Contributed By Rato, Ling, Lei & Cortés - Advogados
Data privacy and personal data protection are two rights enshrined by the Macau Special Administrative Region (Macau SAR/MSAR) legal framework, which covers these two separate but related rights in a systematic and extensive manner.
The most relevant pieces of legislation addressing data protection and data privacy issues in Macau are:
The last of these is an ordinance inspired by the European legislation on data protection, namely the European Union Data Protection Directive of 1995, and sets the legal framework for the protection of personal data in Macau SAR.
Other legislation affecting this area that should be noted includes:
Following the international trend for amendments and updates of legal frameworks on data protection matters, as well as the continued domestic and international interest in the area , it is also expected, that the Macau DPA may soon be amended to better deal with the implications and challenges of the digital age.
The GPDP is the government entity responsible and accountable for monitoring and enforcing compliance with DPA provisions, and for establishing an adequate confidentiality system and monitoring its enforcement.
There are two different types of administrative process: notification and authorisation.
Under the DPA, the data controller, or his or her representative, if any, must notify the public authority in writing within eight days after the start of carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.
The public authority may authorise the simplification of, or exemption from, notification for particular categories of processing which are unlikely, taking account of the data to be processed, to adversely affect the rights and freedoms of the data subjects. In allowing this simplification or exemption, the authority will also consider the speed, economy and efficiency of the relevant processing.
The authorisation of simplification shall be published in the Official Gazette of the Macau SAR and must specify the purposes of the processing, the data or category of data to be processed; the category or categories of data subjects; the recipients, or categories of recipients, to whom the data may be disclosed; and the length of time the data is to be stored.
There are exemptions from notification, such as those for processing whose sole purpose is the keeping of a register which according to laws or administrative regulations is intended to provide information to the public and which is open to consultation by the public in general or by any person demonstrating a legitimate interest.
Processing of data deemed as sensitive –– which includes data concerning political or philosophical beliefs, religious faith, trade union or political membership, racial or ethnic origin, and data concerning health or sex life, including genetic information – is subject to authorisation and can only be made if guarantees of non-discrimination and sufficient security measures (indicated in the DPA) are provided; and, in the cases indicated in the law, which include the obtainment of the data subject’s explicit consent. The same applies to processing of data relating to the credit and solvency of the concerned subject.
Applications for opinions, authorisations and notifications submitted to the GPDP shall include the following information:
The DPA is strongly influenced by EU rules, which have long been considered the gold standard in data protection law, being in its scope quite similar to the laws of EU jurisdictions, particularly Portugal (which administered Macau until 1999). The law in force in this area is very similar to the one in force in Portugal until 2018, when the GDPR was enacted.
This issue does not arises in the Macau SAR jurisdiction.
As previously described, Macau SAR’s legal framework is strongly inspired by EU legislation and therefore utilises the same approach as other EU-influenced legal frameworks. In terms of enforcement, two different phases have been known since DPA was enacted.
Firstly, despite enactment, Macau authorities were not proactive in terms of assessing data protection compliance. The legal framework was already in place but neither Macau authorities nor the general population were sensitive in relation to the treatment and processing of personal data and to personal data protection. In the second and more recent stage, despite no changes in the existing legal framework taking place, the approach of the Macau authorities has altered and, consequently, local government has become very proactive in terms of data protection rights.
There have been no changes in the existing legal framework in the past 12 months.
Notwithstanding the silence of the Macau legislature, it seems that the GPDP may change from its current status to a more powerful entity within the Macau SAR government. Since its establishment, the GPDP has existed as a project office. However, it is often suggested that it may change to a commission, similar to those which exists to fight corruption or conduct audits, or even to an independent public bureau with administrative autonomy.
Data Protection Officers
The existing legal framework – including the GPDP guidelines – does not require the appointment of privacy or data protection officers. If private entities decide to create this position, they may freely proceed with their own rules.
Internal/External Privacy Policies
Under Article 15 of the DPA, the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Some of the major companies operating in Macau SAR – eg, gaming operators, banking and insurance institutions and concessionaires of public services, such as electricity or communications – are required by the GPDP to put in place data protection policies.
Requirement to Allow Data Subject Access to Data, etc
Access to data
The DPA assures the right of the data subject to information regarding the identity of the data controller or its representative, the purposes of processing and other ancillary information (Article 10 of the DPA), as well as the right of access to all his or her data (Article 11 of the DPA).
Correction and deletion
The right of access includes the right to rectify, delete or block data whose processing does not comply with the DPA, including in regard to the incomplete or inexact character of that data (Article 11, paragraph 1, subparagraph 4 of the DPA).
Objection to processing
The data subject has the right to object at any time, where lawful and serious reasons relating to his or her specific case obtain, to his or her data being the subject of processing, in which case, under that justified objection, the processing shall not concern such data (Article 12, paragraph 1 of the DPA).
Objection to marketing
The data subject also has the right to object, on request and free of charge, to the processing of personal data concerning him or her for direct marketing or any other form of commercial prospecting, and also has the right to be previously informed of any transfer of data to third parties for the purposes of direct marketing or use by third parties, as well as the right to object, free of charge, to that transfer or use (Article 12, paragraph 2 of the DPA).
Use of Data Pursuant to Anonymisation
As described above, the data subject is entitled to refuse his or her own data being processed and/or marketed by the entities collecting his or her personal data.
The Concept of “Injury” or “Harm” in Data Protection Law
“Injury” or “harm” concepts shall be relevant for compensation purposes as, under standard liability rules, those suffering injuries and/or harms caused by third parties may be entitled to receive compensation for the losses or harms suffered. For the breach of DPA provisions it shall not be mandatory to suffer the said losses or harms. Data processors using personal data without the consent of the data subject will be in immediate breach of the law regardless of the extent (or lack thereof) of the harms or injuries caused to the subject and, therefore, may be liable for such conduct.
The concept of “sensitive data” is defined under Article 7 of the DPA, which prohibits the processing of personal data concerning political or philosophical beliefs, political or trade union membership, religious faith, private life, racial or ethnic origin, as well as the processing of data concerning a data subject's health and sex life, including genetic information, with the exceptions foreseen by the DPA.
Under the DPA, data shall be collected for specific, determined and lawful purposes which must be directly related to the activity of the data controller, and cannot be subsequently processed in a way that is incompatible with those purposes (Article 5, paragraph 1, and subparagraph 2 of the DPA). Again, the processing of personal data may only be carried out if the data subject has given his or her unequivocal consent, or if the processing is necessary to the cases referred to in Article 6 of the DPA. Hence, if the entity has declared marketing communications as one of the purposes of processing, and if the data subject has given his or her consent to such a purpose, such processing is lawful under the DPA. Marketing communication includes any means of marketing a certain product or service, namely via voice communications, SMS, email, etc.
Macau citizens under the age of 18 do not have the capacity to provide the express consent required by the DPA. Minors may be represented by parents provided that the data is not to be used for illegal purposes. Ultimately the minor can be represented by the Public Prosecutor's Office if any disputes arise from the consent provided by one or both of the parents.
Video and Television
The DPA applies to video surveillance and to other means of capturing, processing and disseminating sounds and images capable of identifying individuals, whenever the controller is domiciled or headquartered in MSAR, or uses a provider of access to computer and telematics networks established there (Article 3, paragraph 3 of the DPA).
No other specific stipulations exist for video surveillance, apart from Law No 2/2012 which establishes the legal framework of video surveillance in public spaces by the security forces and services of the MSAR.
As the use of CCTV is a separate processing of data, it shall require a separate notification to the GPDP under the law.
Under the DPA, the processing of data can only take place if the data subject has given his or her unequivocal consent to the transfer, or if that transfer is necessary under the cases provided by law.
As the consent of the data subject is not feasible in such situations, the DPA also allows for the processing of data if such processing is necessary for pursuing the legitimate interests of the data controller or the third party to whom the data is communicated, insofar as the interests, rights, freedoms and guarantees of the data subject do not prevail.
Social Media, Search Engines, Large Online Platforms
There are no specific provisions for social media, search engines and large online platforms under the Macau legal framework. Two of the general data protection and privacy issues that might affect them are discussed below.
Right to be forgotten (or of erasure)
There is no such specific right under the Macau legal framework. Nevertheless, data shall be kept in a way which allows the identification of its owner only for the duration necessary for the purposes of collection or subsequent processing (Article 5, paragraph 1, subparagraph 5 of the DPA). This means that retention time shall not be unlimited but restricted to the scope of collection. In a certain manner it may qualify as a right similar to the “right to be forgotten”.
Hate speech, disinformation, abusive material, political manipulation
These type of matters are treated under the Macau legal framework but are not dealt with specifically by the DPA or by similar legislation. These matters are addressed by the Macau Criminal Code under which such conduct may be considered a criminal offence and subject to pecuniary or imprisonment penalties.
Other Key Examples
Financial data – the processing of data regarding credit and solvency is subject to the authorisation of the OPDP using the same process as is employed for sensitive data.
Health data – this is considered sensitive data and subject to authorisation.
The internet – privacy policies are not required but consent shall be given by the owner of the data.
Behavioural advertising – consent is required.
The data subject has the right to object, on request and free of charge, to the processing of personal data concerning him or her for direct marketing or any other form of commercial prospecting, and also has the right to be previously informed of any transfer of data to third parties for the purposes of direct marketing or use by third parties, as well as the right to object, free of charge, to such transfer or use (Article 12, paragraph 2 of the DPA).
Online advertisements using, for instance, the data subject's personal email, without the prior express consent of the data subject, may be subject to administrative offence procedures and to the payment of a fee.
Any advertisement using email accounts obtained without the consent of the data subject may be subject to administrative offence procedures.
There are no special laws or considerations regarding workplace privacy in Macau SAR. The general data protection laws are applicable to this specific matter.
In order to start proceedings on alleged violations, the regulator must first take into account the actions of the alleged infringers, including the type of action and the intention of the agent, under the general administrative standards.
Non-compliance with the special security measures set out in Article 16 of the DPA, for sensitive data processing and for the creation and maintenance of records regarding suspicion of illegal activity, criminal offences and administrative offences, is an administrative offence which may entail a fine between MOP4,000 and MOP40,000.
Although the DPA provides penalties for undue access, as well as for tampering or destruction of personal data, it does not specifically provide for security breaches by the data controller. It should be noted, however, that the DPA mandates that the data controller shall present the notification/authorisation request with a general description of the security measures indicated above, so that the GPDP may evaluate the adequacy of such measures. If the GPDP notifies the above-mentioned entity to address any insufficiency in the security measures and no remedy is taken, then a fine of between MOP2,000 and MOP20,000 for individuals and of between MOP10,000 and MOP100,000 for legal persons may be imposed. Other potential enforcement penalties are outlined below.
Non-compliance with notification of data processing in breach of the terms set out in Article 23 of the DPA, providing false information after notification by the GPDP and maintaining access to open data transmission networks for data controllers which do not comply with the provisions of the DPA are all punishable by administrative sanction. This will take the form of a fine between MOP2,000 and MOP20,000 for individuals and of between MOP10,000 and MOP100,000 for legal persons; the fines are increased to twice the amount indicated above if the data is subject to previous authorisation.
Non-compliance with stipulations of the DPA regarding:
Administrative sanction: a fine between MOP4,000 and MOP40,000.
Non-compliance with stipulations of the DPA regarding:
Administrative sanction: a fine between MOP8,000 and MOP80,000.
Non-compliance with stipulations of the DPA regarding:
Criminal sanction: imprisonment up to one year or a fine up to 120 days. The sanction is increased to twice the duration indicated above if the data involved is sensitive (Article 7 of the DPA) or suspicions of illegal activities, criminal offences and administrative offences (Article 8 of the DPA).
Access in any way to personal data whose access is forbidden to said individual/entity. The sanction is increased to twice the duration indicated when access:
Criminal sanction: imprisonment up to one year or a fine up to 120 days, unless otherwise provided by special law. The sanction is increased to twice the duration indicated in the cases provided.
Deletion, destruction, damaging, suppression or modification of personal data without proper authorisation, rendering the data unusable or affecting its ability to be used is punishable with a criminal sanction: imprisonment up to two years or a fine up to 240 days, unless otherwise provided by special law. The sanction is increased to twice the duration indicated if the damage resulting therefrom is particularly serious. If the agent acts with negligence, the sanction is, in both of the cases provided above, imprisonment for up to one year or a fine up to 120 days.
Qualified disobedience regarding notification to interrupt, cease or block the processing of personal data, or in cases of:
Criminal sanction: imprisonment for up to two years or a fine up to 240 days.
The general rules of the Macau Civil Code and the Macau Civil Procedure Code also apply for alleged privacy or data protection violations.
The Criminal Code and the Criminal Procedure Code are the two relevant laws in relation to access to data for law enforcement agencies. In both, access to data access is subject to approval by a court judge.
As noted above, in 3.1 Laws and Standards for Access to Data for Serious Crimes, the Criminal Code and the Criminal Procedure Code are the two relevant laws in relation to access to data for crimes. In both, access to data is subject to approval by a court judge.
This issue does not arise in the Macau SAR jurisdiction.
The most discussed privacy issues in Macau are mostly related to the widely expected change to the status of the GPDP. The importance and visibility of data protection matters in Macau civil society, as well as the public authorities' commitment to addressing these issues, would justify granting the GPDP the status (as well as the relevant powers ) of a Committee similar to the ones existing for corruption and public audit matters. Another topic of discussion is the publication of the list of jurisdictions that ensure an adequate level of data protection. This list has been referred to in the DPA since its enactment but, as of today, is still to be released.
The transfer of personal data overseas can only take place in accordance with DPA provisions and provided that the jurisdiction to which the data is going to be transferred ensures an adequate level of protection. This level of protection is assessed by the GPDP on a case-by-case basis (Article 19 of the DPA) as, up to now, the GPDP has not published a list of jurisdictions capable of ensuring the level of protection that is imposed by the DPA.
The transfer of data overseas may be possible under the various exceptions provided by the DPA. These include the necessity of such a transfer for the formation of a contract between the data subject and the data controller and for preliminary measures for the formation of that contract at the request of the data subject, among others.
However, the most common exception to the rule indicated above is the obtaining of the data subject’s express and unequivocal consent to such a transfer (Article 20, paragraph 1 of the DPA).
As no list of jurisdictions ensuring an adequate level of protection currently exists in Macau, the transfer of personal data abroad is subject to previous authorisation by the GPDG, as indicated above. If express and unequivocal consent from the data subject is obtained, or if the situation under analysis falls under one of the exceptions provided by the DPA, a simple notification is sufficient and complies with the legal provisions.
No timeframe currently exists for the procedure of assessment of the level of protection of a given legal order by the GPDP.
The international transfer of data is subject to the requirements referred to above, in 4.1 Restrictions on International Data Issues.
This issue does not arises in the Macau SAR jurisdiction.
Organisations collecting or transferring data in connection with foreign government data requests, foreign litigation proceedings (eg, civil discovery) or internal investigations are not exempted from the standard requirements set out under the DPA and shall be subject to the same penalties in case of breach of the existing laws.
This issue does not arises in the Macau SAR jurisdiction.
Big Data Analytics
Big data constitutes an example of the interconnection of data, which is defined as “data processing which consists in the possibility of correlating data in a file, with the data in a file or files kept by another or other controllers, or kept by the same controller for other purposes”.
As stated above, the interconnection of data is subject to previous authorisation by the OPDP, without prejudice to legal or regulatory exceptions (Articles 9 and 22 of the DPA).
Under the DPA, profiles involving the personal data of individuals shall be built and processed in a lawful way and in compliance with the principle of good faith, as well as with the principles enunciated in Article 2 of the DPA, which include the respect of rights, freedoms and guarantees in Macau SAR, and in international instruments and in existing legislation (Article 5, paragraph 1, subparagraph 1 of the DPA).
Article 6 of the DPA further provides that the processing of personal data may only be carried out if the data subject has given his or her unequivocal consent, or if the processing is necessary to the:
Other Key Principles
The DPA stipulates that data shall be exact and, if necessary, shall be updated, with the obligation to ensure that inexact or incomplete data is erased or amended, in compliance with the purposes for which that data was collected or subsequently processed (Article 5, paragraph 1, subparagraph 5 of the DPA).
Purpose limitation – data shall be collected for specific, determined and lawful purposes, which are directly related to the activity of the data controller, and cannot subsequently be processed in a way that is incompatible with those purposes (Article 5, paragraph 1, subparagraph 2 of the DPA).
Data minimisation – no specific stipulation, this principle is included in Article 5, paragraph 1, subparagraph 3 of the DPA (see “proportionality” below).
Proportionality – data shall be adequate, pertinent and non-excessive in relation to the purposes for which it is collected and processed (Article 5, paragraph 1, subparagraph 3 of the DPA).
Retention – data shall be kept in a way which allows the identification of its owner only for the duration necessary for the purposes of collection or subsequent processing (Article 5, paragraph 1, subparagraph 5 of the DPA).
Facial recognition, biometric data and geolocation – despite the absence of specific provisions in the Macau SAR applicable legislation, systems that contain these features shall be considered as personal data collecting and processing systems and therefore should follow the same operational requirements.
Drones – these devices are subject to the limitations referred to above if collecting personal data – in addition, there are requirements imposed by Macau Civil Aviation authorities who limit the operation of the devices and require the issuance of an appropriate licence.
Pursuant to the Macau authorities increasing concern with data protection matters, most relevant corporations in Macau, including gaming operators, banks, insurances companies and public services concessionaires have also increased their awareness of the topic, which in many cases has also made these players change their attitude towards the matter. It is therefore now common to find internal policies supervising the use and processing of personal data within some of those entities and it is also common to find some of these entities appointing Data Protection Officers despite the absence of a legal requirement to enact either of these measures.
There are no significant audits, investigations or penalties imposed for alleged privacy or data protection violations.
The legal standards are those included in the Macau Administrative Procedure Code and any investigation or audit shall follow the legal principles.
There are no specific regulations on this matter in Macau.
It is possible, under certain circumstances, for penalties to be published after the court decisions are taken. Such disclosure shall be considered an accessory sanction to the principle penalty imposed.
Cybersecurity law will enter in force very soon and it is expected that the DPA will be revised in order to put it in line with the GDPR.