TMT 2021 Comparisons

Last Updated February 19, 2021

Law and Practice

Authors



Rato, Ling, Lei & Cortés – Advogados (Lektou) is a Macau SAR-based law firm with more than 30 years’ experience of legal practice. Services regularly provided by the firm include issuing legal opinions and advising on Macau law, helping international companies start their businesses in Macau, and assisting in the reorganisation of economic groups with connections to Macau. In 2016, Lektou partnered with Zhong Yin Law Firm, in the People’s Republic of China, and Fongs, in Hong Kong, to open a new office in Hengqin Island, Zhuhai, PRC – ZLF Law Firm. This is the first law office to unite firms from the two Special Administrative Regions and Mainland China.  In 2017, Lektou opened an office in Lisbon, Portugal, as part of its internationalisation strategy to position itself as a legal player in the platform between the PRC and Portuguese-speaking countries. The firm's academic and professional approach, its modern specialisation, together with the experience of its lawyers, are key to answering the increasing demands of the firm’s clients worldwide.

The processing of personal data in the Macau Special Administrative Region (MSAR or Macau) is subject to the legal regime of the Personal Data Protection Act (Law No 8/2005, dated 22 August 2005, or PDPA), which defines personal data as “any information of any kind and regardless of the respective format, pertaining to an identified or identifiable natural person”. Sensitive personal data is further defined as “data related to philosophical or political beliefs, membership of a political or trade union association, religious belief, private life and racial or ethnic origin, health and sex life, including genetic data”. Specific stipulations relating to this legislation are indicated in 6 Key Data Protection Principles. With regards to cloud computing, there is currently no specific regulation on this matter in Macau.

The Personal Data Protection Act (PDPA)

The processing of personal data under the PDPA is subject to key mandatory principles such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law and applicable legislation), collection limited to specified, explicit and legitimate purposes, and proportionality, among others, and may only be carried out if the data subject has given their unequivocal consent, or if the processing is necessary for the purposes set out in the law.

The Macau Office for Personal Data Protection (OPDP) must be notified in writing within eight days of the start of any processing of personal data under the PDPA (either wholly or partly executed by automatic means), without prejudice to the cases where prior authorisation must be sought.

Whenever data is retrieved directly from the data subject, the person responsible for processing the data, or their representative, must provide the data subject with the information set out in the PDPA (eg, the identity of the controller and their representative, if any; the purpose of the processing; and other ancillary information), and the documents used to retrieve the personal data must contain such information. Also, in the case of data collection in open networks, the data subject must be informed that their personal data may circulate in the network without security, at the risk of being seen and used by unauthorised third parties. 

The Office for Personal Data Protection (OPDP)

In the case of cloud computing, the data is likely to be stored in servers abroad – in the case of the transfer of personal data to a destination outside Macau, the PDPA determines that such transfer can only take place if the provisions of said law are respected and if the legal system of the destination ensures an adequate level of protection. Said analysis is made on a case-by-case basis by the OPDP.

The transfer to a legal system which does not ensure an adequate level of protection can be made by notification to the OPDP if the data subject has given their unequivocal consent for the transfer or if the transfer is necessary for the purposes set out in the law. It should be noted, however, that regarding sensitive data, as well as credit and solvency, the need for authorisation by the OPDP overrides the simple notification procedure, and the transfer cannot take place without such previous authorisation being obtained.

Regarding specific industries such as banking and finance, the Macau Financial System Legal Regime (Decree-Law No 32/93/M, dated 5 July 1993, or “RJSF”) stipulates that the members of the governing bodies of credit institutions, their workers, auditors, experts, agents and other persons who provide services to them, whether on a permanent or accidental basis, may not reveal or use, for their own or someone else's benefit, information on knowledge which has come to them from the exercise of their functions, and which includes in the information subject to secrecy the names and other data relating to customers, deposit accounts and their movements, investment of funds and other banking transactions. Such duty of secrecy shall survive even after the functions referred to above have ended.

Risk and Liability

Blockchain technology is currently not regulated in Macau – therefore, the risks and liabilities when launching or using such technology will largely depend on the specific type of information concerned and on the particular industry using such technology.

Intellectual Property

Intellectual property in Macau is governed by two main laws – the Industrial Property Legal Regime (Decree-Law No 97/99/M, dated 13 December 1999, or “RJPI”), which covers inventions, patents, industrial designs, trade marks, layout designs of integrated circuits, commercial names and designations, etc, and the Copyright Law (Decree-Law No 43/99/M, dated 16 August 1999), which protects original intellectual creations in the literary, scientific or artistic domains, inter alia, computer software.

The intellectual property of blockchain technology would largely be covered in Macau under the general umbrella of the RJPI, under the patent of computer-implemented inventions. However, unlike the grant rate of patent families relating to blockchain technology in Mainland China, there does not appear to be any such grant in Macau, which demonstrates the incipient character of such intellectual property in the MSAR. 

Data Privacy

As indicated above, the inclusion of personal data in blockchain technology would conflict with the mandatory stipulations of the PDPA, the general principles of which determine inter alia that the processing of personal data must strictly observe privacy rights and the rights, freedoms and guarantees set out in the Macau Basic Law. Also, the PDPA requires that personal data must be: 

  • processed lawfully and with respect for the principle of good faith and the general principles set out in the PDPA;
  • collected for specific, explicit and legitimate purposes directly related to the exercise of the activity of the controller, and not subsequently treated in a manner incompatible with those purposes;
  • adequate, relevant and not excessive in relation to the purposes for which it is being collected and subsequently treated;
  • accurate and, if necessary, updated, taking appropriate measures to ensure that inaccurate or incomplete data is erased or rectified, and taking into account the purposes for which it was collected or for which it is being processed; and
  • preserved in such a way as to allow the identification of its holders only for the period necessary for the purposes of its collection or further processing purposes.

Since blockchain is, by design, a public and verifiable ledger of transactions, the personal data included in such record would likely contravene the mandatory stipulations of the PDPA. While the express authorisation of the data subject on this matter could potentially resolve the problem of the public availability of personal data, it does not solve the permanency and lack of specific purpose of the processing of such information.

Therefore, with regard to personal data in blockchain technology, the only possible solution would entail specific legislative authorisation of the data to be used, as well as an authoritative opinion on the matter by the OPDP. Personal data used in blockchain technologies must, in any event, be kept to an absolute minimum, accompanied by the necessary unequivocal consent of the data subject (and mandatory notification/authorisation of the OPDP).

Service Levels

There is currently not enough information on the usage of blockchain technology in Macau to assess service levels. 

Jurisdictional Issues

As per the above, blockchain technology is currently not regulated in Macau – therefore, the jurisdictional issues surrounding such technology will largely depend on the specific information concerned and on the particular areas in which the information is used. 

Response

There is currently no specific legislation on big data, machine learning and artificial intelligence (AI) in the MSAR. However, the challenges presented by big data (ie, large amounts of data which include traditional enterprise/company data, machine-generated/sensor data and social data) may concern, on the one hand, the type of data being transferred and generally processed in several networks and, on the other, the need to ensure that these networks are secure and compliant with personal data protection and cybersecurity legislation.

Compliance with the PDPA

One of the biggest challenges for entrepreneurs is compliance with the PDPA with regard to the processing of personal data under its mandatory principles, such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law and applicable legislation), collection limited to specific purposes, and proportionality, among others, and the need to obtain the unequivocal consent of the data subject for the processing (or, alternatively, the need for processing for the purposes set out in the PDPA).

As big data necessarily includes large data sets which are often unorganised and may come from several jurisdictions with different personal data protection requirements, such challenge will force large corporations to have dedicated structures (such as chief data officers and ancillary teams or departments) to ensure that, in the processing of data, there is differentiation between general data and personal data, and that such processing is done in accordance with applicable legislation and the security measures provided therein.

Macau Cybersecurity Law

In relation to the Macau Cybersecurity Law (Law No 13/2019, dated 24 June 2019), which seeks to bolster the protection of computer systems regarding cybercrimes and cybersecurity threats against public and private operators of critical infrastructures (as defined in the law), the dedicated structures referred to in the previous paragraph will also need to comply with the general responsibilities and cybersecurity duties provided therein (namely, organisational duties; procedural, preventive and reactive duties; self-evaluation duties; and co-operation duties). 

As previously indicated, there is currently no specific legislation regarding machine learning and AI. Although the PDPA includes the right of the data subject not to be exposed to individual automated decisions, no further stipulations regulate the issue of automated decision-making. In this regard, and without prejudice to the principles and provisos of the law regarding personal data processing, it is incumbent on the local legislator to update the law so as to ensure that AI-driven decision-making is compatible with core legal principles such as transparency, accountability, legality, and protection of fundamental rights.

With regard to the internet of things (IoT) projects and the data circulating therein, the main piece of legislation which would restrict the scope of a project in such an area would be the PDPA and its stipulations regarding personal data. The processing of personal data through any such device would necessarily have to comply with the applicable stipulations of the law, ie, it must be performed in a transparent manner and in strict observance of privacy rights and of the rights, freedoms and guarantees enshrined in the Macau Basic Law and in applicable legislation, and it may only be carried out if the data subject has given their unequivocal consent, or if the processing is necessary for the purposes set out in the law. 

Personal v Sensitive Data

As previously indicated (and without prejudice to the cases where prior authorisation must be sought), the processing of personal data is generally subject to notification to the OPDP, which must be made in writing and within eight days of the start of processing. The processing of sensitive data, on the other hand, is generally forbidden, and can only take place if guarantees of non-discrimination and sufficient security measures (which include the general implementation by the data controller of appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction; accidental loss; unauthorised alteration, dissemination or access; as well as special safety procedures set out in the law) are provided, and in the cases indicated in the law, where the data subject’s explicit consent has been obtained. It is also dependent on prior authorisation by the OPDP.

The IoT may also involve the transfer of personal data abroad – in this regard, the PDPA stipulates that the transfer of personal data to a destination outside Macau can only take place if the provisions of the PDPA are respected and if the destination's legal system ensures an adequate level of protection. Said analysis is made on a case-by-case basis by the OPDP. However, the transfer to a legal system which does not ensure an adequate level of protection can be made by notification to the OPDP if the data subject has given their unequivocal consent for the transfer or if the transfer is necessary for the purposes set out in the law.

There are currently no specific stipulations on IT service agreements in Macau, without prejudice to the general stipulations regarding data in general (regulated and protected under the general civil and commercial regime, as indicated here) and the stipulations on personal data protection (set out in the PDPA).

In accordance with the Cybersecurity Law, which established the general structure of the cybersecurity system of the MSAR (as indicated in 4 Legal Considerations for Internet of Things Projects), public and private operators of critical infrastructures defined in the law are subject to the general responsibilities and cybersecurity duties (organisational duties; procedural, preventive and reactive duties; self-evaluation duties; and co-operation duties) set out therein. 

The organisational duties of private operators of critical infrastructures, within the scope of their organisation, are to:

  • create cybersecurity management units capable of implementing the respective internal protection measures;
  • provide cybersecurity management units with the appropriate human, financial, material and patrimonial means;
  • designate the main person responsible for cybersecurity and the respective substitute, from among individuals with the proper suitability and professional experience, and with habitual residence in the MSAR;
  • make sure that the principal responsible for cybersecurity and their replacement are permanently reachable by the Cybersecurity Incident Alert and Response Centre (CARIC); and
  • establish complaints and denunciation mechanisms related to cybersecurity. 

The duties of private operators of critical infrastructures, in terms of procedures and prevention and response to cybersecurity incidents, are to:

  • establish a cybersecurity management regime and respective internal operating procedures;
  • adopt, in accordance with the cybersecurity management regime and applicable technical standards, internal measures for protection, monitoring, alert and response to cybersecurity incidents;
  • inform CARIC of the occurrence of cybersecurity incidents and inform the respective supervisory entity of the fact, as well as immediately initiate actions to respond to serious incidents; and
  • monitor and record the health of the network. 

The duties of private operators of critical infrastructures, regarding self-assessment and reporting, are to:

  • assess, by themselves or through specialised entities, the security and risks existing in their networks and systems; and
  • submit an annual cybersecurity report to the respective supervisory entity, mentioning, inter alia, any recorded incidents, the results of the assessment referred to in the previous bullet point and the improvement measures taken.

The duties of private operators of critical infrastructures, as well as their administrators, managers or representatives, with regard to collaboration with CARIC and supervisory entities are to:

  • allow the representatives of those services to enter their premises, provide them with access to their networks and provide them with the information they request, to the extent necessary to verify compliance with the procedural, preventive and reactive duties referred to above; and
  • provide the support and collaboration necessary to ensure the good management of cybersecurity.

Therefore, any IT service agreement entered into with a local organisation defined as a private operator of critical infrastructures under the Cybersecurity Law must encompass (and comply with) the duties and responsibilities set out above.

Furthermore, and should the IT service agreement touch upon personal data, it is likely that the local entity shall be either the data controller (understood as the natural or legal person, the public entity, the service or any other body that, individually or together with others, determines the purposes and means of processing of personal data under the PDPA) or a subcontractor/processor (classified in the PDPA as the natural or legal person, the public entity, the service or any other body that processes personal data on behalf of the controller). Processing of personal data is defined by the PDPA as “any operation or set of operations performed upon personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

A Local Entity as Data Controller

Should the local entity be the data controller, then it is bound by the obligations set out in the PDPA as indicated above, inter alia, with regard to the need to obtain the unequivocal consent of the data subject and to provide all the necessary information, as well as to ensure that the subcontractor implements the appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular, where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures must ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of implementation.

A Subcontractor as Data Processor

Where processing of data is carried out on behalf of the data controller (eg, by a local entity), the data controller must choose a subcontractor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing of the data, and must further ensure compliance with those measures. The processing by a subcontractor must be governed by a contract or legal act, binding the subcontractor to the data controller and stipulating in particular that the subcontractor shall act only on instructions from the data controller, and that the obligations set out in the PDPA regarding data security measures shall also be incumbent on the subcontractor. For the purposes of keeping proof, the parties to the contract or the legal act relating to data protection and the requirements relating to the data security measures must be in writing in a document with legally recognised probative value.

Core Rules Regarding Data Protection

Data protection regimes in Macau differ according to the data subject – as indicated above, personal data is regulated by the PDPA, which defines personal data as “any information of any kind and regardless of the respective format, pertaining to an identified or identifiable natural person”. The PDPA therefore only protects individual’s data as described therein, under the key mandatory principles such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law), collection limited to specific purposes, and proportionality, among others, and the requirement that the data subject must give their unequivocal consent, or that the processing is necessary for the purposes set out in the law.

Conversely, data in general is regulated and protected under the general civil and commercial regime, inter alia, under the unfair competition stipulations set out in the Macau Commercial Code (Decree-Law No 40/99/M, dated 3 August, or “MComC”), which determine that the disclosure or exploitation, without the authorisation of the holder, of industrial secrets or any other business secrets to which it has been given legitimate access, but with a duty of secrecy, or which it has accessed illegitimately, is considered unfair, namely as a result of any of the conduct provided for in the MComC regarding the promotion and exploitation of contractual breaches.

For the purposes of unfair competition stipulations, any technical or commercial information that has practical use and provides economic benefit to the holder, which is not publicly known, and for which the holder has taken appropriate security measures to guarantee its confidentiality, shall be considered a business secret.

Distinction between Companies/Individuals

As previously indicated, companies cannot be the holders of personal data, only individuals – hence, data which pertains to companies (or commercial entrepreneurs, either natural or legal persons) is protected under the commercial regime, whereas personal data is regulated under the PDPA.

Without prejudice to the stipulations on unfair competition and on the processing of personal data (as indicated in the paragraph below), there is currently no specific legislation in Macau on the processing of data in general.

Processing of Personal Data

As indicated earlier in this section, personal data protection in Macau is regulated by the PDPA, which defines the processing of personal data as “any operation or set of operations performed upon personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction” and subjects such processing to key mandatory principles such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law) and collection limited to specific purposes, among others.

The general rule for processing personal data under the PDPA is that it may only be carried out if the data subject (ie, the individual to whom the data being processed pertains) has given their unequivocal consent (understood as any freely given, specific and informed indication of their will and acceptance of their personal data being processed) or if the processing is necessary for the:

  • execution of a contract or contracts to which the data subject is party, or for prior arrangements to the formation of the contract or declaration of negotiation, at the data subject’s request;
  • compliance with a legal obligation to which the controller is subject;
  • protection of the data subject’s vital interests, if they are physically or legally incapable of giving their consent;
  • execution of a public interest mission or when exercising powers of public authority in which the controller (or a third party to whom the data is transmitted) is invested; or
  • pursuit of the legitimate interests of the controller or third party to whom the data is transmitted, provided that the interests or rights, freedoms and guarantees of the data subject do not prevail over these interests.

Any processing of personal data, either wholly or partly executed by automatic means, must be notified in writing within eight days of the start of the processing, to the OPDP, without prejudice to the cases subject to prior authorisation by the regulator.

Regarding the collection of personal data directly from the data subject, the latter has a right to information vis-à-vis the data controller or its representative, which must be contained in the document which serves as the basis for the collection of personal data, and which includes:

  • the identity of the data controller and, where necessary, their representative;
  • the purposes of the data processing;
  • other information, such as:
    1. the recipient or categories of recipients of the data provided;
    2. the compulsory or optional nature of the response, as well as the potential consequences of failure to reply;
    3. the existence and conditions of the right of access and rectification of data, to the extent that they are required, taking into account the specific circumstances of data collection, to ensure the data subject fair processing of the same.

Processing of sensitive personal data

The PDPA further forbids the processing of data deemed as sensitive, which includes data concerning political or philosophical beliefs, religious faith, trade union or political membership, racial or ethnic origin, and data concerning health or sex life, including genetic information. The processing of such data can only take place if guarantees of non-discrimination and sufficient security measures (indicated in the PDPA) are provided, and in the cases indicated in the law, which include obtaining the data subject’s explicit consent. Also, the processing of sensitive data cannot take place without previous authorisation by the OPDP, and the same goes for the processing of data regarding the credit and solvency of the concerned data subject.

With regard to sensitive data, the PDPA further demands that, aside from the general request for the implementation by the data controller of appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, unauthorised alteration, dissemination or access, the data controller must further employ special safety procedures, which include appropriate measures to safeguard personal data under the law, and to ensure that the respective system guarantees the logical separation of data on health and sex life, including genetic data, from other personal data.

Transfer of personal data abroad

The PDPA stipulates that the transfer of personal data to a destination outside Macau can only take place if the provisions of the PDPA are respected and if the destination's legal system ensures an adequate level of protection. Said analysis is made on a case-by-case basis by the OPDP. However, the transfer to a legal system which does not ensure an adequate level of protection can be made by notification to the OPDP if the data subject has given their unequivocal consent for the transfer or if the transfer is necessary for the purposes set out in the law (which include, inter alia, cases where the transfer is necessary for the execution of a contract between the data subject and the controller, or prior arrangements to the formation of the contract, at the data subject’s request; or for the conclusion or performance of a contract concluded in the interest of the data subject between the person responsible for the data processing and a third party).

Under the Macau Labour Relations Law (Law No 7/2008, dated 18 August 2008, or “LRL”), the work conditions that regulate an employment relationship are established by general mandatory norms specific to the sector in question, by company regulations and by the employment contract. Furthermore, within the limits arising from the employment relationship and the norms that regulate it, the employer has the right to set the terms under which the work must be performed, and for that purpose can draft company regulations containing rules of organisation and discipline at work. These do not prejudice the due respect for the technical autonomy of the worker whose professional regulation requires it. It is up to the employer to publicise the content of such company regulations, so that employees can, at all times, be aware of this content and have access to a copy of it.

Conversely, as indicated in 6 Key Data Protection Principles, the processing of personal data is regulated by the PDPA, and it is subject to key mandatory principles such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law), collection limited to specific purposes, among others, and the requirement that processing of personal data may only be carried out if the data subject has given their unequivocal consent, or if the processing is necessary for the purposes set out in the law. 

Therefore, whenever the use of company computer resources involves the personal data of employees (by monitoring phone calls, emails, internet page views, video calls, etc), it also entails the collection and processing of personal data under the PDPA (understood as “any information of any kind and regardless of the respective format, pertaining to an identified or identifiable natural person”).

In this regard, any monitoring of employees or limiting of their use of company resources which may entail personal data processing will necessarily be restricted by the stipulations of the PDPA, that is, it will have to take place in a transparent and lawful manner, respecting private life and fundamental rights under the Macau Basic Law and the PDPA. The processing of personal data as per the above must therefore have a lawful purpose (ie, it must be necessary to guarantee the safety of employees or the good functioning of the company), it must take place in a lawful manner, with adequate and transparent means for the prosecution of its objectives and restricted retention of personal data (the OPDP suggests a period of three months, with a maximum limit of six), and a limited scope of action, restricted to the professional activities of employees.

Under the PDPA, as indicated, the unequivocal consent of the data subject must be sought, and the rights and guarantees set out in the law must be fully applied. Therefore, the data subject must be duly informed of the identity of the data controller and, where necessary, of their representative, of the purpose of the data treatment, and of other ancillary information set out in the PDPA. The data subject is also entitled to access their personal data as per the law, and may oppose the processing of their data in justifiable and legitimate cases.

To avoid excessive and unjustified use of company tools for private purposes, and in light of the mandatory stipulations of the PDPA, as well as the opinion of the OPDP on this matter, the best approach to counteract such situation would therefore be the application of preventive tools (ie, limitation of usage of certain programs and browsers by employees, the use of firewalls, etc) instead of post-factum monitoring of data, which would inevitably contravene the stipulations of personal data legislation.

The telecommunications sector in Macau is framed by Law No 14/2001, of 20 August 2001 (the “Telecommunications Act”), which defines the basis of the telecommunications policy of the MSAR, as well as the general framework for the establishment, management and operation of telecommunications networks and the provision of telecommunications services. The provisions of said law do not, however, apply to television and sound broadcasting services, terrestrial or satellite, which are subject to specific legislation. Telecommunications under the law is defined as the transmission, emission or reception of symbols, signs, writing, images, sounds or information of any nature by wire, radio, electricity or other electromagnetic systems. The law further determines that the establishment, management and operation of telecommunications networks and the provision of telecommunications services are in the public interest, and can only be pursued by public or private entities duly authorised to that effect under the terms of the applicable regulations.

The Telecommunications Act also stipulates the objectives of such policy, which include:

  • to gradually liberalise the installation of public telecommunications networks and the provision of public-use telecommunications services;
  • to ensure access to telecommunications by the whole population, at reasonable tariffs and prices, in a non-discriminatory manner and at a level of quality and efficiency that meets their needs, and also their economic and social activities;
  • to ensure the existence and availability of the universal telecommunications service;
  • to ensure equality and transparency of conditions of competition by promoting the diversification of services in order to increase supply and achieve quality standards compatible with the requirements of users; and
  • to ensure the inter-operability of public telecommunications networks, as well as the portability of the customer's number, among others.

It is incumbent upon the government to oversee and supervise telecommunications and the activities of telecommunications operators, without prejudice to the specific competencies of the Macau Post Office.

Licensing of Telecommunications Services

On the licensing of telecommunications services, Administrative Regulation No 32/2000, of 11 September 2000, defines the legal regime for provisional licensing of the activities of public network operators and the provision of telecommunications services for public land mobile use, up to a maximum of three licences, operating in certain frequency bands, and with the adoption of the concepts established by the International Telecommunication Union (ITU). The operation of public telecommunications networks and the provision of telecommunications services for public land mobile use are further defined by the Administrative Regulation No 7/2002, of 15 April 2002, which establishes that said activities are subject to licensing.

The allocation of licences is subject to a public tender, which can be limited with prior qualification, under the terms of the specific regulation of each tender, to be approved by executive order. The bidding regulation defines the terms of the respective procedure, including any prior qualification, as well as the information set out in the law (which includes the amount and method of providing the provisional bond to guarantee the link assumed with the submission of applications and the obligations inherent to the tender, as well as the final bond). The licensed entities are further subject to the payment of:

  • fees for issuing and renewing the licence; and
  • annual operating fees, corresponding to a percentage of gross operating revenue from services provided under licensed activities, to be determined by order of the chief executive, to be published in the Official Bulletin.

The fees related to the use of the radio spectrum, on the other hand, are set out in Administrative Regulation No 8/2006, dated 12 June 2006.

Voice-Over-IP and Instant Messaging

On specific technologies such as voice-over-IP and instant messaging, the applicable legislation would be the Administrative Regulation No 24/2002, of 4 November 2002, which subjects the provision of internet services to prior licensing, to be requested from the chief executive by filing an application with the Macau Post Office, signed by a person with the power to bind the applicant, and whose respective signature and the quality thereof must be certified by a notary. The application must contain the following documents:

  • proof that the applicant is a commercial company duly incorporated in the MSAR, whose scope of business includes the provision of internet services;
  • proof that the applicant has the necessary technical capacity and experience adequate to the fulfilment of the obligations and further specifications of the licence the applicant proposes to obtain, having, namely, a body of qualified personnel for the development of the activity;
  • proof that the applicant has adequate financial and economic capacity;
  • proof that the applicant has up-to-date and adequate accounting of the analysis required for the project they wish to develop;
  • a detailed proposal relating to the operation of the services, presented as a technical plan to be developed, that must contain, namely, the configuration of the technological systems to be used, with reference to access methods and the necessary equipment, as well as planning of the development of the systems and services;
  • an economical and financial plan that includes the price system to be adopted;
  • the applicant’s organisational structure, including the identities and CVs of its main responsible personnel, as well as, where possible, financial statements and audit reports in relation to the accounts of the three prior fiscal years; and
  • any other elements that the applicant deems relevant for a decision on its request. 

The licence shall specify the applicable fees and their respective payment period. Namely, the provider is subject to licence issuance and renewal rates of MOP2,000, and to an annual operating fee of MOP1,000 from the year after the licence is issued, to be paid during the month of January each year. These fees do not exempt the service provider from the payment of other fees and taxes that are legally owed. 

It should be noted, however, that the use of such technologies through internet connection by existing, duly licensed telecommunications entities should not require any further licensing, without prejudice to the applicable telecoms rules.

RFID Tags

Regarding RFID tags, the Decree-Law No 18/83/M, dated 12 March, subjects the possession of radio equipment that can transmit, receive or transmit/receive, as well as the establishment or use of a radio station or network, to prior government authorisation. However, exceptions to this rule are reduced radio equipment power and short range, included in categories set out in Chief Executive Order No 198/2014, dated 14 July 2014, as well as the receivers of the radio and television broadcasting service. Therefore, RFID tags in the 13.553–13.567 MHz and 920–925 MHz frequency bands, with a maximum equivalent isotropically radiated power (PIRE) of 1 W, are exempt from prior government authorisation. 

Broadcasting in the MSAR is framed by Law No 8/89/M, of 4 September 1989, which establishes the legal regime for radio and television broadcasting, with the purposes set out therein. Television broadcasting is defined as a public service and is exercised under a concession contract, whereas the activity of sound broadcasting is subject to the licensing regime, the exercise of which depends on the attribution of a licence. Both awards are normally preceded by a public tender. 

Radio Broadcasting Concessions 

In accordance with Law No 8/89/M, the broadcast of sound/radio is subject to the granting of a licence to operate in the radio-electric public domain spectrum of the MSAR. Sound broadcast radios may be held in the following bands: 

  • hectometric waves (medium), modulated amplitude: band between 526.5 kHz and 1606.5 kHz; and 
  • metric waves (very short), modulated frequency: band between 87 MHz and 108 MHz.  

In accordance with Law No 8/89/M, the chief executive may also allocate other frequency bands of the broadcasting service which are already available or which, as a consequence of technological development, have been added to the International Frequency Allocation Plan. It appears that, to date, no such other frequencies have been included in regulation. 

Regarding the administrative procedures related to radio communication services, Decree-Law No 48/86/M, of 3 November 1986, establishes the rules by which said administrative procedures shall be governed, in particular with regard to:  

  • the concession, installation and operation of radio communications networks or stations;  
  • radio operators;  
  • the approval of radio communications equipment; and  
  • the commercialisation of radio communications equipment. 

The granting of permits for the activity of radio broadcasting under Law No 8/89/M is preceded by a public tender, except when ponderous and duly justified reasons advise a direct award. The radio broadcasting activity can be carried out by any legal person that has its headquarters in Macau and offers guarantees of suitability, technical qualification and financial capacity. The Social Communication Office (Gabinete de Comunicação Social) is the competent entity that organises the processes related to the granting of permits, and an application for a permit must be accompanied by the following elements:  

  • justification note of the request;  
  • demonstration of the economic and financial viability of the project;  
  • detailed description of the activity to be carried out, with emphasis on the broadcasting time and the schedule map;  
  • design of the facilities, including equipment, antennas and studios; and 
  • statutes of the applicant. 

The permit is valid for five years and can be renewed, for equal periods of time, at the request of the respective holder. The attribution and transmission of permits, as well as the respective alterations, renewals or substitutions, in case of loss or unusability, are subject to the payment of fees, determined in the General Table of Fees and Fines Applicable to Radio Services approved by Administrative Regulation No 16/2010, dated 12 July 2010. 

Television Broadcasting Concessions

As with radio broadcasting, the granting of television broadcasting concessions under Law No 8/89/M is also preceded by a competitive bidding process, except when weighted and duly justified reasons advise direct concession. Television broadcasting activity can be granted to any legal person that is incorporated in corporate form and has its headquarters in Macau, for the purpose of exercising the activity to be granted, and offers guarantees of suitability, technical qualification and financial capacity. 

The television broadcasting concession contract may authorise the concessionaires to carry out other complementary activities related to the main activity, by themselves or in association with other entities, namely those indicated by law, and in exceptional cases, concessionaires may be legal persons of public law or public utility. 

Television broadcasting concessions must have a fixed term, to be determined according to the business plan to be developed and the time necessary for the amortisation of the capital invested by the concessionaires, and sub-concession is not allowed. Concessionaires are obliged to fulfil the duties indicated in the law, namely, they are obliged to make the necessary investments to guarantee full coverage, in good technical conditions, of the areas of Macau that are defined in the concession contract, which must establish the amount of investment to be made, the plan and the overall timetable for its implementation. 

For the concession, a fee is due, to be determined in the respective contract, without prejudice to any initial grace period established in the contract. Concession contracts may also establish forms of remuneration other than payment in cash, namely, the use of issuance time by grantor. 

Furthermore, the licensing regime for satellite television broadcasting activity is regulated by Decree-Law No 3/98/M, dated 19 January 1998, with regard to: 

  • installation and operation of satellite television broadcasting telecommunications systems; and 
  • provision of satellite television broadcasting telecommunications services. 

A licence for the installation and operation of the system or for the provision of telecommunications services for satellite television broadcasting may be requested by telecommunications companies with headquarters and a place of effective management in Macau, and which demonstrate technical suitability and adequate economic and financial capacity. The licence is requested through the Macau Post Office, which is the competent entity to organise and instruct the licensing process and analyse the request, and it is assigned by order of the chief executive, who sets out, on a case-by-case basis, the terms and conditions for exercising the activity. 

The holder of a licence to exercise the activity of satellite television broadcasting is required to pay the following fees to the Macau Post Office:  

  • installation and operation of the system: from MOP100,000–1,000,000, depending on the complexity and purpose of the system;  
  • provision of the service: MOP100,000 for each broadcast programme; and  
  • an annual operating fee, corresponding to 3% of the respective gross operating revenues from licensed systems or services and subsidiary activities. 

Online Video Channels 

Online video channels such as YouTube would fall under the scope of Administrative Regulation No 24/2002, of 4 November 2002, which subjects the provision of internet services to prior licensing – however, as previously indicated, the use of such technologies through internet connection by existing, duly licensed telecommunications entities should not require any further licensing, without prejudice to the applicable telecoms rules. 

No specific legislation on encryption currently exists in Macau – however, concerning sensitive personal data (see definition in 1 Cloud Computing), the PDPA mandates that, aside from the general request for the implementation by the data controller of appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, unauthorised alteration, dissemination or access, the data controller must further employ special safety procedures, which include appropriate measures to:  

  • prevent unauthorised access to the premises used for the processing of such data;  
  • prevent data media from being read, copied, altered or removed by an unauthorised person;  
  • prevent unauthorised entry and unauthorised disclosure, alteration or deletion of entered personal data;  
  • prevent automated data processing systems from being used by unauthorised persons through data transmission facilities;  
  • ensure that authorised persons can only access the data covered by the authorisation;  
  • ensure the verification of entities to whom personal data may be transmitted through data transmission facilities;  
  • ensure that there is a posteriori knowledge, within a period appropriate to the nature of the treatment (to be laid down by regulation applicable to each sector), of what personal data is introduced when and by whom; and 
  • prevent the data from being read, copied, altered or deleted in an unauthorised manner during the transmission of personal data and during the transportation of its medium (ie, written on paper or stored in electronic form). 

Aside from the security measures laid out above, the OPDP may determine that, in cases where the circulation of sensitive personal data in a network may jeopardise the rights, freedoms and guarantees of the respective holders, the transmission shall be encrypted. 

Furthermore, the regulation on technical specifications related to the guarantee levels of user account systems (as per Chief Executive Order No 300/2018, dated 27 December 2018), establishes the specifications applicable, within the scope of a user account system, to the various procedures that organise and allow verification, by electronic means, of the user's identity. These technical specifications cover the following subjects:  

  • indication of the groups of elements of a user account system;  
  • indication of the guarantee levels of the groups of elements and the means of electronic identification;  
  • definition of the processes to be performed in each group of elements; and  
  • criteria and guidelines for achieving guarantee levels in each process. 

The only reference in the specifications to data encryption concerns the processes and measures included in the authentication phase (in particular, when using electronic identification means for authentication), which may include, inter alia, the use of authentication mechanisms and protocols that do not include passwords in communications on the network or, in exceptional circumstances, when it is necessary to authenticate on the network, encrypt data before sending, and use encrypted sessions. In any event, the use of encryption does not exempt an organisation from the applicable rules. 

Relief Programmes 

Following the economic crisis brought by the COVID-19 virus, the Macau government enacted a series of relief measures, namely publishing Administrative Regulation No 15/2020, dated 11 May 2020, which granted exemption from the payment of various rents, salaries and administrative fees, to mitigate the negative impact of the virus on the MSAR’s different activities. 

Specifically regarding the TMT sector, Administrative Regulation No 15/2020 provided an exemption, during the year 2020, from the payment of the fees set out in the General Table of Fees and Fines Applicable to Radio Services (under Administrative Regulation No 16/2010, dated 12 July 2010), among other exemptions. 

In order to further alleviate the impact caused by the COVID-19 epidemic, the government also implemented several measures of economic support, of a cross-sectional nature, including Administrative Regulation No 19/2020, dated 29 May 2020, which establishes the requirements and rules for granting financial support to workers, self-employed professionals and operators of commercial establishments, and Administrative Regulation No 33/2020, dated 24 August 2020, which establishes the requirements and rules regarding subsidised training plans and the allocation of the respective training allowance, etc. 

Personal Data Processing 

As the identification and monitoring of any case or suspected case of infection would necessarily entail the processing of personal data (which includes not only identification data but also general health data, such as health status, temperature, symptoms, etc), and in order to provide sufficient legal backing in light of the general obligation to notify the OPDP under the PDPA and to clarify the legal landscape on the exceptions to the notification rule, the OPDP provided three authorisations on this matter on 15 April 2020. 

Authorisation No 01/2020

Authorisation No 01/2020 concerns the processing of personal data of people entering and leaving establishments for the purpose of implementing measures for the prevention and control of communicable diseases, and especially to comply with the decrees and instructions issued by the competent authorities (ie, the Macau Health Services) under Law No 2/2004, dated 8 March 2004 (Law on communicable disease prevention, control and treatment). This authorisation limits the data which may be processed under the exception and further stipulates the length of data retention period (as a rule, six months from the day following data collection, or 30 days from the date on which the relevant measures cease to be implemented), the recipients of the data, the applicable security measures and the exercise of rights of access and rectification of data (which should be free, unless otherwise stipulated). 

The authorisation specifically rules out the possibility of interconnection of data and exempts the relevant entities from notifying the OPDP if there is no transfer of data (specified in the authorisation) abroad – however, the processing of such data which involves transfer of data abroad may still take place by means of a simplified notification form, which has the validity of three years, after which the relevant entity must renew the notification. Authorisation No 01/2020 also clarified that it would come into force on the day following its publication (ie, 16 April) but its effects are retroactive to 1 January 2020, which regularises the lack of notification from all entities concerned. 

Authorisation No 02/2020

Authorisation No 02/2020 concerns the processing of identifying biometric data for attendance purposes, and like Authorisation No 01/2020, also restricts the data which may be processed (specifically, name, internal identification document number, photograph, date and time of entry and departure, duties, position, professional status and workplace, with reference to fingerprints or palm prints and, in the case of medical, social service or scientific research institutions, facial geometry and sound, among others) and determines that the consent of the data subject must be obtained upon collection of biometric data. 

Authorisation No 02/2020 also generally rules out the possibility of interconnection of data (without prejudice to the processing of registered attendance data for administrative management purposes, provision of remuneration, benefits and perks, as well as security) and sets out the length of data retention period (30 days from the date of termination of the relationship between the data subject and the controller, for biometric data, and for up to five years from the date of termination of the relationship between the data subject and the controller for other data), as well as the authorised recipients of the data. 

Authorisation No 03/2020

Finally, Authorisation No 03/2020 concerns the processing of identifying biometric data for security purposes, and essentially follows the stipulations set out in Authorisation No. 02/2020 indicated above. However, the consent of data subjects is no longer a clear obligation when taking samples of biometric data referred to in the authorisation, but simply a recommendation for the data processor. Also, regarding biometric data of persons who are unable to pass an identification procedure, and who have the intention to enter internal areas with restricted access or use facilities and equipment for restricted use, the authorisation provides that the data must be deleted as soon as possible and within 24 hours, or up to one year if the data processor is a medical, social service or scientific research institution). 

Rato, Ling, Lei & Cortés – Advogados (Lektou)

Avenida da Amizade, 555 – Macau
Landmark Office Tower
23rd Floor
Macau SAR

+85 3879 75607

+85 3285 62322

mail@lektou.com www.lektou.com
Author Business Card

Law and Practice in Macau

Authors



Rato, Ling, Lei & Cortés – Advogados (Lektou) is a Macau SAR-based law firm with more than 30 years’ experience of legal practice. Services regularly provided by the firm include issuing legal opinions and advising on Macau law, helping international companies start their businesses in Macau, and assisting in the reorganisation of economic groups with connections to Macau. In 2016, Lektou partnered with Zhong Yin Law Firm, in the People’s Republic of China, and Fongs, in Hong Kong, to open a new office in Hengqin Island, Zhuhai, PRC – ZLF Law Firm. This is the first law office to unite firms from the two Special Administrative Regions and Mainland China.  In 2017, Lektou opened an office in Lisbon, Portugal, as part of its internationalisation strategy to position itself as a legal player in the platform between the PRC and Portuguese-speaking countries. The firm's academic and professional approach, its modern specialisation, together with the experience of its lawyers, are key to answering the increasing demands of the firm’s clients worldwide.