Data privacy and personal data protection are two rights enshrined by the legal framework of the Macau Special Administrative Region (Macau SAR or MSAR), which covers these two separate but related rights in a systematic and extensive manner.

The most relevant pieces of legislation addressing data protection and data privacy issues in Macau are:

• the Macau Basic Law, enacted in 1999;
• the Section of the Macau Civil Code on privacy and personal rights, enacted in 1999; and
• Law No 8/2005, the Macau Personal Data Protection Act (PDPA).

The latter is an act inspired by the former European legislation on data protection, namely the European Union Data Protection Directive of 1995, and sets the legal framework for the protection of personal data in Macau SAR.

Other legislation affecting this area that should be noted includes:

• Administrative Regulation No 42/2023, effective from 1 February 2024, which created the Personal Data Protection Bureau (PDPB);
• a set of generic authorisations, legal opinions and case analyses that have been published by the PDPB on its official website; and
• Law No 2/2012, on the legal regime for video surveillance in public spaces and, pursuant to this act, the Dispatches of the Secretary for Security, authorising the specific setting up of video surveillance cameras in public spaces.

The government consistently includes a statement of priority in the annual policy address regarding the implementation of e-government, smart city and other areas involving sensitive digital technologies and artificial intelligence.

Notwithstanding this, since its enactment in 2005, the PDPA has not been amended.

The international trend for amendments and updates of legal frameworks on data protection matters, as well as the continued domestic and international interest in the area, has not been reflected in amendments to the PDPA.

The PDPB is, under Administrative Regulation 42/2023, the government entity responsible and accountable for monitoring and enforcing compliance with PDPA provisions, and for establishing an adequate confidentiality system and monitoring its enforcement.

The PDPB is granted powers covering a broad area of activities both in the private and in the public sectors and possesses a full legal basis and a permanent status.

Being a Bureau within the Public Administration of the MSAR, but reporting directly to the Chief Executive, it remains to be clarified whether this status equates with a status of permanent independence.

The PDPB is a member of the Asia Pacific Privacy Authorities (APPA).

Following it’s admission as an observer at the 30th Conference of the Global Privacy Assembly (GPA) in 2008, the current status of the PDPB is still observer, valid until April 2025.

It is expected that the PDPB will apply for admission as a member of the GPA.

There are two different types of administrative process: notification and authorisation.

Notification

Under the PDPA, the data controller, or their representative, if any, must notify the public authority in writing within eight days after the start of carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes. The public authority may authorise the simplification of, or exemption from, notification for specific categories of processing which, taking account of the data to be processed, are unlikely to adversely affect the rights and freedoms of the data subjects. In allowing this simplification or exemption, the authority will also consider the speed, economy and efficiency of the relevant processing.

The authorisation of simplification shall be published in the Official Gazette of the Macau SAR and must specify: the purposes of the processing; the data or category of data to be processed; the category or categories of data subjects; the recipients, or categories of recipients, to whom the data may be disclosed; and the length of time the data is to be stored.

There are exemptions from notification, such as those for processing whose sole purpose is the keeping of a register which, according to laws or administrative regulations, is intended to provide information to the public and which is open to consultation by the public in general or by any person demonstrating a legitimate interest.

The texts of these generic authorisations are available at the PDPB’s official website.

Authorisation

Prior authorisation by the PDPB is required for some types of processing. These include the processing of sensitive data (where it is not carried out pursuant to a legal provision or it is carried out without the explicit consent of the data subject), data related to the credit and solvency of the data subject, and the combination of data and further processing of data for purposes other than those originally stated by the controller.

For this purpose, sensitive data means personal data revealing philosophical or political beliefs, political association or trade union membership, religion, private life, and racial or ethnic origin, and data concerning health or sex life, including genetic data. The authorisations for these types of processing shall be granted only if the controller provides guarantees of non-discrimination and sufficient security measures (indicated in the PDPA).

Applications submitted to the PDPB for opinions, authorisations and notifications shall include the following information:

• the name and address of the controller and of their representative, if any.
• the purposes of the processing;
• a description of the category or categories of data subjects and of the data or categories of personal data relating to them;
• the recipients or categories of recipients to whom the data might be disclosed and in what circumstances;
• the body entrusted with processing the information, if it is not the controller themselves;
• any combinations of personal data processing;
• the length of time for which personal data will be kept;
• the form and circumstances in which the data subjects may be informed of, or may correct, the personal data relating to them;
• proposed transfers of data to third countries or territories; and
• a general description enabling a preliminary assessment to be made of the adequacy of the measures taken to ensure security.

Without prejudice to the right to submit a complaint to the public authority, according to the law any person may have recourse to administrative and legal means to guarantee compliance with provisions of laws and regulations in the area of personal data protection.

The PDPB is empowered to enforce those provisions of the PDPA that are of an administrative nature, under the PDPA and the Administrative Regulation 42/2023. Criminal cases are reported to, and handled by, the Public Prosecutor’s Office.

Administrative Offences

To start proceedings relating to alleged violations, the PDPB must first take into account the actions of the alleged infringers, including the type of action and the intention of the agent, under the general administrative standards. Non-compliance with the special security measures required by Article 16 of the PDPA – for sensitive data processing and for the creation and maintenance of records regarding suspicion of illegal activity, criminal offences and administrative offences – is an administrative offence which may entail a fine between MOP4,000 and MOP40,000.

Although the PDPA provides penalties for undue access, as well as for tampering with, or destruction of, personal data, it does not specifically provide for security breaches by the data controller. It should be noted, however, that the PDPA mandates that the data controller shall present the notification/authorisation request with a general description of the security measures, so that the PDPB may evaluate the adequacy of such measures. If the PDPB notifies the above-mentioned entity to address any insufficiency in the security measures and no remedy is taken, then a fine of between MOP2,000 and MOP20,000 for individuals and of between MOP10,000 and MOP100,000 for legal persons may be imposed. Other potential enforcement penalties are outlined below.

Non-compliance with notification of data processing in breach of the terms set out in Article 23 of the PDPA, providing false information after notification by the PDPB and maintaining access to open data transmission networks for data controllers which do not comply with the provisions of the PDPA are all punishable by administrative sanction. This will take the form of a fine between MOP2,000 and MOP20,000 for individuals and of between MOP10,000 and MOP100,000 for legal persons; the fines are increased to twice the amount indicated above if the data is subject to previous authorisation.

Non-compliance with stipulations of the PDPA regarding:

• data quality (Article 5);
• right to information, access, objection, right not to be subject to automated individual decisions (Articles 10 to 13);
• special security measures (Article 16);
• processing by subcontractor (Article 17); and
• non-provision of mandatory information provided in Article 24, paragraph 1,

involve an administrative sanction of a fine between MOP4,000 and MOP40,000.

Non-compliance with stipulations of the PDPA regarding:

• conditions for legitimacy of data processing (Article 6);
• processing of sensitive data (Article 7);
• suspicions of illegal activities, criminal offences and administrative offences (Article 8);
• interconnection of personal data (Article 9); and
• transfer of data to a destination outside the MSAR and respective exemptions (Articles 19 and 20),

involve an administrative sanction of a fine between MOP8,000 and MOP80,000.

Criminal Offences

Non-compliance with stipulations of the PDPA regarding:

• purposefully omitting the notification/authorisation indicated in Articles 21 and 22 of the PDPA;
• providing false information in the notification/authorisation requests for the processing of personal data or making modifications in this request not allowed by the instrument of legalisation;
• diverting or using personal data, in a manner incompatible with the purpose of the collection or with the instrument of legalisation;
• promoting or carrying out an illegal interconnection of personal data;
• non-compliance with the obligations provided for in this law or in other data protection legislation in the period established by the PDPB; and
• maintaining access to open data transmission networks for those responsible for the processing of personal data that do not comply with the provisions of the PDPA, after notification of the PDPB not to do so,

involve a criminal sanction of imprisonment up to one year or a fine up to 120 days. Fines which are set in days are under the discretion of the court – each day’s fine corresponds to an amount between MOP50 and MOP10,000, which the court shall set according to the economic and financial situation of the convicted person and their personal expenses. The sanction is increased to twice the duration indicated above if the data involved is sensitive (Article 7 of the PDPA) or if illegal activities, criminal offences and administrative offences are suspected (Article 8 of the PDPA).

Access in any way to personal data whose access is forbidden to said individual/entity is forbidden. The sanction is increased to twice the duration indicated when access:

• is achieved through violation of technical safety rules;
• has allowed the agent or third parties to obtain personal data; or
• has provided the agent or third parties with a benefit or patrimonial advantage.

Such access is punishable with a criminal sanction of imprisonment for up to one year or a fine up to 120 days, unless otherwise provided by special law. The sanction is increased to twice the duration indicated in the cases described.

Deletion, destruction, damaging, suppression or modification of personal data without proper authorisation, rendering the data unusable or affecting its ability to be used is punishable with a criminal sanction: imprisonment up to two years or a fine up to 240 days, unless otherwise provided by special law. The sanction is increased to twice the duration indicated if the damage resulting therefrom is particularly serious. If the agent acts with negligence, the sanction is, in both of the cases provided above, imprisonment for up to one year or a fine up to 120 days.

Qualified disobedience regarding notification to interrupt, cease or block the processing of personal data, or in cases of:

• refusal, without just cause, to co-operate as specifically requested by the PDPB;
• refusal to totally or partially destroy personal data; and/or
• refusal to destroy personal data, after the period of conservation provided for in the PDPA,

involve a criminal sanction of imprisonment for up to two years or a fine up to 240 days.

The PDPB publishes summaries of the most relevant cases. In 2023 and 2024, a total of 18 cases were published. One case was deemed a criminal offence and forwarded to the Public Prosecutor.

The administrative offence cases involved telemarketing in breach of the data subjects’ rights, failure to notify the PDPB of processing and/or cross-border transfer of data and disclosure/posting of personal data on social media without consent.

Fines ranged from MOP4,000 to MOP30,000 per offence.

No specific regulation has been enacted in Macau addressing AI.

In the absence of specific AI regulation, the PDPA is the applicable law in personal data protection issues arising from AI.

There are no recent cases in privacy litigation in Macau.

There are no recent cases in privacy litigation in Macau.

There is no collective redress mechanism for protection of the collective interests of data subjects in Macau. Under Article 14 of the PDPA, individuals may file for damages arising from unlawful processing of their personal data. These cases are judged by the civil courts.

With regard to the internet of things (IoT) projects and the data circulating therein, where data processed may relate to an identified or identifiable natural person, the processing falls under the provisions of the PDPA. The processing of personal data through any such device must comply with the applicable stipulations of the law:

• it must be performed in a transparent manner and in strict observance of privacy rights and of the rights, freedoms and guarantees enshrined in the Macau Basic Law and in applicable legislation; and
• it may only be carried out if the data subject has given their unequivocal consent, or if the processing is necessary for the purposes set out in the law.

There is currently no specific legislation on the IoT in the MSAR. Concerned parties should approach compliance from the perspective of personal data protection, where applicable.

Information that is not, initially, deemed personal data may become so by means of cross-referencing other databases.

Developers and controllers need to be mindful of developments, both in technology and in the market landscape, and take the necessary steps to respect the data subjects’ rights in such an event.

Regular reviews and assessments of impact of IoT projects on personal data should be carried out, to minimise the risk of non-compliance with the PDPA.

The rights and obligations arising from the use of IoT services, as long as personal data is involved, are those set out for processing of personal data in the PDPA.

In relation to personal data protection, the regulator is the Personal Data Protection Bureau, as mentioned in 1.2 Regulators and 1.3 Enforcement Proceedings and Fines. A significant part of IoT projects deals with public infrastructures, such as those being researched by the State Key Laboratory of Internet of Things for Smart City, in the University of Macau: Intelligent Sensing and Network Communication, Urban Big Data and Intelligent Technology, Smart Energy, Intelligent Transportation and Urban Safety and Disaster Prevention. Operators in these areas may be deemed private operators of critical infrastructures and be additionally subject to other regulators, under the provisions of Macau Cybersecurity Law (Law No 13/2019).

Cookies that are strictly necessary for the operation of a website may be lawfully used without any special requirements, under Article 6 of the PDPA.

Other cookies may only be used with the consent of the data subject.

As for other categories of personal data, the data subject has the right to be informed of the purposes of the cookies, the recipients or categories of recipients, and whether accepting cookies is obligatory or voluntary, as well as the possible consequences of rejecting the cookies. The controller must ensure that consent is freely given, specific and informed.

Personalised advertising involves gathering information about the data subject.

As a minimum, upon collection of the relevant personal data, the data subject must be informed that their data may be used for the purpose of selecting goods or services that will be advertised to them later. Online marketing or any other form of direct marketing is subject to the provision of Article 12(2) of the PDPA: The data subject has the right to object, on request and free of charge, to the processing of personal data relating to them which the controller anticipates being processed for the purposes of direct marketing or any other form of commercial research, or to be informed before personal data is disclosed for the first time to third parties for the purposes of direct marketing or for use on behalf of third parties, and to be expressly offered the right to object free of charge to such disclosure or uses.

Advertisers should also take into account the provisions of Law No 7/89/M, as republished by Law No 26/2024 (Advertising activity), restricting some practices and the advertising of some goods and services in Macau.

Labour relations in Macau are regulated by Law No 7/2008.

Article 8 (Protection of privacy) stipulates that:

• the employer and the employee should mutually respect each other’s personal rights, in particular, the rights to protect the privacy of their personal lives; and
• the right to privacy relates to access to and disclosure of information relating to the private and personal lives of either party, such as their respective family life, emotional and sexual lives, state of health and their political and religious convictions.

On the other hand, the PDPA stipulates, in Article 7(1) (Sensitive data) that the processing of personal data revealing... trade union membership... shall be prohibited.

Exceptions to this are provided in the case where:

• the data subject has given their explicit consent for such processing (Article 7(2)(3)); and
• it is carried out with the data subject’s consent in the course of its legitimate activities by a legal person or non-profit seeking body with a ... trade union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data is not disclosed to a third party without the consent of the data subjects.

Therefore, processing of trade union membership data is lawful in those two circumstances.

The duty of the employer to notify the PDPB of the processing of personal data of its employees is waived in some cases, for example in respect of:

• personal data necessary for processing of payroll and payroll-related obligations (Authorisation No 01/2007);
• personal data necessary for processing of administrative management of the employment relationship (Authorisation No 02/2007); and
• processing of biometric data for attendance control purposes (Authorisation No 02/2020).

The PDPB provides detailed recommendations on the use of personal data for supervision of employees activities in the workplace, emphasising the principles of legality of purpose, non-excessive collection and including sample privacy statements for processing of supervision of telephone calls, e-mail and internet usage and video surveillance.

In asset deals, the standard provisions of the PDPA apply. Namely, the buyer, as a recipient for the personal data controlled by the seller, shall become the controller of the data.

The data subjects’ right to information includes the identity of the recipients and the purposes of the disclosure of data to those recipients.

Besides, the identity and purposes of processing of the recipients are part of the notification to the PDPB and this notification might also need to be amended/updated.

The recipient must fulfil the requirements of legitimacy for processing the transferred data.

Therefore, either consent from the data subjects or another condition for legitimacy needs to be secured, along with a notification to the PDPB, whenever the processing is not already covered by such a notification.

The transfer of personal data overseas can only take place in accordance with the provisions of the PDPA, and provided that the jurisdiction to which the data is going to be transferred ensures an adequate level of protection.

This level of protection may be assessed by the PDPB on a case-by-case basis (Article 19 of the PDPA) but, in practice, the PDPB does not assess the adequacy of the level or protection guaranteed by the import jurisdiction.

All cases are assessed under Article 20 of the PDPA on derogations (see below).

Under the PDPA there is no provision enabling the publication of a list of jurisdictions capable of ensuring the level of protection that is imposed by the PDPA (no “white list”).

The transfer of data overseas may be possible under the various exceptions provided by the PDPA.

These include the necessity of such a transfer for the formation of a contract between the data subject and the data controller and for preliminary measures for the formation of that contract at the request of the data subject, among others.

However, the most common exception to the rule indicated above is the obtaining of the data subject’s express and unambiguous consent to such a transfer (Article 20, paragraph 1 of the PDPA).

Organisations collecting or transferring data in connection with foreign government data requests, foreign litigation proceedings (eg, civil discovery) or internal investigations are not exempted from the standard requirements set out under the PDPA and shall be subject to the same penalties in case of breach of the existing laws.

As no list of jurisdictions ensuring an adequate level of protection currently exists in Macau, the transfer of personal data abroad is subject to prior authorisation by the PDPB, as indicated in 5.1 Restrictions on International Data Transfers.

If express and unequivocal consent from the data subject is obtained, or if the situation under analysis falls under one of the exceptions provided by the PDPA, a simple notification is sufficient and complies with the legal provisions.

The international transfer of data is subject to the requirements referred to in 5.1 Restrictions on International Data Transfers.

The issue of “blocking” statutes does not arise in the Macau SAR jurisdiction.

On September 2024, the PDPB, jointly with the Economic and Technological Development Bureau (DSEDT) and the Cyberspace Administration of China, launched the “Standard Contract for cross-border flow of personal information in the Greater Bay Area Guangdong-Hong Kong-Macau (Mainland China – Macau)”. This regional development may become a yardstick for future international developments.