M, dated 3 August, known as the MComC), which determine that the disclosure or exploitation, without the authorisation of the holder, of industrial secrets or any other business secrets to which it has been given legitimate access, but with a duty of secrecy, or which it has accessed illegitimately, is considered unfair, namely as a result of any of the conduct provided for in the following article.

For the purposes of unfair competition stipulations, any technical or commercial information that has practical use and provides economic benefits to the holder, which is not publicly known, and for which the holder has taken appropriate security measures to guarantee its confidentiality, shall be considered a business secret.

Distinction Between Companies/Individuals

As previously indicated, companies cannot be the holders of personal data, only individuals – hence, data which pertains to companies (or commercial entrepreneurs, either natural or legal persons) shall be protected under the commercial regime, whereas personal data shall be regulated under the PDPA.

General Processing of Data

Without prejudice to the stipulations on unfair competition and on processing of personal data (as indicated in the paragraph below), there is currently no specific legislation in Macau on the processing of data in general.

Processing of Personal Data

As indicated earlier in this section, personal data protection in Macau is regulated by the PDPA, which defines the processing of personal data as “any operation or set of operations performed upon personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction” and subjects such processing to key mandatory principles such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law) and collection limited to specific purposes, among others.

The general rule for processing personal data under the PDPA is that it may only be carried out if the data subject (ie, the individual to whom the data being processed pertains) has given their unequivocal consent (any freely given, specific and informed indication of their will and acceptance of their personal data being processed) or if the processing is necessary for the:

  • execution of a contract or contracts in which the data subject is party, or for prior arrangements to the formation of the contract or declaration of negotiation, at the data subject’s request;
  • compliance with a legal obligation to which the controller is subject;
  • protection of the data subject’s vital interests, if they are physically or legally incapable of giving their consent;
  • execution of a public interest mission or when exercising powers of public authority in which the controller (or a third party to whom the data is transmitted) is invested; or
  • pursuit of the legitimate interests of the controller or third party to whom the data is transmitted, provided that the interests or rights, freedoms and guarantees of the data subject shall not prevail over these interests.

Any processing of personal data, either wholly or partly executed by automatic means, must be notified in writing within eight days of the start of the processing, to the OPDP.

The PDPA further forbids the processing of data deemed as sensitive, which includes data concerning political or philosophical beliefs, religious faith, trade union or political membership, racial or ethnic origin, and data concerning health or sex life, including genetic information. The processing of such data can only be made if guarantees of non-discrimination and sufficient security measures (indicated in the PDPA) are provided, and in the cases indicated in the law, which include obtaining the data subject’s explicit consent. Also, the processing of sensitive data cannot take place without previous authorisation by the OPDP, and the same goes for the processing of data regarding the credit and solvency of the concerned data subject.

With regard to sensitive data, the PDPA further demands that, aside from the general request for the implementation by the data controller of appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, unauthorised alteration, dissemination or access, the data controller must further employ special safety procedures, which include appropriate measures to safeguard personal data under the law, and to ensure that the respective system guarantees the logical separation of data on health and sex life, including genetic data, from other personal data.

Regarding the collection of personal data directly from the data subject, the latter has a right to information vis-à-vis the data controller or its representative, which must be contained in the document which serves as the basis for the collection of personal data, and which includes:

  • the identity of the data controller and, where necessary, of their representative;
  • the purposes of the data treatment;
  • other information, such as:
    1. the recipient or categories of recipients of the data provided;
    2. the compulsory or optional nature of the response, as well as the potential consequences of failure to reply;
    3. the existence and conditions of the right of access and rectification of data, to the extent that they are required, taking into account the specific circumstances of data collection, to ensure the data subject fair processing of the same.

The PDPA stipulates that the transfer of personal data to a destination outside Macau can only take place if the provisions of the PDPA are respected and if the destination's legal system ensures an adequate level of protection. Said analysis is made on a case-by-case basis by the OPDP. However, the transfer to a legal system which does not ensure an adequate level of protection can be made by notification to the OPDP if the data subject has given their unequivocal consent for the transfer or when the transfer is necessary for the purposes set out in the law (which include, inter alia, when the transfer is necessary for the execution of a contract between the data subject and the controller or prior arrangements to the formation of the contract, at the data subject’s request; or for conclusion of performance of a contract concluded in the interest of the data subject between the person responsible for the data processing and a third party).

As indicated in 6 Key Data Protection Principles, the processing of personal data is regulated by the PDPA, and it is subject to key mandatory principles such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law), collection limited to specific purposes, among others, and the requirement that it may only be carried out if the data subject has given their unequivocal consent, or if the processing is necessary for the purposes set out in the law.

With regards to company computer resources, although they are considered, prima facie, property of the company, whenever they involve the personal data of employees (by monitoring phone calls, emails, internet page views, video calls, etc), they also entail the collection and processing of personal data under the PDPA (understood as “any information of any kind and regardless of the respective format, pertaining to an identified or identifiable natural person”).

In this regard, any monitoring of employees or limiting of their use of company resources which may entail personal data processing will necessarily be restricted by the stipulations of the PDPA, inter alia, it will have to take place in a transparent and lawful manner, respecting private life and fundamental rights under the Macau Basic Law and the PDPA. The processing of personal data as per the above must therefore have a lawful purpose (ie, it must be necessary to guarantee the safety of employees or the good functioning of the company), it must take place in a lawful manner, with adequate and transparent means for the prosecution of its objectives and restricted retention of personal data (the OPDP suggests a period of three months, with a maximum limit of six), and a limited scope of action, restricted to the professional activities of employees.

Under the PDPA, as indicated, the unequivocal consent of the data subject must be sought, and the rights and guarantees set out in the law must be fully applied. Therefore, the data subject must be duly informed of the identity of the data controller and, where necessary, of their representative, of the purposes of the data treatment, and of other ancillary information set out in the PDPA. The data subject is also entitled to access their personal data as per the law, and may oppose the processing of their data in justifiable and legitimate cases.

For the avoidance of excessive and unjustified use of company tools for private purposes, and in light of the mandatory stipulations of the PDPA, as well as the opinion of the OPDP on this matter, the best approach to counteract such situation would therefore be the application of preventive tools (ie limitation of usage of certain programs and browsers by employees, the use of firewalls, etc) instead of post-factum monitoring of data, which would inevitably contravene the stipulations of personal data legislation.

The telecommunications sector in Macau is framed by Law No 14/2001, of 20 August (Telecommunications Act), which defines the basis of the telecommunications policy of the MSAR, as well as the general framework for the establishment, management and operation of telecommunications networks and the provision of telecommunications services. The provisions of said law do not, however, apply to television and sound broadcasting services, terrestrial or satellite,  which are subject to specific legislation. Telecommunications under the law is defined as the transmission, emission or reception of symbols, signs, writing, images, sounds or information of any nature by wire, radio, electricity or other electromagnetic systems. The law further determines that the establishment, management and operation of telecommunications networks and the provision of telecommunications services are in the public interest, and can only be pursued by public or private entities duly authorised to that effect under the terms of the applicable regulations.

The Law No 14/2001 also stipulates the objectives of such policy, which include:

  • to gradually liberalise the installation of public telecommunications networks and the provision of public-use telecommunications services;
  • to ensure access to telecommunications to the whole population, at reasonable tariffs and prices, in a non-discriminatory manner and in conditions of quality and efficiency that meet their needs, and also to economic and social activities;
  • to ensure the existence and availability of the universal telecommunications service;
  • to ensure equality and transparency of conditions of competition by promoting the diversification of services in order to increase supply and achieve quality standards compatible with the requirements of users; and
  • to ensure the interoperability of public telecommunications networks, as well as the portability of the customer number, among others.

It is incumbent upon the government to oversee and supervise telecommunications and the activities of telecommunications operators, without prejudice to the specific competencies of the Macau Post Office.

Interconnection of Public Telecommunications Networks

Furthermore, the Administrative Regulation No 15/2002, of 12 August, establishes the regime for the management and allocation of several telecommunications numbering resources, and the Administrative Regulation No 41/2004, of 22 December, establishes the regime of interconnection of public telecommunications networks. This interconnection is established in an environment of equal conditions of competition, in order to ensure that it is carried out in a timely and reasonable manner, ensuring in particular the inviolability and confidentiality of communications, the non-discrimination in the provision of interconnection, the interoperability of telecommunications services, and the integrity of telecommunications networks, installations and equipment assigned to the interconnection.

Licensing of Telecommunications Services

On the licensing of telecommunications services, the Administrative Regulation No 32/2000, of 11 September, defines the legal regime for provisional licensing of the activities of public network operators and the provision of telecommunications services for public land mobile use, up to a maximum of three licences, operating in certain frequency bands, and with the adoption of the concepts established by the International Telecommunication Union (ITU). The operation of public telecommunications networks and the provision of telecommunications services for public land mobile use are further defined by the Administrative Regulation No 7/2002, of 15 April, which establishes that said activities are subject to licensing. 

The allocation of licences is subject to a public tender, which can be limited with prior qualification, under the terms of the specific regulation of each tender, to be approved by executive order. The bidding regulation shall define the terms of the respective procedure, including any prior qualification, as well as the information set out in the law (which includes the amount and method of providing the provisional bond to guarantee the link assumed with the submission of applications and the obligations inherent to the tender, as well as the final bond). The licensed entities are further subject to the payment of:

  • fees for issuing and renewing the licence; and
  • annual operating fees, corresponding to a percentage of gross operating revenue from services provided under licensed activities, to be determined by order of the chief executive, to be published in the Official Bulletin.

The fees related to the use of the radio spectrum, on the other hand, are set out in Administrative Regulation No 8/2006, dated 12 June.

Voice-over-IP and Instant Messaging

On specific technologies such as voice-over-IP and instant messaging, the applicable legislation would be the Administrative Regulation No 24/2002, of 4 November, which subjects the provision of internet services to prior licensing, to be requested from the chief executive by filing an application with the Bureau of Telecommunications Regulation (DSRT) within the Macau Post Office, signed by a person with powers to bind the applicant, which respective signature and quality must be certified by a notary. The application must contain the following documents:

  • proof that the applicant is a commercial company duly incorporated in the MSAR, whose scope of business includes the provision of internet services;
  • proof that the applicant has the necessary technical capacity and experience adequate to the fulfilment of the obligations and further specifications of the licence the applicant proposes to obtain, having, namely, a body of qualified personnel for the development of the activity;
  • proof that the applicant has adequate financial and economic capacity;
  • proof that the applicant has updated and adequate accounting of the analysis required for the project they wish to develop;
  • a detailed proposal relating to the operation of the services, presented as a technical plan to be developed, that must contain, namely, the configuration of the technological systems to be used, with reference to access methods and the necessary equipment, as well as planning of the development of the systems and services;
  • an economical and financial plan that includes the price system to be adopted;
  • the applicant’s organisational structure, including the identities and resumes of its main responsible personnel, as well as, where possible, financial statements and audit reports in relation to the accounts of the prior three fiscal years; and
  • any other elements that the applicant deems relevant for a decision on its request.

The licence shall specify the applicable fees and their respective payment period. Namely, the provider is subject to licence issuance and renewal rates of MOP2,000, and to an annual operating fee of MOP1,000 from the year after the licence is issued, to be paid during the month of January each year. These fees do not exempt the service provider from the payment of other fees and taxes that are legally owed.

It should be noted, however, that the use of such technologies through internet connection by existing, duly licensed telecommunications entities should not  require any further licensing, without prejudice to the applicable telecoms rules.

RFID Tags

Regarding RFID tags, the Decree-Law No 18/83/M, dated 12 March, subjects the possession of a radio transmitting, receiving or transmitting/receiving radio equipment, as well as the establishment or use of a radio station or network, to prior government authorisation. However, exceptions to this rule are reduced radio equipment power and short range, included in categories set out in the Chief Executive Order No 198/2014, dated 14 July, as well as the receivers of the radio and television broadcasting service. Therefore, RFID tags in the 13.553–13.567 MHz and 920–925 MHz frequency bands, with a maximum equivalent isotropically radiated power (PIRE) of 1 W, are exempt from prior government authorisation.

Broadcasting in the MSAR is framed by Law No 8/89/M, of 4 September, which establishes the legal regime for radio and television broadcasting, with the purposes set out therein. Television broadcasting is defined as a public service and is exercised under a concession contract, whereas the activity of sound broadcasting is subject to the licensing regime, the exercise of which depends on the attribution of a licence. Both awards are normally preceded by a public tender. 

Radio Broadcasting Concessions

In accordance with Law No 8/89/M, the broadcast of sound/radio is subject to the granting of a licence to operate in the radio-electric public domain spectrum of the MSAR. Sound broadcast radios may be held in the following bands:

  • hectometric waves (medium), modulated amplitude: band between 526.5 kHz and 1606.5 kHz;
  • metric waves (very short), modulated frequency: band between 87 MHz and 108 MHz.

In accordance with the Law No 8/89/M, the chief executive may also allocate other frequency bands of the broadcasting service which are already available or which, as a consequence of technological development, have been added to the International Frequency Allocation Plan. It appears that, to date, no such other frequencies have been included in regulation.

Regarding the administrative procedures related to radio communication services, Decree-Law No 48/86/M, of 3 November, establishes the rules by which said administrative procedures shall be governed, in particular with regards to:

  • the concession, installation and operation of radio communications networks or stations;
  • radio operators;
  • the approval of radio communications equipment; and
  • the commercialisation of radio communications equipment.

The granting of permits for the activity of radio broadcasting is preceded by a public tender, except when ponderous and duly justified reasons advise a direct award. The radio broadcasting activity can be carried out by any legal person that has its headquarters in Macau and offers guarantees of suitability, technical qualification and financial capacity. The Social Communication Office (Gabinete de Comunicação Social) is the competent entity that organises the processes related to the granting of permits, and an application for a permit must be accompanied by the following elements:

  • justification note of the request;
  • demonstration of the economic and financial viability of the project;
  • detailed description of the activity to be carried out, with emphasis on the broadcasting time and the schedule map;
  • design of the facilities, including equipment, antennas and studios; and
  • statutes of the applicant.

The permit is valid for five years and can be renewed, for equal periods of time, at the request of the respective holder. The attribution and transmission of permits, as well as the respective alterations, renewals or substitutions, in case of loss or unusability, are subject to the payment of fees, determined in the General Table of Fees and Fines Applicable to Radio Services approved by the Administrative Regulation No 16/2010, dated 12 July.

Television Broadcasting Concessions

As with radio broadcasting, the granting of television broadcasting concessions is also preceded by a competitive bidding process, except when weighted and duly justified reasons advise direct concession. Television broadcasting activity can be granted to any legal person that is incorporated in corporate form and has its headquarters in Macau, for the purpose of exercising the activity to be granted, and offers guarantees of suitability, technical qualification and financial capacity.

The television broadcasting concession contract may authorise the concessionaires to carry out other complementary activities related to the main activity, by themselves or in association with other entities, namely those indicated by law, and in exceptional cases, concessionaires may be legal persons of public law or public utility.

Television broadcasting concessions must have a fixed term, to be determined according to the business plan to be developed and the time necessary for the amortisation of the capital invested by the concessionaires, and sub-concession is not allowed. Concessionaires are obliged to fulfil the duties indicated in the law, namely, they are obliged to make the necessary investments to guarantee full coverage, in good technical conditions, of the areas of Macau that are defined in the concession contract, which must establish the amount of investment to be made, the plan and the overall timetable for its implementation.

For the concession, a fee is due, to be determined in the respective contract, without prejudice to any initial grace period established in the contract. Concession contracts may also establish forms of remuneration other than payment in cash, namely, the use of issuance time by grantor.

Furthermore, the licensing regime for satellite television broadcasting activity is regulated by Decree-Law 3/98/M, dated 19 January, with regard to:

  • installation and operation of satellite television broadcasting telecommunications systems; and
  • provision of satellite television broadcasting telecommunications services.

A licence for the installation and operation of the system or for the provision of telecommunications services for satellite television broadcasting may be requested by telecommunications companies with headquarters and place of effective management in Macau, and which demonstrate technical suitability and adequate economic and financial capacity. The licence is requested through the Macau Post Office, which is the competent entity to organise and instruct the licensing process and analyse the request, and it is assigned by order of the chief executive, who sets out, on a case-by-case basis, the terms and conditions for exercising the activity.

The holder of a licence to exercise the activity of satellite television broadcasting is subject to payment, to the Macau Post Office, of the following fees:

  • installation and operation of the system: from MOP100,000–1,000,000, depending on the complexity and purpose of the system;
  • provision of the service: MOP100,000 for each broadcast programme; and
  • an annual operating fee, corresponding to 3% of the respective gross operating revenues from licensed systems or services and subsidiary activities.

Online Video Channels

Online video channels such as YouTube would fall under the scope of Administrative Regulation No 24/2002, of 4 November, which subjects the provision of internet services to prior licensing – however, as indicated here, the use of such technologies through internet connection by existing, duly licensed telecommunications entities should not require any further licensing, without prejudice to the applicable telecoms rules.

No specific legislation on encryption currently exists in Macau – however, concerning sensitive personal data (see 1 Cloud Computing for definition), the PDPA mandates that, aside from the general request for the implementation by the data controller of appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, unauthorised alteration, dissemination or access, the data controller must further employ special safety procedures, which include appropriate measures to:

  • prevent unauthorised access to the premises used for the processing of such data;
  • prevent data media from being read, copied, altered or removed by an unauthorised person;
  • prevent unauthorised entry and unauthorised disclosure, alteration or deletion of entered personal data;
  • prevent automated data processing systems from being used by unauthorised persons through data transmission facilities;
  • ensure that authorised persons can only access the data covered by the authorisation;
  • ensure the verification of entities to whom personal data may be transmitted through data transmission facilities;
  • ensure that there is a posteriori, within a period appropriate to the nature of the treatment (to be laid down by regulation applicable to each sector), knowledge of what personal data is introduced when and by whom; and
  • prevent the data from being read, copied, altered or deleted in an unauthorised manner during the transmission of personal data and during the transportation of its medium (ie, written on paper of stored in electronic form).

Aside from the security measures laid out above, the OPDP may determine that, in cases where the circulation of sensitive personal data in a network may jeopardise the rights, freedoms and guarantees of the respective holders, the transmission shall be encrypted.

Furthermore, the regulation on technical specifications related to the guarantee levels of user account systems (Chief Executive Order No 300/2018, dated 27 December), establishes the specifications applicable, within the scope of a user account system, to the various procedures that organise and allow verification, by electronic means, of the user's identity. These technical specifications cover the following subjects:

  • indication of the groups of elements of a user account system;
  • indication of the guarantee levels of the groups of elements and the means of electronic identification;
  • definition of the processes to be performed in each group of elements; and
  • criteria and guidelines for achieving guarantee levels in each process.

The only reference in the specifications to data encryption concerns the processes and measures included in the authentication phase (in particular when using electronic identification means for authentication), which may include, inter alia, the use of authentication mechanisms and protocols that do not include passwords in communications on the network or, in exceptional circumstances, when it is necessary to authenticate on the network, encrypt data before sending, and use encrypted sessions. In any event, the use of encryption does not exempt an organisation from the applicable rules.

Rato, Ling, Lei & Cortés - Advogados (Lektou)

Avenida da Amizade, 555 – Macau
Landmark Office Tower
23rd Floor
Macau SAR

+85387975607

+85328562322

mail@lektou.com www.lektou.com
Author Business Card

Law and Practice in Macau

Authors



Rato, Ling, Lei & Cortés – Advogados (Lektou) is a Macau SAR-based law firm with more than 30 years’ experience of legal practice. Services regularly provided by the firm include issuing legal opinions and advising on Macau law, helping international companies start their businesses in Macau, and assisting in the reorganisation of economic groups with connections to Macau. In 2016, Lektou partnered with Zhong Yin Law Firm, in the People’s Republic of China, and Fongs, in Hong Kong, to open a new office in Hengqin Island, Zhuhai, PRC – ZLF Law Firm. This is the first law office to unite firms from the two Special Administrative Regions and Mainland China.  In 2017, Lektou opened an office in Lisbon, Portugal, as part of its internationalisation strategy to position itself as a legal player in the platform between the PRC and Portuguese-speaking countries. The firm's academic and professional approach, its update and specialisation, together with the experience of the lawyers of Lektou, will be key to answering the increasing demands of the firm’s clients worldwide.