Data privacy and personal data protection are two rights enshrined by the legal framework of the Macau Special Administrative Region (Macau SAR or MSAR), which covers these two separate but related rights in a systematic and extensive manner.
The most relevant pieces of legislation addressing data protection and data privacy issues in Macau are:
The latter is an act inspired by the former European legislation on data protection, namely the European Union Data Protection Directive of 1995, and sets the legal framework for the protection of personal data in Macau SAR.
Other legislation affecting this area that should be noted includes:
The government consistently includes a statement of priority in the annual policy address regarding the implementation of e-government, smart city and other areas involving sensitive digital technologies and artificial intelligence.
Notwithstanding this, since its enactment in 2005, the PDPA has not been amended. The international trend for amendments and updates of legal frameworks on data protection matters, as well as the continued domestic and international interest in the area (most recently, the enactment, by the People’s Republic of China, of a new Personal Information Protection Law), has raised some expectation that the PDPA may soon be amended to better deal with the implications and challenges of the digital age.
The OPDP is the government entity responsible and accountable for monitoring and enforcing compliance with PDPA provisions, and for establishing an adequate confidentiality system and monitoring its enforcement.
While the OPDP exercises powers covering a broad area of activities both in the private and in the public sectors, it does not currently possess a full legal basis and a status providing permanent independence. In view of this, the OPDP has not been granted admission as a member, and was admitted only as an observer at the 30th Conference of the Global Privacy Assembly in 2008.
There are two different types of administrative process: notification and authorisation.
Under the PDPA, the data controller, or their representative, if any, must notify the public authority in writing within eight days after the start of carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes. The public authority may authorise the simplification of, or exemption from, notification for particular categories of processing which, taking account of the data to be processed, are unlikely to adversely affect the rights and freedoms of the data subjects. In allowing this simplification or exemption, the authority will also consider the speed, economy and efficiency of the relevant processing.
The authorisation of simplification shall be published in the Official Gazette of the Macau SAR and must specify: the purposes of the processing; the data or category of data to be processed; the category or categories of data subjects; the recipients, or categories of recipients, to whom the data may be disclosed; and the length of time the data is to be stored.
There are exemptions from notification, such as those for processing whose sole purpose is the keeping of a register which, according to laws or administrative regulations, is intended to provide information to the public and which is open to consultation by the public in general or by any person demonstrating a legitimate interest.
The texts of these generic authorisations are available at the OPDP’s official website.
Prior authorisation by the OPDP is required for some types of processing. These include the processing of sensitive data (where it is not carried out pursuant to a legal provision or it is carried out without the explicit consent of the data subject), data related to the credit and solvency of the data subject, and the combination of data and further processing of data for purposes other than those originally stated by the controller.
For this purpose, sensitive data means personal data revealing philosophical or political beliefs, political association or trade union membership, religion, private life, and racial or ethnic origin, and data concerning health or sex life, including genetic data. The authorisations for these types of processing shall be granted only if the controller provides guarantees of non-discrimination and sufficient security measures (indicated in the PDPA).
Applications submitted to the OPDP for opinions, authorisations and notifications shall include the following information:
Without prejudice to the right to submit a complaint to the public authority, according to the law any person may have recourse to administrative and legal means to guarantee compliance with provisions of laws and regulations in the area of personal data protection.
The OPDP is empowered to enforce those provisions of the PDPA that are of an administrative nature (see 2.5 Enforcement and Litigation), under the PDPA and the Chief Executive Dispatch No 83/2007. Criminal cases are reported to, and handled by, the Public Prosecutor’s Office.
The PDPA is strongly influenced by the former EU rules, which have long been considered the gold standard in data protection law, and its scope is quite similar to the laws of EU jurisdictions, particularly Portugal (which administered Macau until 1999). The law in force in this area is very similar to the one in force in Portugal until 2018, prior to the enactment of the GDPR. Currently, no multilateral obligations apply.
This issue does not arise in the Macau SAR jurisdiction.
As described in 1.4 Multilateral and Subnational Issues, Macau SAR’s legal framework is strongly inspired by the former EU legislation and therefore utilises the same approach as other EU-influenced legal frameworks. The omnibus model is enshrined in the PDPA, with no specific rules for individual sectors of activity.
In terms of enforcement, two different phases have been observed under the PDPA. At first, despite enactment, Macau authorities were not proactive in terms of enforcing data protection compliance. The legal framework was already in place but the level of awareness among the general population was still low and the Macau authorities adopted a pedagogic stance in relation to the collection and processing of personal data. In the second and more recent stage, with an unchanged legal framework, the approach of the Macau authorities has become much more proactive in terms of data protection rights.
There have been no relevant changes in the existing legal framework in the past 12 months.
Since its establishment, the OPDP has existed as a project team. However, it is often suggested that it may change to a more permanent status. This project is currently not listed among the bills to be submitted in 2023 by the government to the Legislative Assembly.
Data Protection Officers
The existing legal framework – including the OPDP guidelines – does not require the appointment of privacy or data protection officers. If private entities decide to create this position, they may freely proceed with their own rules, under the applicable principles and stipulations of the PDPA.
Internal/External Privacy Policies
Under Article 15 of the PDPA, the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Some of the major companies operating in Macau SAR – eg, gaming operators, banking and insurance institutions and concessionaires of public services, such as electricity or communications – are required by the OPDP to put in place data protection policies.
Requirement to Allow Data Subject Access to Data, Etc
Access to data
The PDPA assures the right of the data subject to information regarding the identity of the data controller or its representative, the purposes of processing and other ancillary information (Article 10 of the PDPA), as well as the right of access to all their data (Article 11 of the PDPA).
Correction and deletion
The right of access includes the right to rectify, delete or block data whose processing does not comply with the PDPA, including in regard to the incomplete or inexact character of that data (Article 11, paragraph 1, subparagraph 4 of the PDPA).
Objection to processing
The data subject has the right to object at any time, where lawful and serious reasons relating to their specific case obtain, to their data being the subject of processing, in which case, under that justified objection, the processing shall not concern such data (Article 12, paragraph 1 of the PDPA). Such “serious reasons” are deemed to include the objection to the sale of personal data.
Objection to marketing
The data subject also has the right to object, on request and free of charge, to the processing of personal data concerning them for direct marketing or any other form of commercial prospecting, and also has the right to be previously informed of any transfer of data to third parties for the purposes of direct marketing or use by third parties, as well as the right to object, free of charge, to that transfer or use (Article 12, paragraph 2 of the PDPA).
Use of Data Pursuant to Anonymisation
Once personal data is subject to an effective process of anonymisation, it no longer qualifies as “personal data” for all PDPA purposes. The OPDP has paid some attention to this matter, reminding the public that there are always risks of non-compliance due to re-identification of the anonymised data. There is, however, no specific legislation on this matter.
The Concept of “Injury” or “Harm” in Data Protection Law
“Injury” or “harm” concepts shall be relevant for compensation purposes as, under standard liability rules, those suffering injuries and/or harms caused by third parties may be entitled to receive compensation for the losses or harms suffered. For the breach of PDPA provisions it shall not be mandatory to suffer the said losses or harms. Data processors using personal data without the consent of the data subject will be in immediate breach of the law regardless of the extent (or lack thereof) of the harms or injuries caused to the subject and, therefore, may be liable for such conduct.
The concept of “sensitive data” is defined under Article 7 of the PDPA, which prohibits, as a general rule, the processing of personal data revealing philosophical or political beliefs, political association or trade union membership, religion, private life, and racial or ethnic origin, and data concerning health or sex life, including genetic data.
Under the PDPA, data shall be collected for specific, determined and lawful purposes which must be directly related to the activity of the data controller, and cannot be subsequently processed in a way that is incompatible with those purposes (Article 5, paragraph 1, and subparagraph 2 of the PDPA). Again, the processing of personal data may only be carried out if the data subject has given their unequivocal consent, or if the processing is necessary to the cases referred to in Article 6 of the PDPA. Hence, if the entity has declared, for example, that marketing communications are one of the purposes of processing, and if the data subject has given their consent to that purpose, such processing is lawful under the PDPA. Marketing communications include any means of marketing a certain product or service: ie, via voice communications, SMS, email, etc.
Macau citizens under the age of 18 do not have the capacity to provide the express consent required by the PDPA. Minors may be represented by parents provided that the data is not to be used for illegal purposes. Ultimately, the minor can be represented by the Public Prosecutor’s Office if any disputes arise surrounding the consent provided by one or both of the parents. For all purposes, the degree of protection of children’s privacy in Macau is reinforced by the legal provisions defining the “superior interest of the child” as the main interpretative rule for legal matters concerning minors.
Video and Television
The PDPA applies to video surveillance and to other means of capturing, processing and disseminating sounds and images capable of identifying individuals, whenever the controller is domiciled or headquartered in the MSAR, or uses a provider of access to computer and telematics networks established there (Article 3, paragraph 3 of the PDPA). No other specific stipulations exist for video surveillance, apart from Law No 2/2012, which establishes the legal framework of video surveillance in public spaces by the security forces and services of the MSAR.
As the use of CCTV is a separate processing of data, it shall require a separate notification to the OPDP under the law. Under the PDPA, the processing of data can only take place if the data subject has given their unequivocal consent to the transfer, or if that transfer is necessary under the cases provided by law. As the consent of the data subject is not feasible in such situations, the PDPA also allows for the processing of data if such processing is necessary for pursuing the legitimate interests of the data controller or the third party to whom the data is communicated, in so far as the interests, rights, freedoms and guarantees of the data subject do not prevail.
Social Media, Search Engines, Large Online Platforms
There are no specific provisions for social media, search engines and large online platforms under the Macau legal framework. Two of the general data protection and privacy issues that might affect them are discussed below.
Right to be forgotten (or of erasure)
There is no such specific right under the Macau legal framework. Nevertheless, data shall be kept in a way which allows the identification of its owner only for the duration necessary for the purposes of collection or subsequent processing (Article 5, paragraph 1, subparagraph 5 of the PDPA). This means that retention time shall not be unlimited but restricted to the scope of collection. To an extent it may qualify as a right similar to the “right to be forgotten”.
Hate speech, disinformation, abusive material, political manipulation
These types of matters are treated under the Macau legal framework but are not dealt with specifically by the PDPA or by similar legislation. These matters are addressed by the Basic Law of Macau and, at the ordinary level, by the Macau Criminal Code, under which such types of conduct are criminal offences and subject to pecuniary penalties or imprisonment.
Rights to object to sale of data, tracking, etc
The data subject has the right to object at any time, where lawful and serious reasons relating to their specific case obtain, to their data being the subject of processing, in which case, under that justified objection, the processing shall not concern such data (Article 12, paragraph 1 of the PDPA). The concept of “serious reasons” is deemed to include the objection to the sale of personal data.
Other Key Examples
Other key examples include the following.
The data subject has the right to object, on request and free of charge, to the processing of personal data concerning them for direct marketing or any other form of commercial prospecting, and also has the right to be previously informed of any transfer of data to third parties for the purposes of direct marketing or use by third parties, as well as the right to object, free of charge, to such transfer or use (Article 12, paragraph 2 of the PDPA).
Online advertisements using, for instance, the data subject’s personal email, without the prior express consent of the data subject, may be subject to administrative offence procedures and to the payment of a fee. Any advertisement using email accounts obtained without the consent of the data subject may be subject to administrative offence procedures. The OPDP has adopted, in recent years, a strict enforcement attitude towards these infringements and severe monetary penalties have been applied.
There are no special laws or considerations regarding workplace privacy in Macau SAR. The general data protection laws are applicable to this specific matter.
In order to start proceedings relating to alleged violations, the OPDP must first take into account the actions of the alleged infringers, including the type of action and the intention of the agent, under the general administrative standards. Non-compliance with the special security measures set out in Article 16 of the PDPA – for sensitive data processing and for the creation and maintenance of records regarding suspicion of illegal activity, criminal offences and administrative offences – is an administrative offence which may entail a fine between MOP4,000 and MOP40,000.
Although the PDPA provides penalties for undue access, as well as for tampering with, or destruction of, personal data, it does not specifically provide for security breaches by the data controller. It should be noted, however, that the PDPA mandates that the data controller shall present the notification/authorisation request with a general description of the security measures indicated in the Internal/External Privacy Policies section of 2.1 Omnibus Laws and General Requirements, so that the OPDP may evaluate the adequacy of such measures. If the OPDP notifies the above-mentioned entity to address any insufficiency in the security measures and no remedy is taken, then a fine of between MOP2,000 and MOP20,000 for individuals and of between MOP10,000 and MOP100,000 for legal persons may be imposed. Other potential enforcement penalties are outlined below.
Civil Non-compliance With the PDPA
Non-compliance with notification of data processing in breach of the terms set out in Article 23 of the PDPA, providing false information after notification by the OPDP and maintaining access to open data transmission networks for data controllers which do not comply with the provisions of the PDPA are all punishable by administrative sanction. This will take the form of a fine between MOP2,000 and MOP20,000 for individuals and of between MOP10,000 and MOP100,000 for legal persons; the fines are increased to twice the amount indicated above if the data is subject to previous authorisation.
Non-compliance with stipulations of the PDPA regarding:
involve an administrative sanction of a fine between MOP4,000 and MOP40,000.
Non-compliance with stipulations of the PDPA regarding:
involve an administrative sanction of a fine between MOP8,000 and MOP80,000.
Criminal Non-compliance with the PDPA
Non-compliance with stipulations of the PDPA regarding:
involve a criminal sanction of imprisonment up to one year or a fine up to 120 days. Fines which are set in days are under the discretion of the court – each day’s fine corresponds to an amount between MOP50 and MOP10,000, which the court shall set according to the economic and financial situation of the convicted person and their personal expenses. The sanction is increased to twice the duration indicated above if the data involved is sensitive (Article 7 of the PDPA) or if illegal activities, criminal offences and administrative offences are suspected (Article 8 of the PDPA).
Access in any way to personal data whose access is forbidden to said individual/entity is forbidden. The sanction is increased to twice the duration indicated when access:
Such access is punishable with a criminal sanction of imprisonment up to one year or a fine up to 120 days, unless otherwise provided by special law. The sanction is increased to twice the duration indicated in the cases provided.
Deletion, destruction, damaging, suppression or modification of personal data without proper authorisation, rendering the data unusable or affecting its ability to be used is punishable with a criminal sanction: imprisonment up to two years or a fine up to 240 days, unless otherwise provided by special law. The sanction is increased to twice the duration indicated if the damage resulting therefrom is particularly serious. If the agent acts with negligence, the sanction is, in both of the cases provided above, imprisonment for up to one year or a fine up to 120 days.
Qualified disobedience regarding notification to interrupt, cease or block the processing of personal data, or in cases of:
involve a criminal sanction of imprisonment for up to two years or a fine up to 240 days.
The general rules of the Macau Civil Code and the Macau Civil Procedure Code also apply for alleged privacy or data protection violations.
The Criminal Code and the Criminal Procedure Code are the two relevant laws in relation to access to data for law enforcement agencies. In both cases, access to data is subject to approval by a court judge.
Regarding the processing of personal data relating to persons suspected of illegal activities, criminal and administrative offences, and to decisions applying penalties, security measures, fines and additional penalties, the law allows for such processing, subject to the observance of the provisions for the protection of data and the security of information, when such processing is necessary for pursuing the legitimate purposes of the controller, provided the fundamental rights and freedoms of the data subject are not overridden.
As noted in 3.1 Laws and Standards for Access to Data for Serious Crimes, the Criminal Code and the Criminal Procedure Code are the two relevant laws in relation to access to data for the investigation of crimes. In both cases, access to data is subject to approval by a court judge. The same standards apply to issues of national security.
This issue does not arise in the Macau SAR jurisdiction.
Macau is a small territory, and the most obvious data protection issues are those related to the cross-border flow of personal data, as discussed in 4. International Considerations.
The lack of a statutory duty to report personal data breaches is becoming an increasingly hot topic.
On another front, the recent enactment of the Personal Information Protection Law in the People’s Republic of China, with its extraterritorial approach to the protection of data, imposes, in practice, numerous obligations on controllers operating in Macau that are not required by local laws. This, coupled with a similar impact from the European GDPR, has the potential to create a situation where the PDPA may lag behind the effective data protection standards of the industry.
Another debated issue is the continued requirement for notification of data processing to the OPDP, which was dropped by the European Union and also not adopted by the PRC. The practical advantage of keeping this administrative formality has been often challenged by interested parties.
The transfer of personal data overseas can only take place in accordance with PDPA provisions and provided that the jurisdiction to which the data is going to be transferred ensures an adequate level of protection. This level of protection may be assessed by the OPDP on a case-by-case basis (Article 19 of the PDPA) but, in practice, the OPDP doesn’t assess the adequacy of the level or protection guaranteed by the import jurisdiction. All cases are assessed under Article 20 of the PDPA on derogations (see 4.2 Mechanisms or Derogations That Apply to International Data Transfers). Under the PDPA there is no provision enabling the publication of a list of jurisdictions capable of ensuring the level of protection that is imposed by the PDPA.
The transfer of data overseas may be possible under the various exceptions provided by the PDPA. These include the necessity of such a transfer for the formation of a contract between the data subject and the data controller and for preliminary measures for the formation of that contract at the request of the data subject, among others. However, the most common exception to the rule indicated above is the obtaining of the data subject’s express and unequivocal consent to such a transfer (Article 20, paragraph 1 of the PDPA).
As no list of jurisdictions ensuring an adequate level of protection currently exists in Macau, the transfer of personal data abroad is subject to prior authorisation by the OPDP, as indicated in 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations That Apply to International Data Transfers. If express and unequivocal consent from the data subject is obtained, or if the situation under analysis falls under one of the exceptions provided by the PDPA, a simple notification is sufficient and complies with the legal provisions. No timeframe currently exists for the procedure for assessing of the level of protection of a given legal order by the OPDP.
The international transfer of data is subject to the requirements referred to in 4.1 Restrictions on International Data Issues.
This issue does not arise in the Macau SAR jurisdiction.
Organisations collecting or transferring data in connection with foreign government data requests, foreign litigation proceedings (eg, civil discovery) or internal investigations are not exempted from the standard requirements set out under the PDPA and shall be subject to the same penalties in case of breach of the existing laws.
This issue does not arise in the Macau SAR jurisdiction.
Big data constitutes an example of the interconnection of data, which is defined as “data processing which consists in the possibility of correlating data in a file, with the data in a file or files kept by another or other controllers, or kept by the same controller for other purposes”. As stated in 2.5 Enforcement and Litigation, the interconnection of data is subject to previous authorisation by the OPDP, without prejudice to legal or regulatory exceptions (Articles 9 and 22 of the PDPA).
Under the PDPA, profiles involving the personal data of individuals shall be built and processed in a lawful way and in compliance with the principle of good faith, as well as with the principles enunciated in Article 2 of the PDPA, which include the respect of rights, freedoms and guarantees in Macau SAR, and in international instruments and in existing legislation (Article 5, paragraph 1, subparagraph 1 of the PDPA).
Article 6 of the PDPA further provides that the processing of personal data may only be carried out if the data subject has given their unequivocal consent, or if the processing is necessary for:
Other Key Principles
The PDPA stipulates that data shall be exact and, if necessary, shall be updated, with the obligation to ensure that inexact or incomplete data is erased or amended, in compliance with the purposes for which that data was collected or subsequently processed (Article 5, paragraph 1, subparagraph 5 of the PDPA).
Purpose limitation – data shall be collected for specific, determined and lawful purposes, which are directly related to the activity of the data controller, and cannot subsequently be processed in a way that is incompatible with those purposes (Article 5, paragraph 1, subparagraph 2 of the PDPA).
Data minimisation – no specific stipulation, this principle is included in Article 5, paragraph 1, subparagraph 3 of the PDPA (see “Proportionality” below).
Proportionality – data shall be adequate, pertinent and non-excessive in relation to the purposes for which it is collected and processed (Article 5, paragraph 1, subparagraph 3 of the PDPA).
Retention – data shall be kept in a way which allows the identification of its owner only for the duration necessary for the purposes of collection or subsequent processing (Article 5, paragraph 1, subparagraph 5 of the PDPA).
Facial recognition, biometric data and geolocation – despite the absence of specific provisions in the Macau SAR applicable legislation, systems that contain these features shall be considered as personal data collecting and processing systems and therefore should follow the same operational requirements.
Drones – these devices are subject to the limitations referred to above if collecting personal data. In addition, there are requirements imposed by Macau Civil Aviation authorities, who limit the operation of the devices and require the issuance of an appropriate licence.
Disinformation and other online harms – the matter of disinformation has been partially addressed, but outside the scope of personal data protection. In this regard, “civil protection” legislation was passed, making the spread of false rumours during emergency situations a criminal offence.
Pursuant to the Macau SAR authorities’ increasing concern with data protection matters, most relevant corporations in Macau – including gaming operators, banks, insurance companies and public services concessionaires – have also increased their awareness of the topic, which in many cases has also made these players change their attitude towards the matter. It is therefore now common to find internal policies supervising the use and processing of personal data within some of these entities and it is also common to find some appointing data protection officers despite the absence of a legal requirement to enact either of these measures.
There are no significant audits, investigations or penalties imposed for alleged privacy or data protection violations. The legal standards are those included in the Macau Administrative Procedure Code and any investigation or audit shall follow the legal principles.
There are no specific regulations on this matter in Macau.
It is possible, under certain circumstances, for penalties to be published after the relevant court decisions have been taken. Such disclosure shall be considered an accessory sanction to the principal penalty imposed.
In January 2022, the new Consumer Protection Act (Law No 9/2021) entered into force. It includes provisions on the execution and performance of distance contracts, mainly imposing on the trader the duty of pre-contractual disclosure of information to the consumer. There are no specific provisions regarding the protection of privacy of the consumer, apart from a generic provision subjecting the PDPA to the collection and processing of personal data.
The Cybersecurity Law
The Cybersecurity Law was recently enacted. Under this Act, private operators of “critical public infrastructure” are required to notify their respective regulators of any “cybersecurity incidents”. This is deemed to cover significant personal data leaks but does not necessarily imply a notification to the OPDP or to the data subjects.
The COVID-19 digital environment has had a major impact on the privacy of the common citizen. Starting from December 2022, most of the measures in place were phased out, including the so-called “health code”, which is no longer required for daily life activities. Other schemes, such as the registration of the names of public transportation passengers, have also been phased out, and the scheduled erasure of existing data has been announced by the government.
The Personal Data Protection Act of Macau (PDPA) was enacted by Law No 8/2005. The PDPA follows very closely the text of the former Portuguese Act of 1998, with the notable exception of the provisions on the Public Authority for Personal Data Protection. The Act on Video Surveillance in Public Areas was enacted by Law No 2/2012.
The Chief Executive of the Special Administrative Region of Macau established, in 2007, the Office for Personal Data Protection (OPDP), empowering the Office both as regulator and as enforcer of the provisions of the PDPA. The OPDP is, however, a temporary body, with the nature of a “project team”, reporting directly to the Chief Executive. It lacks both a permanent legal basis and the status of an independent authority. The international status of the OPDP remains, since 2011, the one of an Observer to the Global Privacy Assembly.
The OPDP is empowered to enforce those provisions of the PDPA that are of an administrative nature. Criminal cases are reported to, and handled by, the Public Prosecutor’s Office. There has been some expectation, over the years, that the Executive would initiate the process for establishing a permanent, independent public authority. This has not yet materialised and the legislation plan of the government for 2023 continues to omit any reference to this matter.
Similarly, the PDPA has never been amended. The government has not included any statement on the development of personal data protection in the Policy Guidelines for 2023. Therefore, there is no expectation that the legal framework will change in the short term. This trend for stability of the law is facing an increasing number of challenges, arising from a rapidly changing data protection environment.
The cybercrime phenomenon is on the rise and poses ever greater risks on many different fronts. Macau has addressed cybersecurity concerns by enacting a Cybersecurity Act (Law No 13/2019). Personal data breaches are included in this Act as notifiable incidents. However, it should be noted that the related notifications are to be made to designated supervisory authorities, which do not include the OPDP.
At the same time, no duty exists for the controllers, regarding the notification of data breaches to the data subjects. Also, only those controllers qualified as “operators of critical infrastructure” are supposed to notify cybersecurity incidents to the supervisory authorities. There are, currently, 136 such operators in Macau.
The scale of processing of personal data is not relevant vis-à-vis the legal duties of the controller. This has repercussions at both ends of the spectrum: for example, there is no legal provision for mandatory privacy officers, either in public bodies or in large private controllers. Large-scale controllers of personal data are not required to carry out preliminary assessments of impact on privacy.
Under the PDPA, the registration of every processing of personal data is still the norm. As a result, all data controllers are required to notify the OPDP within eight days of starting the processing of personal data, without prejudice to the cases where prior authorisation must be sought. Especially when small-scale operations are involved, it becomes debatable whether the benefits of this system outweigh the administrative burden it imposes. In Macau, the volume of notifications has increased over the years. In 2021 there were nearly 900 notifications made to the OPDP.
These are examples of legal issues that have yet to be addressed in Macau.
The OPDP publishes annual reports and these offer some insight on its approach to enforcement. Two distinct phases have been observed in this regard.
Abuses, by some operators, have been on the rise in recent years, across a range of business areas, including marketing through mobile media, pushing the offer of real estate deals and heavily promoting beauty products and services.
In 2021, the OPDP conducted 186 investigations, and applied sanctions (fines) in 77 cases. Only 11% of the cases were own-motion investigations. This trend of reactive enforcement will likely continue.
Transfer of Personal Data to Jurisdictions outside Macau – “White List”
There were no recent developments on this subject. The apparent provision of Article 19 of the PDPA for adopting a white list of jurisdictions for the purpose of cross-border data transfers does not translate into a practicable mechanism.
The OPDP continues to solve this problem by resorting in every case to Article 20 of the PDPA (Derogations), which allows for transfers, even where “the legal system does not ensure an adequate level of protection”, provided that “the data subject has given his consent unambiguously to the proposed transfer”, and in a number of other limited circumstances (as per Article 20 of the PDPA).
Given the likelihood of no amendment to the PDPA in the near future, it is not expected that the situation with regard to the white list will change.
Data Combination (Interconnection)
The PDPA subjects the processing of personal data involving “data combination” to prior checking and authorisation by the OPDP. It also makes it a criminal offence to “promote or carry out an illegal combination of personal data”, punishable with imprisonment not exceeding one year or a fine not exceeding 120 days (double maxima if sensitive data is involved). This would be the case should the controller fail to secure the said authorisation.
In practice, the processing of personal data by means of data combination in the public administration became the norm, rather than the exception, given the almost “automatic” provision of legal waivers in the organic laws of public bureaus and bodies.
However, in the private sector, the need for securing a prior authorisation from the OPDP keeps the processing by means of data combination as an exception.
The effects of the COVID-19 pandemic on the privacy of residents were significant. Tracking technology was deployed by the health authorities, relying mainly on the self-reported “health code” (mobile phone app) and on the registration of the names of passengers on public transportation buses (e-card).
By the end of 2022, though, these were for the most part lifted and, as of January 2023, are no longer in use.
Macau’s video surveillance programme, “Eyes in the Sky”, continues to develop, comprising a total of nearly 2,500 video cameras to be set up in public places. This installation is planned to be completed by 2023.
Initial testing of facial recognition and vehicle licence plate recognition software was reported, mentioning “satisfactory” results. As to the retention period of the collected data, the authorities have stated that, under normal circumstances (ie, if no criminal investigation is involved), all the data is automatically erased 60 days after collection.
Under the 2012 Act, the OPDP’s prior opinion is required for each camera, regarding the location, the angle of coverage and its width of field. The OPDP regularly confirms that this has been carried out. However, the particulars of the process are not disclosed to the public.
The adoption by Mainland China of the Personal Information Protection Law (PIPL) has a special significance for Macau, given the intense economic and human cross-border flows. The OPDP has been promoting multiple awareness actions in order to ensure that local operators are in compliance with the PIPL requirements.
Macau has introduced a growing number of e-Government services, covering multiple areas of the administrative procedures for residents. The different services are being brought together into a unified platform, the “Macau One Account”, making them available online via mobile phone.
The processing of the personal data involved is subject to the PDPA. As a number of e-services require the combination of data held by two or more different public departments, the organic status of these departments, some specific acts or OPDP authorisations provide the legal grounds for such combination. The trend for expanding the “Macau One Account” platform is likely to continue for the near future.