The “distance contract”, one of the common figures in the digital economy, is framed by the Consumer Rights and Interests Protection Law (Law No 9/2021). In accordance with this Law, “distance contract” is defined as the contract concluded between the consumer and the commercial operator, without the simultaneous physical presence of the two, through the exclusive means of distance communication, from the negotiation to the conclusion of the contract, within the remote mode prepared by the trader for the supply of goods or provision of services.

Under the Consumer Rights and Interests Protection Law, special obligations are set out for the commercial operator, for instance, before concluding the distance contract, trade-related information, such as the commercial operator’s identification information, the characteristics of the goods or services, and the way in which consumer complaints are handled by the commercial operator, should be provided to the consumer in a timely, clear, accurate, and understandable manner. The distance contract must contain all the information required by the Consumer Rights and Interests Protection Law, and the contract cannot be altered.

However, there is lack of specific legislation on different aspects of the digital market. One of the key legal challenges is the legislation of the third-party electronic payment platform. Electronic payment is already a very commonly used payment method in Macau; however, there is currently a lack in regulations that specifically address issues like the establishment of third-party electronic payment platforms, oversight of cross-border transactions and cybersecurity in the digital market.

Except for tobacco and some alcoholic beverages, Macau does not tax transactions of goods or services.

Physical posting of advertising requires licensing by the Municipal Affairs Institute and is subject to a licensing fee. The fee itself is subject to stamp duty. However, every fiscal year starting in 2002, the Annual Budget Law has waived this fee and the related stamp duty. Other means of advertising carried out by the advertiser do not require a licence.

Advertising over radio, television and any other audiovisual broadcasts is subject to stamp duty of 2% on the cost of the advertising. Digital advertising carried out by the advertiser is not taxable. However, a local advertising service provider hosting advertising for third parties is subject to 2% stamp duty on the price charged for such hosting services. The hosting service provider should charge and collect the stamp duty from the advertiser and hand over the proceeds to the Financial Services Bureau.

The provision of digital goods and services is subject to the general framework of the Consumer Rights and Interests Protection Law (Law No 9/2021).

Law 17/92/M (Standard Contractual Clauses) applies to almost every contract in the TMT field and companies must pay attention to the roll of forbidden clauses, as well as clauses deemed void.

Administrative Regulation No 24/2002 (Provision of internet services), besides stipulating that contracts between providers and users must abide by the stipulations of said Administrative Regulation, also stipulates that users are only bound by the terms, conditions and prices that were expressly communicated by the provider.

The services provided must not depend on the acceptance, by the user, of other services, and deceptive advertising is forbidden. Similar provisions apply, under Administrative Regulation No 41/2011 (Public Telecommunications Networks), to operators of Public Telecommunications Networks. Additionally, this Administrative Regulation stipulates that the operators are liable for damages sustained by users, by reason of unjustified termination of the provision of services.

The rules for handling consumer complaints and consumer dispute resolution are the same as for general cases. Consumers may lodge complaints with the Consumer Council. The Macao Consumer Mediation and Arbitration Centre handles the mediation and arbitration of consumer disputes arising from the supply of goods or services. In the case of telecommunications, if the consumer requests to submit the dispute to the Centre, the arbitration becomes compulsory for the provider.

Judicial remedies are available under the general provisions of law.

TMT companies should establish and implement a standard procedure for handling consumer complaints. This should be able to assess quickly whether the consumer has reasonable grounds for their complaint, and recommend appropriate corrective action.

Factors to consider include the potential reputational damage arising from public disclosure of consumer disputes, particularly in grey-area cases.

Distributed Ledger Technology and Cryptocurrency are not regulated in Macau. Cryptocurrency is not recognised as legal tender and the Monetary Authority has repeatedly issued warnings against promoters and traders of cryptocurrencies. Banks were specifically instructed not to engage or participate in any ICOs.

Law No 10/2023 provides for currency in digital format, which is known as “pataca digital” or “e-MOP”. The regulations required for actual issuance and operation of the e-MOP are yet to be enacted and the government has launched, in December 2024, the trial issuance and operation of the e-MOP, to be carried out by the Bank of China (Macau).

As to blockchain, it is still regarded as an emerging technology. The government has actively promoted training in this area but no regulation has been published.

While the expectations of upcoming developments are high, the actual progress of official recognition and regulation is still an open question.

Laws and Regulations

The processing of personal data in the Macau Special Administrative Region (MSAR or Macau) is subject to the legal regime of the Personal Data Protection Act (Law No 8/2005, dated 22 August 2005 ‒ PDPA), which defines personal data as “any information of any kind and regardless of the respective format, pertaining to an identified or identifiable natural person”. Sensitive personal data is further defined as “data related to philosophical or political beliefs, membership of a political or trade union association, religious belief, private life and racial or ethnic origin, health and sex life, including genetic data”. With regard to cloud and edge computing, there is currently no specific regulation on this matter in Macau.

The Personal Data Protection Act (PDPA)

The processing of personal data under the PDPA is subject to key mandatory principles, such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law and applicable legislation), collection limited to specified, explicit and legitimate purposes, and proportionality, and may only be carried out if the data subject has given their unequivocal consent or if the processing is necessary for the purposes set out in the law.

The Macau Personal Data Protection Bureau (PDPB) must be notified in writing within eight days of the start of any processing of personal data under the PDPA (either wholly or partly executed by automatic means), without prejudice to the cases where prior authorisation must be sought.

Whenever data is retrieved directly from the data subject, the person responsible for processing the data, or their representative, must provide the data subject with the information set out in the PDPA (eg, the identity of the controller and their representative, the purpose of the processing, and other ancillary information), and the documents used to retrieve the personal data must contain such information. Also, in the case of data collection in open networks, the data subject must be informed that their personal data may circulate in the network without security, at the risk of being seen and used by unauthorised third parties.

The Personal Data Protection Bureau (PDPB)

Directly under the Chief Executive of the Special Administrative Region of Macau, the PDPB is the public authority vested with the regulatory and supervisory powers provided by the PDPA.

In the case of cloud computing, the data is likely to be stored in servers abroad – in the case of the transfer of personal data to a destination outside Macau, the PDPA determines that such transfer can only take place if the provisions of said law are respected and if the legal system of the destination ensures an adequate level of protection. Analysis is made on a case-by-case basis by the PDPB.

The transfer to a legal system which does not ensure an adequate level of protection can be made by notification to the PDPB if the data subject has given their unequivocal consent for the transfer or if the transfer is necessary for the purposes set out in the law. It should be noted, however, that regarding sensitive data as well as credit and solvency, the need for authorisation by the PDPB overrides the simple notification procedure, and the transfer cannot take place without such previous authorisation being obtained.

Regarding specific industries such as banking and finance, the Macau Financial System Legal Regime (Law No 13/2023 ‒ RJSF) stipulates that the members of the governing bodies of credit institutions, their senior management officers, their workers, auditors, experts, agents and other persons who provide services to them, whether on a permanent or accidental basis, may not reveal or use, for their own or someone else’s benefit, information or knowledge that has come to them from the exercise of their functions, and includes in the information subject to secrecy the names and other data relating to customers, deposit accounts and their movements, investment of funds and other banking transactions. Such duty of secrecy shall survive even after the functions referred to above have ended.

There is currently no specific legislation on artificial intelligence (AI) in the MSAR (in this case, a shortened form of Macau SAR). However, the challenges presented by the processing of large amounts of data which include traditional enterprise/company data, machine-generated/sensor data and social data, may concern, on the one hand, the type of data being transferred and generally processed in several networks and, on the other, the need to ensure that these networks are secure and compliant with personal data protection and cybersecurity legislation.

Compliance With the PDPA

One of the biggest challenges for entrepreneurs is compliance with the PDPA with regard to the processing of personal data under its mandatory principles, such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law and applicable legislation), collection limited to specific purposes, and proportionality, and the need to obtain the unequivocal consent of the data subject for the processing (or, alternatively, the need for processing for the purposes set out in the PDPA).

As AI tools necessarily include the processing of large data sets which are often unorganised and may come from several jurisdictions with different personal data protection requirements, such challenge will force large corporations to have dedicated structures (such as chief data officers and ancillary teams or departments) to ensure that, in the processing of data, there is differentiation between general data and personal data, and that such processing is done in accordance with applicable legislation and the security measures provided therein.

Macau Cybersecurity Law

In relation to the Macau Cybersecurity Law (Law No 13/2019, dated 24 June 2019), which seeks to bolster the protection of computer systems regarding cybercrimes and cybersecurity threats against public and private operators of critical infrastructures (as defined in the law), the dedicated structures referred to in the previous paragraph will also need to comply with the general responsibilities and cybersecurity duties provided therein, namely:

• organisational duties;
• procedural, preventive and reactive duties;
• self-evaluation duties; and
• co-operation duties.

The list of operators of critical infrastructures is defined by Dispatch of the Chief Executive. Currently, under Dispatch 119/2024, there are 143 such operators, 78 of which are private companies belonging to the financial sector. There are four operators of radio or television broadcasting, and eight operators of telecommunications networks or provision of internet services. Included, are also ten private entities classified as of public utility, operating solely in the science and technology field. As previously indicated, there is currently no specific legislation regarding AI. Although the PDPA includes the right of the data subject not to be exposed to individual automated decisions, no further stipulations regulate the issue of automated decision-making. In this regard, and without prejudice to the principles and provisos of the law regarding personal data processing, it is incumbent on the local legislature to update the law so as to ensure that AI-driven decision-making is compatible with core legal principles such as transparency, accountability, legality, and protection of fundamental rights.

Restrictions on a Project’s Scope

With regard to the internet of things (IoT) projects and the data circulating therein, the main piece of legislation which would restrict the scope of a project in such an area would be the PDPA and its stipulations regarding personal data. The processing of personal data through any such device would necessarily have to comply with the applicable stipulations of the law:

• it must be performed in a transparent manner and in strict observance of privacy rights and of the rights, freedoms and guarantees enshrined in the Macau Basic Law and in applicable legislation; and
• it may only be carried out if the data subject has given their unequivocal consent, or if the processing is necessary for the purposes set out in the law.

There is currently no specific legislation on IoT in the MSAR. Companies should approach compliance under the perspective of personal data protection, where applicable.

As information that is not, initially, deemed personal data may become so, by means of cross-referencing other databases, companies need to be mindful of developments, both in technology and in the market landscape, and take the necessary steps to respect the data subjects’ rights in such an event.

As mentioned previously, sharing of data that is not deemed personal data and does not involve any information specifically protected by law (state secrets, trade or professional secrets, among others) is not restricted.

Volume is not a consideration, and no threshold will trigger legal or regulatory requirements.

Also as already noted, sharing personal data is subject to the legal requirements of the PDPA and, specifically, the processing of sensitive data is, as a rule, prohibited.

Broadcasting in the MSAR is framed by Law No 8/89/M, of 4 September 1989, which establishes the legal regime for radio and television broadcasting, with the purposes set out therein. Television broadcasting is defined as a public service and is exercised under a concession contract, whereas the activity of sound broadcasting is subject to the licensing regime, the exercise of which depends on the attribution of a licence. Both awards are normally preceded by a public tender.

Radio Broadcasting Licences

Pursuant to Law No 8/89/M, the broadcast of sound/radio is subject to the granting of a licence to operate in the radio-electric public domain spectrum of the MSAR. Sound broadcast radios may be held in the following bands:

• hectometric waves (medium), modulated amplitude ‒ band between 526.5 kHz and 1606.5 kHz; and
• metric waves (very short), modulated frequency ‒ band between 87 MHz and 108 MHz.

Pursuant to Law No 8/89/M, the Chief Executive may also allocate other frequency bands of the broadcasting service which are already available or which, as a consequence of technological development, have been added to the International Frequency Allocation Plan. It appears that, to date, no such other frequencies have been included in regulation.

Regarding the administrative procedures related to radio communication services, Administrative Regulation No 37/2024 establishes the rules by which said administrative procedures shall be governed, in particular with regard to:

• necessary elements for the application for issuance, renewal, and modification of the network or radiocommunication station licence and respective procedures, as well as the inspection procedure to be carried out for the issuance of the said licence;
• necessary elements for the application for approval, as well as the equipment testing procedure for approval purposes;
• necessary elements for the application for issuance and renewal of the commercialisation licence and respective procedures;
• necessary elements for the application for issuance and renewal of the radio operator’s certificate and respective procedures;
• payment of fees due for services rendered in the execution of this law and the respective supplementary regulations;
• content of the professional and amateur radio operator aptitude exam, as well as the general rules on the operation of the equipment;
• establishment of radio servitudes;
• registration of the commercialisation of radiocommunication equipment; and
• implementation of the electronic system for the practice of acts and formalities by electronic means.

The granting of licences for the activity of radio broadcasting under Law No 8/89/M is preceded by a public tender, except when ponderous and duly justified reasons advise a direct award. The radio broadcasting activity can be carried out by any legal person that has its headquarters in Macau and offers guarantees of suitability, technical qualification and financial capacity. The Government Information Bureau (Gabinete de Comunicação Social) is the competent entity that organises the processes related to the granting of permits, and an application for a permit must be accompanied by the following elements:

• justification note of the request;
• demonstration of the economic and financial viability of the project;
• detailed description of the activity to be carried out, with emphasis on the broadcasting time and the schedule map;
• design of the facilities, including equipment, antennas and studios; and
• articles of association of the applicant.

The licence is valid for five years and can be renewed, for equal periods of time, at the request of the respective holder. The attribution and transmission of licences, as well as the respective alterations, renewals or substitutions, in case of loss or unusability, are subject to the payment of fees. Law No 21/2024 provides that those fees shall be determined by a Dispatch of the Chief Executive, which, at the moment of writing, has not yet been enacted. In the meantime the General Table of Fees and Fines Applicable to Radio Services approved by Administrative Regulation No 16/2010, lastly amended by Administrative Regulation No 40/2022, shall apply.

Television Broadcasting Concessions

The granting of television broadcasting is executed by concessions, under Law No 8/89/M. The procedure, as with radio broadcasting, is also preceded by a competitive bidding process, except when weighted and duly justified reasons advise direct concession. Television broadcasting activity can be granted to any legal person that is incorporated in corporate form and has its headquarters in Macau, for the purpose of exercising the activity to be granted, and offers guarantees of suitability, technical qualification and financial capacity.

The television broadcasting concession contract may authorise the concessionaires to carry out other complementary activities related to the main activity, by themselves or in association with other entities. These activities are those indicated by law, and in exceptional cases, concessionaires may be legal persons of public law or public utility.

Television broadcasting concessions must have a fixed term, to be determined according to the business plan to be developed and the time necessary for the amortisation of the capital invested by the concessionaires, and sub-concession is not allowed. Concessionaires are obliged to fulfil the duties indicated in the law, namely, they are obliged to make the necessary investments to guarantee full coverage, in good technical conditions, of the areas of Macau that are defined in the concession contract, which must establish the amount of investment to be made, the plan and the overall timetable for its implementation.

For the concession, a fee is due, to be determined in the respective contract, without prejudice to any initial grace period established in the contract. Concession contracts may also establish forms of remuneration other than payment in cash, namely, the “use of issuance time by grantor”.

Furthermore, the licensing regime for satellite television broadcasting activity is regulated by Decree-Law No 3/98/M, dated 19 January 1998, with regard to:

• installation and operation of satellite television broadcasting telecommunications systems; and
• provision of satellite television broadcasting telecommunications services.

A licence for the installation and operation of the system or for the provision of telecommunications services for satellite television broadcasting may be requested by telecommunications companies with headquarters and a place of effective management in Macau, and which demonstrate technical suitability and adequate economic and financial capacity. The licence is requested through the Macau Post Office, which is the competent entity to organise and instruct the licensing process and analyse the request, and it is assigned by order of the Chief Executive, who sets out, on a case-by-case basis, the terms and conditions for exercising the activity.

The holder of a licence to exercise the activity of satellite television broadcasting is required to pay the following fees to the Macau Post Office:

• installation and operation of the system ‒ from MOP100,000 to 1 million, depending on the complexity and purpose of the system;
• provision of the service ‒ MOP100,000 for each broadcast programme; and
• an annual operating fee, corresponding to 1.5% of the respective gross operating revenues from licensed systems or services and subsidiary activities.

Additionally, systems and services of space telecommunications or via satellite, may also be granted licences by procedure similar to the satellite broadcasting services. The applicable fees are also similar, but the annual fee may be replaced by a fixed amount between MOP100,000 and 500,000, to be waived in the first year of operation.

Online Video Channels

Online video channels such as YouTube would fall under the scope of Administrative Regulation No 24/2002, of 4 November 2002, which subjects the provision of internet services to prior licensing; however, as previously indicated, the use of such technologies through internet connection by existing duly licensed telecommunications entities should not require any further licensing, without prejudice to the applicable telecoms rules.

The telecommunications sector in Macau is framed by Law No 14/2001, of 20 August 2001 (the “Telecommunications Act”), which defines the basis of the telecommunications policy of the MSAR, as well as the general framework for the establishment, management and operation of telecommunications networks and the provision of telecommunications services. The provisions of said law do not, however, apply to television and sound broadcasting services, terrestrial or satellite, which are subject to specific legislation. Telecommunications under the law is defined as the transmission, emission or reception of symbols, signs, writing, images, sounds or information of any nature by wire, radio, electricity or other electromagnetic systems. The law further determines that the establishment, management and operation of telecommunications networks and the provision of telecommunications services are in the public interest, and can only be pursued by public or private entities duly authorised to that effect under the terms of the applicable regulations.

The Telecommunications Act also stipulates the objectives of such policy, which include:

• to gradually liberalise the installation of public telecommunications networks and the provision of public-use telecommunications services;
• to ensure access to telecommunications by the whole population, at reasonable tariffs and prices, in a non-discriminatory manner and at a level of quality and efficiency that meets their needs, and also their economic and social activities;
• to ensure the existence and availability of the universal telecommunications service;
• to ensure equality and transparency of conditions of competition by promoting the diversification of services in order to increase supply and achieve quality standards compatible with the requirements of users; and
• to ensure the interoperability of public telecommunications networks, as well as the portability of the customer’s number, among others.

It is incumbent upon the government to oversee and supervise telecommunications and the activities of telecommunications operators, without prejudice to the specific competencies of the Macau Post Office.

Licensing of Telecommunications Services

On the licensing of telecommunications services, Administrative Regulation No 32/2000, of 11 September 2000, defines the legal regime for provisional licensing of the activities of public network operators and the provision of telecommunications services for public land mobile use, up to a maximum of three licences, operating in certain frequency bands, and with the adoption of the concepts established by the International Telecommunication Union (ITU). The operation of public telecommunications networks and the provision of telecommunications services for public land or mobile use are further defined by the Administrative Regulation No 7/2002, of 15 April 2002, which establishes that said activities are subject to licensing.

The allocation of licences under Administrative Regulation No 7/2002 is subject to a public tender, which can be limited with prior qualification, under the terms of the specific regulation of each tender, to be approved by executive order. The bidding regulation defines the terms of the respective procedure, including any prior qualification, as well as the information set out in the law (which includes the amount and method of providing the provisional bond to guarantee the link assumed with the submission of applications and the obligations inherent to the tender, as well as the final bond). The licensed entities are further subject to the payment of:

• fees for issuing and renewing the licence; and
• annual operating fees, corresponding to a percentage of gross operating revenue from services provided under licensed activities, to be determined by order of the Chief Executive, to be published in the Official Bulletin.

The fees related to the use of the radio spectrum, on the other hand, are set out in Administrative Regulation No 8/2006, dated 12 June 2006.

Voice-Over-IP and Instant Messaging

On specific technologies such as voice-over-IP and instant messaging, the applicable legislation would be the Administrative Regulation No 24/2002, of 4 November 2002, which subjects the provision of internet services to prior licensing, to be requested from the Chief Executive by filing an application with the Macau Post Office, signed by a person with the power to bind the applicant, and whose respective signature and the quality thereof must be certified by a notary. The application must contain the following documents:

• proof that the applicant is a commercial company duly incorporated in the MSAR, whose scope of business includes the provision of internet services;
• proof that the applicant has the necessary technical capacity and experience adequate to fulfil the obligations and further specifications of the licence the applicant proposes to obtain, having, namely, a body of qualified personnel for the development of the activity;
• proof that the applicant has adequate financial and economic capacity;
• proof that the applicant has up-to-date and adequate accounting of the analysis required for the project they wish to develop;
• a detailed proposal relating to the operation of the services, presented as a technical plan to be developed, that must contain, namely, the configuration of the technological systems to be used, with reference to access methods and the necessary equipment, as well as planning of the development of the systems and services;
• an economical and financial plan that includes the price system to be adopted;
• the applicant’s organisational structure, including the identities and CVs of its main responsible personnel, as well as, where possible, financial statements and audit reports in relation to the accounts of the three prior fiscal years; and
• any other elements that the applicant deems relevant for a decision on its request.

The licence shall specify the applicable fees and their respective payment period. Namely, the provider is subject to licence issuance and renewal rates of MOP2,000, and to an annual operating fee of MOP1,000 from the year after the licence is issued, to be paid during the month of January each year. These fees do not exempt the service provider from the payment of other fees and taxes that are legally owed.

It should be noted, however, that the use of such technologies through internet connection by existing, duly licensed telecommunications entities should not require any further licensing, without prejudice to the applicable telecoms rules.

RFID Tags

Regarding RFID tags, the Decree-Law No 18/83/M subjects the possession of radio equipment that can transmit, receive or transmit/receive, as well as the establishment or use of a radio station or network, to prior government authorisation. However, exceptions to this rule are reduced radio equipment power and short range, included in categories set out in Chief Executive Dispatch No 198/2014, dated 14 July 2014, as well as the receivers of the radio and television broadcasting service. Therefore, RFID tags in the 13.553–13.567 MHz and 920–925 MHz frequency bands, with a maximum equivalent isotropically radiated power (PIRE) of 1 W, are exempt from prior government authorisation.

Security requirements for telecommunications services

Under Macau Cybersecurity Law (Law No 13/2019), operators of public telecommunications networks and providers of telecommunications services for public land or mobile use are deemed “operators of critical infrastructure”.

Security requirements for private operators of critical infrastructures include the following.

• Create Cybersecurity Management Units capable of executing internal protection measures.
• Equip Cybersecurity Management Units with adequate human, financial, material, and property resources.
• Designate the main person responsible for cybersecurity and their substitute, who must reside habitually in Macau.
• Ensure that the main person responsible for cybersecurity and their substitute are permanently reachable by the CARIC (Cybersecurity Incident Response Center).
• Set up mechanisms for complaints and reports related to cybersecurity.

In terms of procedures, the private operators of critical infrastructures must:

• establish a cybersecurity management regime and respective internal operational procedures;
• adopt, in accordance with the cybersecurity management regime and applicable technical standards, internal measures for protection, monitoring, alerting, and responding to cybersecurity incidents;
• inform the CARIC of the occurrence of cybersecurity incidents and notify the respective supervisory entity, as well as immediately initiate actions to respond to serious incidents; and
• monitor and record the operational status of the network.

There is currently no specific legislation on net neutrality in the MSAR. However, the principle is embodied in the Administrative Regulation No 24/2002 (Provision of internet services), which stipulates that the provider must ensure equal access to the services provided to those who meet the required criteria and comply with the conditions imposed by the applicable legal and regulatory provisions, starting the provision as soon as possible. Administrative Regulation 7/2002 has an identical provision, for public telecommunications networks.

The legal framework of telecommunications has not been amended to accommodate the new technologies.

As an example, the public tender for granting 5G licences was launched by an Executive Order of the Chief Executive, under the applicable provisions of Administrative Regulation 7/2002.

Companies integrating emerging technologies should refer to the legal and regulatory framework of telecommunications, personal data protection and cybersecurity, among others.

There are currently no specific stipulations on IT service agreements in Macau, without prejudice to the general stipulations regarding data in general (regulated and protected under the general civil and commercial regime) and the stipulations on personal data protection (set out in the PDPA).

In accordance with the Cybersecurity Law, which established the general structure of the cybersecurity system of the MSAR, public and private operators of critical infrastructures defined in the law are subject to the general responsibilities and cybersecurity duties (organisational duties; procedural, preventive and reactive duties; self-evaluation duties; and co-operation duties) set out therein.

For the organisational and procedural duties of the private operators of critical infrastructures, refer to 6.1 Scope of Regulation and Pre-Marketing Requirements.

Regarding self-assessment and reporting, these duties are:

• assess, by themselves or through specialised entities, the security and risks existing in their networks and systems; and
• submit an annual cybersecurity report to the respective supervisory entity, mentioning, inter alia, any recorded incidents, the results of the assessment referred to in the previous bullet point and the improvement measures taken.

The duties of private operators of critical infrastructures, as well as their administrators, managers or representatives, with regard to collaboration with CARIC and supervisory entities, are to:

• allow the representatives of those services to enter their premises, provide them with access to their networks and provide them with the information they request, to the extent necessary to verify compliance with the procedural, preventive and reactive duties referred to above; and
• provide the support and collaboration necessary to ensure the good management of cybersecurity.

Any IT service agreement entered into with a local organisation defined as a private operator of critical infrastructures under the Cybersecurity Law must encompass (and comply with) the duties and responsibilities set out in this chapter.

Furthermore, and should the IT service agreement touch upon personal data, it is likely that the local entity shall be either the data controller (understood as the natural or legal person, the public entity, the service or any other body that, individually or together with others, determines the purposes and means of processing of personal data under the PDPA) or a subcontractor/processor (classified in the PDPA as the natural or legal person, the public entity, the service or any other body that processes personal data on behalf of the controller). Processing of personal data is defined by the PDPA as “any operation or set of operations performed upon personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

A Local Entity as Data Controller

Should the local entity be the data controller, then it is bound by the obligations set out in the PDPA as indicated above, inter alia, with regard to the need to obtain the unequivocal consent of the data subject and to provide all the necessary information, as well as to ensure that the subcontractor implements the appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular, where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures must ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of implementation.

A Subcontractor as Data Processor

Where processing of data is carried out on behalf of the data controller (eg, by a local entity), the data controller must choose a subcontractor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing of the data, and must further ensure compliance with those measures. The processing by a subcontractor must be governed by a contract or legal act, binding the subcontractor to the data controller and stipulating in particular that the subcontractor shall act only on instructions from the data controller, and that the obligations set out in the PDPA regarding data security measures shall also be incumbent on the subcontractor. For the purposes of keeping proof, the parties to the contract or the legal act relating to data protection and the requirements relating to the data security measures must be in writing in a document with legally recognised probative value.

The Electronic Documents and Signatures Law (Law No 5/2005) establishes the legal framework for electronic documents and signatures, in which “electronic document” is defined as the result of electronic data processing for the purpose of reproducing or representing a person, thing or fact.

In terms of the “electronic signatures”, three types of electronic signatures are distinguished in the Electronic Documents and Signatures Law.

• “Electronic signature” ‒ simply a set of data in electronic form that, linked or logically associated with an electronic document, can be used as a method to make its authorship known.
• “Advanced electronic signature” ‒ electronic signature that is unequivocally linked to the signatory and can be used to verify the signatory’s identity, is created using means that are solely under the signatory’s control, and is so linked to the document to which it is affixed that any changes made after it has been applied are detectable.
• “Qualified electronic signature” ‒ advanced electronic signature based on a qualified certificate, the signature is created through a secure signature creation device, and can effectively prevent the signature from being fraudulently used in accordance with internationally recognised standards. Affixing a qualified electronic signature is legally equivalent to an autograph signature.

A qualified certificate should be issued by an accredited certification entity. If the certification entities based abroad or the certificates issued by the former are recognised in Macau by virtue of an instrument of international law or regional agreement, or if the certificates satisfy the other requirements specified by the Electronic Documents and Signatures Law, these certificates are equivalent to the qualified certificates issued by the certification entity established in Macau. The information related to these certificates should be disclosed by the means deemed appropriate by the accredited authority of Macau, as well as made available to the interested parties.

The use of electronic signatures may not be feasible when considering laws, regulations or conventions regarding the mandatory use of paper or other special forms of submitting, composing, transmitting or storing documents. Traditionally, these included:

• notarial and registration acts;
• procedural acts;
• acts concerning personal legal relationships;
• acts relating to tender procedures; and
• situations in which the physical presence of the signatory or in-person signature recognition is required.

This situation is changing, with the government adopting an expanding range of electronic procedures, under the policy of “e-Government”.

Law No 13/2024 amended previous legislation in this area, providing, as a general rule, for the use of electronic means in public services, including electronic certificates and electronic identification of persons (e-Government and some court procedural acts).

Law No 11/2024 amended the Civil Registration Code, allowing for performance of registration acts by electronic means, including the electronic identification of persons.

Law No 18/2024 extended a similar approach to real estate and commercial registration and to notarial acts.

Generally, residents may perform a significant number of acts next to the public authorities by electronic means, including electronic identification of persons.

There is currently no specific legal or regulatory framework applicable to the gaming development industry in Macau.

The gaming industry of Macau consists of the operation of games of chance in casinos and is regulated mainly by Law No 16/2001, as amended by Law No 7/2022.

Article 2(1(2)) of Law No 16/2001 defines “Interactive games” as “games of chance in which:

a) A cash prize or other value is offered or can be won according to the respective rules;

b) A player enters or participates in the game through telecommunications means, namely through telephones, fax machines, internet access, data networks, video signal transmission, or digital data transmission, and for this purpose makes, or agrees to make, payments in cash or any other value; and

c) The game is also offered or approved as a game of chance or as an electric or mechanical machine game, in the casinos of Macau.”

Article 4 prohibits the casino gaming concessionaires from operating interactive games and further stipulates that concessions for interactive games shall be separate from casino gaming concessions.

No concession for interactive games has been granted until now.

Under Article 7 of Law No 20/2024 (Unlawful Gambling Law), the unauthorised operation of online gaming, covering games of chance and pari-mutuel betting, is criminalised: whoever operates, promotes, or organises online gaming without appropriate legal authorisation – regardless of whether the systems, devices or servers are located in Macau – shall be punished, upon conviction, with imprisonment for a term ranging from one to eight years. Negligence is also punishable.

Operation of online games not meeting the criteria of “interactive games” (of chance) of either Law No 16/2001 and Law No 20/2024 is unregulated.

The regulatory body for the gaming industry of Macau is the Gaming Inspection and Coordination Bureau (Direcção de Inspecção e Coordenação de Jogos – DICJ). It is a public administration body, directly under the Secretary for Economy and Finance.

DICJ has extensive powers, including regulatory, supervisory and enforcement of administrative penalties.

The decisions in administrative (regulatory) enforcement cases are generally not made public. Significant cases in judiciary (criminal) enforcement are usually reported to the media by the authorities.

The general IP rights are enshrined in Decree-Law No 43/99/M, as amended by Law No 5/2012. There are no specific stipulations addressing the protection of IP rights in the context of a virtual environment.

The protection afforded by Decree-Law No 43/99/M includes, in some cases, a specific provision for works made available to the public over a public computer network, which may be applicable to the virtual environment.

Publishing or making available an unpublished work without the authorisation of the owner of the IP rights is a criminal offence punishable with imprisonment not exceeding three years.

Using other protected real-world content, including phonograms and videograms, in a public computer network is subject to the authorisation of the IP owner. Failure to abide by this provision will result in a criminal offence, punishable with imprisonment not exceeding two years.

The application of Decree-Law No 43/99/M to other situations involving a virtual environment may require an in-depth analysis of the circumstances of the case.

There is currently no specific legislation on social media in Macau.

The Personal Data Protection Act applies to all activities carried out on a public computer network and the unauthorised use of personal data without consent of the data subject is deemed unlawful processing of personal data.

As mentioned in 9.3 Intellectual Property, rights are protected by Decree-Law No 43/99/M, including in the context of public computer networks. ISPs are private operators of critical infrastructure and are subject to the provisions of Law No 13/2019 (Macau Cybersecurity Law).

There are no local provisions restricting access to social media by reason of age.

The regulatory authority for the provision of internet services is the Macau Post (CTT). From a regulatory perspective, its powers include ensuring fair competition among operators, the rights of the internet service users, full compliance by licensees in line with the obligations established in the business licences, and issuing regulatory guidelines to network operators and service providers.