Data privacy and personal data protection are two rights enshrined by the legal framework of the Macau Special Administrative Region (Macau SAR or MSAR), which covers these two separate but related rights in a systematic and extensive manner.
The most relevant pieces of legislation addressing data protection and data privacy issues in Macau are:
The latter is an act inspired by the former European legislation on data protection, namely the European Union Data Protection Directive of 1995, and sets the legal framework for the protection of personal data in Macau SAR.
Other legislation affecting this area that should be noted includes:
The government consistently includes a statement of priority in the annual policy address regarding the implementation of e-government, smart city and other areas involving sensitive digital technologies and artificial intelligence.
Notwithstanding this, since its enactment in 2005, the PDPA has not been amended.
The international trend for amendments and updates of legal frameworks on data protection matters, as well as the continued domestic and international interest in the area, has not been reflected in amendments to the PDPA.
The PDPB is, under Administrative Regulation 42/2023, the government entity responsible and accountable for monitoring and enforcing compliance with PDPA provisions, and for establishing an adequate confidentiality system and monitoring its enforcement.
The PDPB is granted powers covering a broad area of activities both in the private and in the public sectors and possesses a full legal basis and a permanent status.
Being a Bureau within the Public Administration of the MSAR, but reporting directly to the Chief Executive, it remains to be clarified whether this status equates with a status of permanent independence.
The PDPB is a member of the Asia Pacific Privacy Authorities (APPA).
Following its admission as an observer at the 30th Conference of the Global Privacy Assembly (GPA) in 2008, the PDPB’s current status is still that of observer, valid until April 2025.
It is expected that the PDPB will apply for admission as a member of the GPA.
There are two different types of administrative process: notification and authorisation.
Notification
Under the PDPA, the data controller, or their representative, if any, must notify the public authority in writing within eight days after the start of carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes. The public authority may authorise the simplification of, or exemption from, notification for specific categories of processing which, taking account of the data to be processed, are unlikely to adversely affect the rights and freedoms of the data subjects. In allowing this simplification or exemption, the authority will also consider the speed, economy and efficiency of the relevant processing.
The authorisation of simplification shall be published in the Official Gazette of the Macau SAR and must specify: the purposes of the processing; the data or category of data to be processed; the category or categories of data subjects; the recipients, or categories of recipients, to whom the data may be disclosed; and the length of time the data is to be stored.
There are exemptions from notification, such as those for processing whose sole purpose is the keeping of a register which, according to laws or administrative regulations, is intended to provide information to the public and which is open to consultation by the public in general or by any person demonstrating a legitimate interest.
The texts of these generic authorisations are available at the PDPB’s official website.
Authorisation
Prior authorisation by the PDPB is required for some types of processing. These include the processing of sensitive data (where it is not carried out pursuant to a legal provision or it is carried out without the explicit consent of the data subject), data related to the credit and solvency of the data subject, and the combination of data and further processing of data for purposes other than those originally stated by the controller.
For this purpose, sensitive data means personal data revealing philosophical or political beliefs, political association or trade union membership, religion, private life, and racial or ethnic origin, and data concerning health or sex life, including genetic data. The authorisations for these types of processing shall be granted only if the controller provides guarantees of non-discrimination and sufficient security measures (indicated in the PDPA).
Applications submitted to the PDPB for opinions, authorisations and notifications shall include the following information:
Without prejudice to the right to submit a complaint to the public authority, according to the law any person may have recourse to administrative and legal means to guarantee compliance with provisions of laws and regulations in the area of personal data protection.
The PDPB is empowered to enforce those provisions of the PDPA that are of an administrative nature, under the PDPA and the Administrative Regulation 42/2023. Criminal cases are reported to, and handled by, the Public Prosecutor’s Office.
Administrative Offences
To start proceedings relating to alleged violations, the PDPB must first take into account the actions of the alleged infringers, including the type of action and the intention of the agent, under the general administrative standards. Non-compliance with the special security measures required by Article 16 of the PDPA – for sensitive data processing and for the creation and maintenance of records regarding suspicion of illegal activity, criminal offences and administrative offences – is an administrative offence which may entail a fine between MOP4,000 and MOP40,000.
Although the PDPA provides penalties for undue access, as well as for tampering with, or destruction of, personal data, it does not specifically provide for security breaches by the data controller. It should be noted, however, that the PDPA mandates that the data controller shall present the notification/authorisation request with a general description of the security measures, so that the PDPB may evaluate the adequacy of such measures. If the PDPB notifies the above-mentioned entity to address any insufficiency in the security measures and no remedy is taken, then a fine of between MOP2,000 and MOP20,000 for individuals and of between MOP10,000 and MOP100,000 for legal persons may be imposed. Other potential enforcement penalties are outlined below.
Non-compliance with notification of data processing in breach of the terms set out in Article 23 of the PDPA, providing false information after notification by the PDPB and maintaining access to open data transmission networks for data controllers which do not comply with the provisions of the PDPA are all punishable by administrative sanction. This will take the form of a fine between MOP2,000 and MOP20,000 for individuals and of between MOP10,000 and MOP100,000 for legal persons; the fines are increased to twice the amount indicated above if the data is subject to previous authorisation.
Non-compliance with stipulations of the PDPA regarding:
involve an administrative sanction of a fine between MOP4,000 and MOP40,000.
Non-compliance with stipulations of the PDPA regarding:
involve an administrative sanction of a fine between MOP8,000 and MOP80,000.
Criminal Offences
Non-compliance with stipulations of the PDPA regarding:
involve a criminal sanction of imprisonment up to one year or a fine up to 120 days. Fines which are set in days are under the discretion of the court – each day’s fine corresponds to an amount between MOP50 and MOP10,000, which the court shall set according to the economic and financial situation of the convicted person and their personal expenses. The sanction is increased to twice the duration indicated above if the data involved is sensitive (Article 7 of the PDPA) or if illegal activities, criminal offences and administrative offences are suspected (Article 8 of the PDPA).
Accessing, by any means, personal data to which the individual or entity concerned is not permitted access is forbidden. The sanction is increased to twice the duration indicated when access:
Such access is punishable with a criminal sanction of imprisonment for up to one year or a fine up to 120 days, unless otherwise provided by special law. The sanction is increased to twice the duration indicated in the cases described.
Deletion, destruction, damaging, suppression or modification of personal data without proper authorisation, rendering the data unusable or affecting its ability to be used is punishable with a criminal sanction: imprisonment up to two years or a fine up to 240 days, unless otherwise provided by special law. The sanction is increased to twice the duration indicated if the damage resulting therefrom is particularly serious. If the agent acts with negligence, the sanction is, in both of the cases provided above, imprisonment for up to one year or a fine up to 120 days.
Qualified disobedience regarding notification to interrupt, cease or block the processing of personal data, or in cases of:
involve a criminal sanction of imprisonment for up to two years or a fine up to 240 days.
The PDPB publishes summaries of the most relevant cases. In 2023 and 2024, a total of 18 cases were published. One case was deemed a criminal offence and forwarded to the Public Prosecutor.
The administrative offence cases involved telemarketing in breach of the data subjects’ rights, failure to notify the PDPB of processing and/or cross-border transfer of data and disclosure/posting of personal data on social media without consent.
Fines ranged from MOP4,000 to MOP30,000 per offence.
No specific regulation has been enacted in Macau addressing AI.
In the absence of specific AI regulation, the PDPA is the applicable law in personal data protection issues arising from AI.
There are no recent cases in privacy litigation in Macau.
There is no collective redress mechanism for protection of the collective interests of data subjects in Macau. Under Article 14 of the PDPA, individuals may file for damages arising from unlawful processing of their personal data. These cases are judged by the civil courts.
With regard to the internet of things (IoT) projects and the data circulating therein, where data processed may relate to an identified or identifiable natural person, the processing falls under the provisions of the PDPA. The processing of personal data through any such device must comply with the applicable stipulations of the law:
There is currently no specific legislation on the IoT in the MSAR. Concerned parties should approach compliance from the perspective of personal data protection, where applicable.
Information that is not, initially, deemed personal data may become so by means of cross-referencing other databases.
Developers and controllers need to be mindful of developments, both in technology and in the market landscape, and take the necessary steps to respect the data subjects’ rights in such an event.
Regular reviews and assessments of impact of IoT projects on personal data should be carried out, to minimise the risk of non-compliance with the PDPA.
The rights and obligations arising from the use of IoT services, as long as personal data is involved, are those set out for processing of personal data in the PDPA.
In relation to personal data protection, the regulator is the Personal Data Protection Bureau, as mentioned in 1.2 Regulators and 1.3 Enforcement Proceedings and Fines. A significant part of IoT projects deals with public infrastructures, such as those being researched by the State Key Laboratory of Internet of Things for Smart City, in the University of Macau: Intelligent Sensing and Network Communication, Urban Big Data and Intelligent Technology, Smart Energy, Intelligent Transportation and Urban Safety and Disaster Prevention. Operators in these areas may be deemed private operators of critical infrastructures and be additionally subject to other regulators, under the provisions of Macau Cybersecurity Law (Law No 13/2019).
Cookies that are strictly necessary for the operation of a website may be lawfully used without any special requirements, under Article 6 of the PDPA.
Other cookies may only be used with the consent of the data subject.
As for other categories of personal data, the data subject has the right to be informed of the purposes of the cookies, the recipients or categories of recipients, and whether accepting cookies is obligatory or voluntary, as well as the possible consequences of rejecting the cookies. The controller must ensure that consent is freely given, specific and informed.
Personalised advertising involves gathering information about the data subject.
As a minimum, upon collection of the relevant personal data, the data subject must be informed that their data may be used for the purpose of selecting goods or services that will be advertised to them later. Online marketing or any other form of direct marketing is subject to the provision of Article 12(2) of the PDPA: The data subject has the right to object, on request and free of charge, to the processing of personal data relating to them which the controller anticipates being processed for the purposes of direct marketing or any other form of commercial research, or to be informed before personal data is disclosed for the first time to third parties for the purposes of direct marketing or for use on behalf of third parties, and to be expressly offered the right to object free of charge to such disclosure or uses.
Advertisers should also take into account the provisions of Law No 7/89/M, as republished by Law No 26/2024 (Advertising activity), restricting some practices and the advertising of some goods and services in Macau.
Labour relations in Macau are regulated by Law No 7/2008.
Article 8 (Protection of privacy) stipulates that:
On the other hand, the PDPA stipulates, in Article 7(1) (Sensitive data) that the processing of personal data revealing... trade union membership... shall be prohibited.
Exceptions to this are provided in the case where:
Therefore, processing of trade union membership data is lawful in those two circumstances.
The duty of the employer to notify the PDPB of the processing of personal data of its employees is waived in some cases, for example in respect of:
The PDPB provides detailed recommendations on the use of personal data for the supervision of employees’ activities in the workplace, emphasising the principles of legality of purpose and non-excessive collection, and including sample privacy statements for the supervision of telephone calls, e-mail and internet usage, and video surveillance.
In asset deals, the standard provisions of the PDPA apply. Namely, the buyer, as a recipient for the personal data controlled by the seller, shall become the controller of the data.
The data subjects’ right to information includes the identity of the recipients and the purposes of the disclosure of data to those recipients.
Besides, the identity and purposes of processing of the recipients are part of the notification to the PDPB and this notification might also need to be amended/updated.
The recipient must fulfil the requirements of legitimacy for processing the transferred data.
Therefore, either consent from the data subjects or another condition for legitimacy needs to be secured, along with a notification to the PDPB, whenever the processing is not already covered by such a notification.
The transfer of personal data overseas can only take place in accordance with the provisions of the PDPA, and provided that the jurisdiction to which the data is going to be transferred ensures an adequate level of protection.
This level of protection may be assessed by the PDPB on a case-by-case basis (Article 19 of the PDPA) but, in practice, the PDPB does not assess the adequacy of the level of protection guaranteed by the importing jurisdiction.
All cases are assessed under Article 20 of the PDPA on derogations (see below).
Under the PDPA there is no provision enabling the publication of a list of jurisdictions capable of ensuring the level of protection that is imposed by the PDPA (no “white list”).
The transfer of data overseas may be possible under the various exceptions provided by the PDPA.
These include the necessity of such a transfer for the formation of a contract between the data subject and the data controller and for preliminary measures for the formation of that contract at the request of the data subject, among others.
However, the most common exception to the rule indicated above is the obtaining of the data subject’s express and unambiguous consent to such a transfer (Article 20, paragraph 1 of the PDPA).
Organisations collecting or transferring data in connection with foreign government data requests, foreign litigation proceedings (eg, civil discovery) or internal investigations are not exempted from the standard requirements set out under the PDPA and shall be subject to the same penalties in case of breach of the existing laws.
As no list of jurisdictions ensuring an adequate level of protection currently exists in Macau, the transfer of personal data abroad is subject to prior authorisation by the PDPB, as indicated in 5.1 Restrictions on International Data Transfers.
If express and unequivocal consent from the data subject is obtained, or if the situation under analysis falls under one of the exceptions provided by the PDPA, a simple notification is sufficient and complies with the legal provisions.
The international transfer of data is subject to the requirements referred to in 5.1 Restrictions on International Data Transfers.
The issue of “blocking” statutes does not arise in the Macau SAR jurisdiction.
In September 2024, the PDPB, jointly with the Economic and Technological Development Bureau (DSEDT) and the Cyberspace Administration of China, launched the “Standard Contract for cross-border flow of personal information in the Greater Bay Area Guangdong-Hong Kong-Macau (Mainland China – Macau)”. This regional development may become a yardstick for future international developments.
Avenida da Amizade, 555
Landmark Office Tower
23rd Floor
Macau SAR
+853 2856 2322
+853 2858 0991
mail@lektou.com www.lektou.com
Legal Framework
The Personal Data Protection Act of Macau (PDPA) was enacted by Law No 8/2005 and follows very closely the text of the former Portuguese Act of 1998, with the notable exception of the provisions on the Public Authority for Personal Data Protection.
The Act on Video Surveillance in Public Areas was enacted by Law No 2/2012.
The Personal Data Protection Bureau (PDPB) is the public authority with regulatory and supervisory powers, created in 2023 by Administrative Regulation No 42/2023. It succeeded the former Office for Personal Data Protection (OPDP).
The PDPB is a permanent Bureau of the Public Administration of the Macau Special Administrative Region and, despite not having a formal independent status, it is placed under the direct authority of the Chief Executive, not under a Secretary of the government.
This means that the PDPB is not under the authority of other public administration bodies in the performance of its regulatory and supervisory powers.
It is expected that the new PDPB will apply for membership to the Global Privacy Assembly, currently having the status of an Observer.
The substantive law framework in Macau has not seen a significant change in the last few years, and no plans to legislate in the field of personal data protection have been announced.
The previously reported concerns, namely regarding a duty of notification of data breaches to data subjects, provision for mandatory privacy officers in relevant controllers, preliminary assessments of impact on privacy to be carried out by large-scale controllers, and duties in connection to further transfers in the case of cross-border transfer of personal data, remain current and may be addressed by the new PDPB in the near future. With the emergence of AI, the resilience of the PDPA is under additional pressure.
Another area where the Macau SAR may consider a revision of the legal framework is the requirement for notification (registration) of processing of personal data with the PDPB.
This notification is an administrative requirement, not necessarily followed by an assessment of the lawfulness of the notified processing of personal data.
The volume of such notifications increased in 2022 and 2023, with more than 1,600 cases each year, up 80% from the nearly 900 in 2021.
It is debatable whether the benefits of this system outweigh the administrative burden it imposes.
The new challenges posed by the AI tools and their impact on privacy and personal data protection are being addressed worldwide and one may expect that the new PDPB will do the same, either by issuing guidelines or by promoting legislation and/or regulation on the subject.
Enforcement
The PDPB will continue to publish annual reports of activity, offering some insight on its approach to enforcement. Two distinct phases have been observed in this regard in the past.
2023 did not show a significant change in the number of new investigations (105, compared to 73 in 2022 and 124 in 2021) or in the number of sanctions applied (30 offenders, compared to 18 in 2022 and 24 in 2021).
Less than 9% of the investigations were own-motion.
It is yet to be seen whether the PDPB will adopt a more proactive stance, particularly regarding own-motion investigations.
Transfer of Personal Data to Jurisdictions outside Macau – “White List”
There have been no recent developments on this subject.
The apparent provision of Article 19 of the PDPA for adopting a white list of jurisdictions for the purpose of cross-border data transfers does not translate into a practicable mechanism.
The PDPB is expected to continue to solve this problem by resorting in every case to Article 20 of the PDPA (Derogations), which allows for transfers, even where “the legal system does not ensure an adequate level of protection”, provided that “the data subject has given his consent unambiguously to the proposed transfer” and in a number of other limited circumstances (as per Article 20 of the PDPA).
Any change to this situation depends on the amendment to the relevant provisions of the PDPA.
In respect of regional cross-border data flows, the trend sees a close co-operation with the Cyberspace Administration of China, facilitating the flow of personal information in the context of the Greater Bay Area Guangdong-Hong Kong-Macau.
In a joint initiative, together with the Economic and Technological Development Bureau of Macau (DSEDT) and the Cyberspace Administration of China, the PDPB launched the “Standard Contract for cross-border flow of personal information in the Greater Bay Area Guangdong-Hong Kong-Macau (Mainland China – Macau)”.
Data Combination (Interconnection)
The PDPA subjects the processing of personal data involving “data combination” to prior checking and authorisation by the OPDP. It also makes it a criminal offence to “promote or carry out an illegal combination of personal data”, punishable with imprisonment not exceeding one year or a fine not exceeding 120 days (double maxima if sensitive data is involved). This would be the case should the controller fail to secure the required authorisation.
In practice, almost every department of the public administration is empowered, by law or by its organic regulation, to conduct data combination in areas related to its lawful activities.
There is a close connection between this topic and the development of e-government, making the use of data combination by the public administration the norm, rather than the exception.
However, in the private sector, the need to secure a prior authorisation from the OPDP keeps the processing by means of data combination as an exception.
The total number of applications for authorisations (mostly granted to bodies of the public sector, including data combination) was 57 in 2023, compared with 33 in 2022 and 65 in 2021.
Video Surveillance
Macau’s video surveillance programme, “Eyes in the Sky”, continues to develop.
As the initial phases have yielded satisfactory results in criminal investigation, the authorities have disclosed plans to further expand the system, which is expected to include up to 4,200 cameras by 2028.
The system has the capability to provide facial recognition and vehicle licence plate recognition.
The authorities have stated that, in respect of the retention period for collected data, under normal circumstances (ie, if no criminal investigation is involved) all data is automatically erased 60 days after collection.
Under the 2012 Act, the OPDP’s prior opinion is required for each camera’s location, angle of coverage and its width of field. The OPDP regularly confirms that its opinion has been given, however, the particulars of the process are not disclosed to the public.
PIPL
The adoption by Mainland China of the Personal Information Protection Law (PIPL) has a special significance for Macau, given the intense economic and human cross-border flows between the regions.
The PDPB held a forum on high-level protection of personal data during the China Cybersecurity Week of 2024, with the participation of the Commissioner of the Office of the Privacy Commissioner for Personal Data, Hong Kong and a seminar for lawyers of Macau on recent trends in personal data protection in China and in some Portuguese-speaking countries.
The PDPB is expected to continue promoting multiple awareness actions to ensure that local operators are in compliance with the PIPL requirements.
e-Government
Macau has introduced a growing number of e-government services, covering multiple areas of the administrative procedures of the residents.
The different services are being brought together into a unified platform, the “Macau One Account”, making them available online via mobile phone.
This has been developed to enable residents to produce a growing list of documents (eg, ID, driver’s licence) only by exhibiting their digital version.
The processing of the relevant personal data is subject to the PDPA. As a number of e-services require the combination of data held by two or more different public departments, the organic regulations of these departments, some specific acts or PDPB authorisations, provide the legal grounds for such combination.
The trend for expanding the “Macau One Account” platform is likely to continue in the near future.