ALTA Law Research Series
Macao’s EU-influenced Personal Data Protection Act
Graham Greenleaf, University of New South Wales Faculty of Law
Published in (2008) 96 Privacy Laws & Business International Newsletter 21 – 22, Dec 2008
The Macao Special Administrative Region (SAR) of the People’s Republic of China (PRC) is one of the smallest but also one of the most economically successful regions of China, with industries including entertainment and gambling, textiles and household goods manufacture. Portugal administered Macao from the 16th century until the transfer of sovereignty to the PRC in December 1999.
Macao’s Personal Data Protection Act (2006) is the most recent data protection law in Asia, and potentially one of the strongest. The Act is very similar to Portugal’s legislation in most respects (though also said to be influenced by Hong Kong’s Ordinance). As a result it is closer to the EU privacy Directive of 1995 than any other data protection legislation in Asia. Macao’s position as a region of the PRC makes this doubly interesting.
History of the Act
The formation of a data protection authority was first discussed by legal officials as far back as 1998, possibly influenced by developments in the Portuguese legislation at that time. Its subsequent history is documented in a book published by Macao’s Legislative Assembly (in Portuguese and Chinese). The president of the Legislative Assembly ordered a study by its legal experts, which concluded that privacy and data privacy are protected in the legal system of Macao and that a specific data protection Act should be formulated. In 2005 eight legislators proposed legislation which was almost a copy of Portugal’s law, though they claimed that they also used Hong Kong's ordinance as a reference. The main difference is in the formation of the supervising public authority, because it is considered that this function is legally reserved to the government, according to the Basic Law of Macao (its ‘mini-Constitution’). The proposal was endorsed by the Legislative Assembly in June 2005 and sent to a Standing Committee for further study. After consultation with the government and the public (including submissions and opinions from both), press discussion, and visits to the Hong Kong Commissioner’s office, the Committee presented a legal opinion in November 2005 on the proposal, including proposed amendments. The Law was passed by the Assembly in August 2005 and came into force in February 2006.
The Office for Personal Data Protection
Macao’s Chief Executive ordered the formation of a supervising authority, the Office for Personal Data Protection (OPDP), in March 2007, and designated Ms. Sonia Chan to be the coordinator. The OPDP can exercise all the legal power attributed to the supervising authority by the Act. As is common legal practice in Macao, the nature of the OPDP is as a ‘project’ until a law governing the organization of the Office is passed. The OPDP is an observer at meetings of the Asia-Pacific Privacy Authorities (APPA), but not yet accredited to the annual conference of data protection authorities.
The OPDP’s approach seems to be that since an EU-style data protection law is quite new to Chinese society, careful implementation is needed, with an initial emphasis on public education. Although many individuals in Macao are not yet familiar with the law, the OPDP considers that, after nearly two years of its operation, most of the public and private sector entities in Macao are aware of the Act and that violation of it might be punished with administrative sanctions, or even with criminal charges.
Data protection principles and codes
The data protection principles in the Act are based closely on Portugal’s data protection law. They include de-identification, automated processing restrictions, the right to object to processing, and other provisions that might be expected in an EU-inspired law. The restrictions on data matching (Article 9 ‘Combinations of personal data’) should provide an interesting comparison with Hong Kong’s equivalent provision. The Act contains detailed security protections, and restrictions on offence-related data. The principles in the Act deserve more examination than can be provided here, particularly by way of comparison with other legislation in the region with less EU influence.
The Act encourages professional bodies and other bodies representing other categories of controllers to submit draft codes of conduct for approval, but registration by the OPDP only ‘has the effect of a declaration of [a code’s] lawfulness but does not have the nature of a legal provision or a statutory regulation’. So registration of a code only indicates that its provisions are consistent with the Act, in the view of the OPDP.
A variety of enforcement measures
A wide range of enforcement measures are provided. Individuals can complain to the OPDP, but can also have general recourse to other legal and administrative remedies. Persons who suffer damage as a result of breaches of the Act are entitled to compensation paid by the controller, unless he proves he is not responsible for the damage (Article 14). A range of civil (administrative) offences are provided for many types of breaches, and the OPDP is responsible for determining fines in such cases. Criminal offences are specified for use of personal data for purposes incompatible with collection, for unauthorised data matching, and in other more serious areas. ‘Public warning and censure’ and ‘publication of the judgment’ (concerning violations) are specific ‘additional penalties’, as are prohibitions of processing and erasure of data. Where there is a violation of fundamental rights of an urgent nature, there can be a direct appeal to the Court of Final Appeal.
The enforcement provisions are complex and deserve more elaboration than the above summary. We can say that Macao’s law has, at least in theory, one of the most comprehensive ‘enforcement pyramids’ of the data protection laws in the Asia-Pacific. The question is of course ‘how is it being used?’ – and the answer is ‘it is too early to tell’. The OPDP does not publish decisions about cases in detail, but does publish a summary of them in its annual report, in Chinese and Portuguese. It is considering whether it can also provide English versions.
Transfers outside Macao
Article 19(1) of the Act prohibits transfers of personal data to any destination outside the Macao SAR (including elsewhere in China) unless ‘the legal system in the destination to which they are transferred ensures an adequate level of protection’ and subject to compliance with the Act. Article 19(2) defines an ‘adequate level of protection’ in the same terms as the EU Directive. Article 19(3) states that it is for the OPDP to determine whether a legal system provides such an adequate level of protection. Transfers can therefore only be made under Article 20 if the destination jurisdiction, or the particular transfers, already appear on a ‘whitelist’ maintained by the OPDP. Article 20 (‘Derogations’) then provides a list of exceptions to Article 19, very similar to Article 26 of the EU Directive.
The whole Act is now in force, including Articles 19 and 20. However, due to the need to educate Macao businesses concerning the new law, the OPDP has not yet implemented Articles 19 and 20 strictly, and has not yet issued any sanctions. If it becomes aware that any entity is transferring personal data outside Macao, it asks them whether they come within the conditions stated in Article 20, and if they do not it will prohibit them from transferring data outside Macao.
As yet, the OPDP has not issued any ‘whitelist’ decisions stating that particular countries ensure ‘adequate protection’ in accordance with Article 19. But it has issued some opinions and authorizations that specific situations concerning transfers involving banking in Hong Kong, Taiwan and China have adequate protection. Another case involves South Korea, but these are limited to particular situations. The OPDP considers that many entities in Macao are now aware that they cannot simply send data outside Macao without notification to the OPDP.
The notification/registration system
The Act has a quasi-registration system (but for some processing only), which makes it unusual in the Asia-Pacific. There must be notification to the OPDP within 8 days of most automated processing of data, or processing of sensitive data, unless an exemption from notification is obtained (Article 21). ‘Prior checking’ (ie authorisation) is required for processing of sensitive data (in some cases), credit information, data matching, or use for secondary purposes (Article 22). The notification is free. The notifications and authorisations must be published in a public register and in the OPDP’s annual report, which covers many aspects of personal data processing in Macao.
In the areas of surveillance and employment services, the OPDP has already started the notification/registration process (mainly under Article 21, but also under Article 22 and the other Articles on which it depends). After briefing sessions to government departments, banks, public bodies, NGOs, as well as private companies, many of them are now submitting notifications. The OPDP intends to implement notification/registration on a full scale in the coming years (statement at the 29th APPA forum, Hong Kong, 2008). The first stage is implementation in the public sector, then in the private sector. It estimates this may take about two years, after which a specific regulation on notification will be formulated. Processing without proper notification is then likely to result in sanctions.
This article was written with the assistance of materials provided by Mr Ken Yang, Office for Personal Data Protection, Government of Macao SAR, but responsibility for any interpretation and comments remains with the author. The website of the OPDP is at <http://www.gpdp.gov.mo/en/> and the Act is available there in English.