The Macau Special Administrative Region of the People’s Republic of China (Macau SAR or MSAR) has its political and legal framework in the Basic Law, adopted by the National People’s Congress in 1993, under the provision of Article 31 of the Constitution.

Data privacy and personal data protection are two rights enshrined by the Basic Law, which covers these two separate but related rights in a systematic and extensive manner.

The most relevant pieces of legislation addressing data protection and data privacy issues in Macau are:

• the Macau Basic Law;
• the Section of the Macau Civil Code on privacy and personal rights, enacted in 1999; and
• Law No 8/2005, the Macau Personal Data Protection Act (PDPA).

The latter is an act inspired by the former European legislation on data protection, namely the European Union Data Protection Directive of 1995, and sets the legal framework for the protection of personal data in Macau SAR.

Other legislation affecting this area that should be noted includes:

• Administrative Regulation No 42/2023, effective from 1 February, 2024, which created the Personal Data Protection Bureau (PDPB);
• a set of generic authorisations, legal opinions and case analyses that have been published by the PDPB on its official website; and
• Law No 2/2012, on the legal regime for video surveillance in public spaces and, pursuant to this act, the Dispatches of the Secretary for Security, authorising the specific setting up of video surveillance cameras in public spaces.

The government consistently includes a statement of priority in the annual policy address regarding the implementation of e-government, smart city and other areas involving sensitive digital technologies and artificial intelligence.

Notwithstanding this, since its enactment in 2005, the PDPA has not been amended.

The international trend for amendments and updates of legal frameworks on data protection matters, as well as the continued domestic and international interest in the area, has not been reflected in amendments to the PDPA.

The legislation has no extraterritorial reach.

Separate legislation (Law 13/2019) provides for cybersecurity, covering networks and IT systems, with specific focus on operators of critical infrastructures.

The general principle of transparency of processing is supplemented by specific principles, as provided by Articles 2, 5 and 6 of the PDPA:

• lawfulness and good faith;
• purpose limitation;
• adequacy and proportionality;
• accuracy;
• time limitation; and
• legitimacy by consent of the data subject or by prevailing legitimate interest of the controller.

Organisations carrying out processing of personal data should comply with the duty to notify the Regulator of the processing, within eight days the initiation of processing. The PDPB provides a structured and itemised form for the notification.

Besides the general duty of notification, organisations need to apply, unless otherwise provided by law, for authorisation for conducting some types of processing, namely when involving sensitive personal data, data relating to credit and solvency, combination of personal data and further processing of data for purposes not giving rise to their collection.

Sensitive personal data (Article 7 of the PDPA) is stated to be “data revealing philosophical or political beliefs, political association or trade-union membership, religion, privacy and racial or ethnic origin, and data concerning health or sex life, including genetic data”. As a general rule, the processing of sensitive personal data is prohibited.

Processing of sensitive personal data, when allowed, must guarantee non-discrimination and be carried out with special security measures.

Processing of sensitive personal data may be allowed by a legal provision, under “important public interest grounds” and by “explicit consent” of the data subject.

Data relating to minors is not specifically addressed by legislation.

Data on suspicion of illegal activities, criminal and administrative offences (Article 8 of the PDPA) is restricted to “when such processing is necessary for pursuing the legitimate purposes of the controller, provided the fundamental rights and freedoms of the data subject are not overriding”. Central registers may only be created or kept by public authorities and data “for the purposes of police investigations shall be restricted to the processing necessary to prevent a specific danger or to prosecute a particular offence”.

Data relating to health and sex life, including genetic data, may be processed for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, provided that data is processed by a health professional bound by professional secrecy.

If data is adequately anonymised, it becomes no longer related to an “identified or identifiable natural person”, and is no longer deemed “personal data”.

Macau does not have specific privacy requirements for the use of personal data in the context of AI.

Under the cybersecurity law, private operators of critical infrastructures must inform the competent authority (the “Cybersecurity Committee”) of any “cybersecurity incident”. The PDPB is a member of the Cybersecurity Committee.

Notwithstanding, the PDPA does not require specific actions in the event of data breaches.

The PDPB is, under Administrative Regulation 42/2023, the government entity responsible and accountable for monitoring and enforcing compliance with PDPA provisions, and for establishing an adequate confidentiality system and monitoring its enforcement.

The PDPB is granted powers covering a broad area of activities both in the private and in the public sectors and possesses a full legal basis and a permanent status.

Being a Bureau within the Public Administration of the MSAR, but reporting directly to the Chief Executive, it remains to be clarified whether this status equates with a status of permanent independence.

The PDPB is a member of the Asia Pacific Privacy Authorities (APPA).

Following its admission as an observer at the 30th Conference of the Global Privacy Assembly (GPA) in 2008, the current status of the PDPB is still observer, renewed at the 47th Conference in September 2025.

Guidance and recommendations issued by the PDPB are not binding but are generally adopted.

There are two different types of administrative process: notification and authorisation.

Notification

Under the PDPA, the data controller, or their representative, if any, must notify the public authority in writing within eight days after the start of carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes. The public authority may authorise the simplification of, or exemption from, notification for specific categories of processing which, taking account of the data to be processed, are unlikely to adversely affect the rights and freedoms of the data subjects. In allowing this simplification or exemption, the authority will also consider the speed, economy and efficiency of the relevant processing.

The authorisation of simplification shall be published in the Official Gazette of the Macau SAR and must specify: the purposes of the processing; the data or category of data to be processed; the category or categories of data subjects; the recipients, or categories of recipients, to whom the data may be disclosed; and the length of time the data is to be stored.

There are exemptions from notification, such as those for processing whose sole purpose is the keeping of a register which, according to laws or administrative regulations, is intended to provide information to the public and which is open to consultation by the public in general or by any person demonstrating a legitimate interest.

The texts of these generic authorisations are available at the PDPB’s official website.

Authorisation

Prior authorisation by the PDPB is required for some types of processing. These include the processing of sensitive data (where it is not carried out pursuant to a legal provision or it is carried out without the explicit consent of the data subject), data related to the credit and solvency of the data subject, and the combination of data and further processing of data for purposes other than those originally stated by the controller.

For this purpose, sensitive data means personal data revealing philosophical or political beliefs, political association or trade union membership, religion, private life, and racial or ethnic origin, and data concerning health or sex life, including genetic data. The authorisations for these types of processing shall be granted only if the controller provides guarantees of non-discrimination and sufficient security measures (indicated in the PDPA).

Applications submitted to the PDPB for opinions, authorisations and notifications shall include the following information:

• the name and address of the controller and of their representative, if any;
• the purposes of the processing;
• a description of the category or categories of data subjects and of the data or categories of personal data relating to them;
• the recipients or categories of recipients to whom the data might be disclosed and in what circumstances;
• the body entrusted with processing the information, if it is not the controller themselves;
• any combinations of personal data processing;
• the length of time for which personal data will be kept;
• the form and circumstances in which the data subjects may be informed of, or may correct, the personal data relating to them;
• proposed transfers of data to third countries or territories; and
• a general description enabling a preliminary assessment to be made of the adequacy of the measures taken to ensure security.

Without prejudice to the right to submit a complaint to the public authority, according to the law any person may have recourse to administrative and legal means to guarantee compliance with provisions of laws and regulations in the area of personal data protection.

The PDPB is empowered to enforce those provisions of the PDPA that are of an administrative nature, under the PDPA and the Administrative Regulation 42/2023. Criminal cases are reported to, and handled by, the Public Prosecutor’s Office.

Administrative offences

To start proceedings relating to alleged violations, the PDPB must first take into account the actions of the alleged infringers, including the type of action and the intention of the agent, under the general administrative standards. Non-compliance with the special security measures required by Article 16 of the PDPA – for sensitive data processing and for the creation and maintenance of records regarding suspicion of illegal activity, criminal offences and administrative offences – is an administrative offence which may entail a fine between MOP4,000 and MOP40,000.

Although the PDPA provides penalties for undue access, as well as for tampering with, or destruction of, personal data, it does not specifically provide for security breaches by the data controller. It should be noted, however, that the PDPA mandates that the data controller shall present the notification/authorisation request with a general description of the security measures, so that the PDPB may evaluate the adequacy of such measures. If the PDPB notifies the above-mentioned entity to address any insufficiency in the security measures and no remedy is taken, then a fine of between MOP2,000 and MOP20,000 for individuals and of between MOP10,000 and MOP100,000 for legal persons may be imposed. Other potential enforcement penalties are outlined below.

Non-compliance with notification of data processing in breach of the terms set out in Article 23 of the PDPA, providing false information after notification by the PDPB and maintaining access to open data transmission networks for data controllers which do not comply with the provisions of the PDPA are all punishable by administrative sanction. This will take the form of a fine between MOP2,000 and MOP20,000 for individuals and of between MOP10,000 and MOP100,000 for legal persons; the fines are increased to twice the amount indicated above if the data is subject to previous authorisation.

Non-compliance with stipulations of the PDPA regarding:

• data quality (Article 5);
• right to information, access, objection, right not to be subject to automated individual decisions (Articles 10 to 13);
• special security measures (Article 16);
• processing by subcontractor (Article 17); and
• non-provision of mandatory information provided in Article 24, paragraph 1,

involve an administrative sanction of a fine between MOP4,000 and MOP40,000.

Non-compliance with stipulations of the PDPA regarding:

• conditions for legitimacy of data processing (Article 6);
• processing of sensitive data (Article 7);
• suspicions of illegal activities, criminal offences and administrative offences (Article 8);
• interconnection of personal data (Article 9); and
• transfer of data to a destination outside the MSAR and respective exemptions (Articles 19 and 20),

involve an administrative sanction of a fine between MOP8,000 and MOP80,000.

Criminal offences

Non-compliance with stipulations of the PDPA regarding:

• purposefully omitting the notification/authorisation indicated in Articles 21 and 22 of the PDPA;
• providing false information in the notification/authorisation requests for the processing of personal data or making modifications in this request not allowed by the instrument of legalisation;
• diverting or using personal data, in a manner incompatible with the purpose of the collection or with the instrument of legalisation;
• promoting or carrying out an illegal interconnection of personal data;
• non-compliance with the obligations provided for in this law or in other data protection legislation in the period established by the PDPB; and
• maintaining access to open data transmission networks for those responsible for the processing of personal data that do not comply with the provisions of the PDPA, after notification of the PDPB not to do so,

involve a criminal sanction of imprisonment up to one year or a fine up to 120 days. Fines which are set in days are under the discretion of the court – each day’s fine corresponds to an amount between MOP50 and MOP10,000, which the court shall set according to the economic and financial situation of the convicted person and their personal expenses. The sanction is increased to twice the duration indicated above if the data involved is sensitive (Article 7 of the PDPA) or if illegal activities, criminal offences and administrative offences are suspected (Article 8 of the PDPA).

Access in any way to personal data whose access is forbidden to said individual/entity is forbidden. The sanction is increased to twice the duration indicated when access:

• is achieved through violation of technical safety rules;
• has allowed the agent or third parties to obtain personal data; or
• has provided the agent or third parties with a benefit or patrimonial advantage.

Such access is punishable with a criminal sanction of imprisonment up to one year or a fine up to 120 days, unless otherwise provided by special law. The sanction is increased to twice the duration indicated in the cases provided.

Deletion, destruction, damaging, suppression or modification of personal data without proper authorisation, rendering the data unusable or affecting its ability to be used is punishable with a criminal sanction: imprisonment up to two years or a fine up to 240 days, unless otherwise provided by special law. The sanction is increased to twice the duration indicated if the damage resulting therefrom is particularly serious. If the agent acts with negligence, the sanction is, in both of the cases provided above, imprisonment for up to one year or a fine up to 120 days.

Qualified disobedience regarding notification to interrupt, cease or block the processing of personal data, or in cases of:

• refusal, without just cause, to co-operate as specifically requested by the PDPB;
• refusal to totally or partially destroy personal data; and/or
• refusal to destroy personal data, after the period of conservation provided for in the PDPA,

involve a criminal sanction of imprisonment for up to two years or a fine up to 240 days.

According to the two most recent annual reports published by the PDPB, in 2023 there were 105 investigations, mostly involving (in 55% of the cases) lack of legitimacy conditions for processing personal data or non-compliance with personal data protection principles (in 47% of the cases). In 2024, the number of investigations dropped to 74, involving lack of legitimacy in 66% of the cases and non-compliance with principles in 38% of the cases. The proportion of PDPB’s own-motion investigations is low – 9% in 2023 and under 2% in 2024.

The investigations resulted in enforcement of penalties (fines) in 25% and 17% of the cases, in 2023 and 2024, respectively.

The PDPA provides, in Article 14, that any person who has suffered damage as a result of an unlawful processing operation or of any other act incompatible with legal provisions or regulations in the area of personal data protection is entitled to receive compensation from the controller for the damage suffered. However, no case law exists on the basis of this provision.

No recent case law exists regarding Article 14 of the PDPA.

There is no collective redress mechanism for protection of the collective interests of data subjects in Macau. As mentioned in 2.1 Privacy Litigation Overview, individuals may file for damages arising from unlawful processing of their personal data. These cases are judged by the civil courts.

Macau has not enacted laws relating to processing of non-personal data.

The PDPA may apply where data processed may relate to an identified or identifiable natural person.

Macau has not enacted laws relating to processing of non-personal data.

Macau has not enacted laws relating to processing of non-personal data.

Macau has not enacted laws relating to processing of non-personal data.

Cookies that are strictly necessary for the operation of a website may be lawfully used without any special requirements, under Article 6 of the PDPA.

Other cookies may only be used with the consent of the data subject.

In respect of other categories of personal data, the data subject has the right to be informed of the purposes of the cookies, the recipients or categories of recipients, and whether accepting cookies is obligatory or voluntary, as well as the possible consequences of rejecting the cookies. The controller must ensure that consent is freely given, specific and informed.

Personalised advertising involves gathering information about the data subject.

As a minimum, upon collection of the relevant personal data, the data subject must be informed that their data may be used for the purpose of selecting goods or services that will be advertised to them later. Online marketing or any other form of direct marketing is subject to the provision of Article 12(2) of the PDPA: The data subject has the right to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing or any other form of commercial research, or to be informed before personal data is disclosed for the first time to third parties for the purposes of direct marketing or for use on behalf of third parties, and to be expressly offered the right to object free of charge to such disclosure or uses.

Advertisers should also take into account the provisions of Law No 7/89/M, as republished by Law No 26/2024 (Advertising activity), restricting some practices and the advertising of some goods and services in Macau.

Labour relations in Macau are regulated by Law No 7/2008.

Article 8 (Protection of privacy) stipulates that (i) the employer and the employee should mutually respect each other’s personal rights, in particular, the rights to protect the privacy of their personal lives and (ii) the right to privacy relates to access to and disclosure of information relating to the private and personal lives of either party, such as their respective family life, emotional and sexual lives, state of health and their political and religious convictions.

On the other hand, the PDPA stipulates, in Article 7(1) (Sensitive data) that the processing of personal data revealing (…) trade-union membership (…) shall be prohibited.

Exceptions to this are provided in the case where:

• the data subject has given his explicit consent for such processing (Article 7(2(3))); and
• it is carried out with the data subject’s consent in the course of its legitimate activities by a legal person or non-profit seeking body with a (…) trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data is not disclosed to a third party without the consent of the data subjects.

Therefore, processing of trade union membership data is lawful in those two circumstances.

The duty of the employer to notify the PDPB of the processing of personal data of their employees is waived in some cases:

• personal data necessary for processing of payroll and payroll-related obligations (Authorisation No 01/2007);
• personal data necessary for processing of administrative management of the employment relation (Authorisation No 02/2007); and
• processing of biometric data for attendance control purposes (Authorisation No 02/2020).

The PDPB provides detailed recommendations on the use of personal data for supervision of employees’ activities in the workplace, emphasising the principles of legality of purpose, non-excessive collection and including sample privacy statements for processing of supervision of telephone calls, e-mail and internet usage and video surveillance.

In asset deals, the standard provisions of the PDPA apply. Namely, the buyer, as a recipient for the personal data controlled by the seller, shall become the controller of the data.

The data subjects’ right to information includes the identity of the recipients and the purposes of the disclosure of data to those recipients.

Besides, the identity and purposes of processing of the recipients are part of the notification to the PDPB and this notification might also need to be amended/updated.

The recipient must fulfil the requirements of legitimacy for processing the transferred data.

Therefore, either consent from the data subjects or another condition for legitimacy needs to be secured, along with a notification to the PDPB, whenever the processing is not already covered by such a notification.

The transfer of personal data overseas can only take place in accordance with PDPA provisions and provided that the jurisdiction to which the data is going to be transferred ensures an adequate level of protection.

This level of protection may be assessed by the PDPB on a case-by-case basis (Article 19 of the PDPA) but, in practice, the PDPB does not assess the adequacy of the level or protection guaranteed by the import jurisdiction.

All cases are assessed under Article 20 of the PDPA on derogations (see below).

Under the PDPA there is no provision enabling the publication of a list of jurisdictions capable of ensuring the level of protection that is imposed by the PDPA (no “white list”).

The transfer of data overseas may be possible under the various exceptions provided by the PDPA.

These include the necessity of such a transfer for the formation of a contract between the data subject and the data controller and for preliminary measures for the formation of that contract at the request of the data subject, among others.

However, the most common exception to the rule indicated above is the obtaining of the data subject’s express and unambiguous consent to such a transfer (Article 20, paragraph 1 of the PDPA).

Organisations collecting or transferring data in connection with foreign government data requests, foreign litigation proceedings (eg, civil discovery) or internal investigations are not exempted from the standard requirements set out under the PDPA and shall be subject to the same penalties in case of breach of the existing laws.

As no list of jurisdictions ensuring an adequate level of protection currently exists in Macau, the transfer of personal data abroad is subject to prior authorisation by the PDPB, as indicated in 5.1 Restrictions on International Data Transfers.

If express and unequivocal consent from the data subject is obtained, or if the situation under analysis falls under one of the exceptions provided by the PDPA, a simple notification is sufficient and complies with the legal provisions.

The international transfer of data is subject to the requirements referred to in 5.1 Restrictions on International Data Transfers.

This issue does not arise in the Macau SAR jurisdiction.

The PDPB, jointly with the Economic and Technological Development Bureau (DSEDT) and the Cyberspace Administration of China, continue to develop the implementation of the “Standard Contract for cross-border flow of personal information in the Greater Bay Area Guangdong-Hong Kong-Macau (Mainland China – Macau)”, launched in September 2024.