Personal Privacy Protection for Data Subjects in Macau
The Personal Data Protection Act (Act 8/2005) is a data privacy law that was passed in Macau in 2005. Much like the city of Hong Kong, Macau is a city and special administrative region of the People’s Republic of China. Due to this designation, Macau does not fall under the jurisdiction of China’s Personal Information Security Specification or the Chinese Cybersecurity Law. As such, the Personal Data Protection Act (Act 8/2005) is the foremost legislation within Macau as it relates to data protection and privacy. To this point, the Personal Data Protection Act (Act 8/2005) sets forth the legislative guidelines and grounds that data controllers and processors within the region are required to follow.
How are data controllers and processors defined under the law?
Under the Personal Data Protection Act (Act 8/2005), the term data controller is defined as “A natural or legal person, public entity, agency, or any other body which has the capacity to decide, independently or in collaboration with others, the purposes of personal data processing and the means of personal data processing”. Conversely, a data processor is defined as “A natural or legal person, public entity or agency, or any other body which processes personal data on behalf of the controller”. What’s more, the law also defines data subjects as “Any individual person to whom the data being processed pertains”. Under the Personal Data Protection Act (Act 8/2005), personal data is defined as “Any information of any type, irrespective of the type of medium involved, including sound and image, relating to an identified or identifiable natural person”.
As it relates to the scope and application of the law, the Personal Data Protection Act (Act 8/2005) applies to all entities that engage in data processing activities within Macau, including the collection, processing, and transmission of personal data throughout the region. Moreover, the territorial scope extends to both data controllers and processors who are based in Macau, as well as data processing activities done via “a computer or data communication network access provider established in Macau”. Additionally, the material scope of the law “applies to the processing of personal data, wholly or partly, by automatic means, and to the processing, otherwise than by automatic means, of personal data which form or is intended to form part of a manual filing system”. Conversely, the material scope of the law does not apply to data processing done in the context of purely personal or household activities.
What are the requirements of data controllers and processors under the law?
Under the Personal Data Protection Act (Act 8/2005), data controllers and processors are required to observe the following principles when collecting, processing, and transferring personal data:
- Transparency – Data processing must be done in a manner that is transparent, and in strict compliance with the privacy of data subjects.
- Lawful basis for processing – Personal data must be processed in a manner that is lawful and in compliance with the principles of good faith, as well as the rights, freedoms, and guarantees afforded to all citizens of Macau under other laws and regulations.
- Purpose limitation – Personal data may only be collected and processed for lawful, specific, and determined purposes, which are directly related to the activities of data controllers or processors. Any collection or processing of personal data outside of these purposes is prohibited.
- Data minimization – While the law does not specifically outline how data controllers or processors should observe this principle, it is included in the law.
- Proportionality – All personal data that is collected and processed must be pertinent, adequate, and non-excessive with respect to the purposes for which said personal data had been collected and processed.
- Confidentiality – Data controllers and processors must comply with security measures for the purposes of maintaining the security, confidentiality, and integrity of personal data that has been collected or processed.
- Storage limitation – Personal data must be kept in a manner that allows for the identification of applicable data subjects, for no period longer than is necessary to fulfill the purposes for which said personal data was collected or processed.
What are the rights of data subjects under the Personal Data Protection Act (Act 8/2005)?
Under the Personal Data Protection Act (Act 8/2005), data subjects within Macau are entitled to the following data protection and privacy rights:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to object or opt-out.
- The right not to be subject to automated decision-making.
- The right to indemnification.
In terms of penalties for non-compliance, violations of the Personal Data Protection Act (Act 8/2005) are enforced through the Penal Code of Macau. To this end, data controllers and processors who fail to comply with the law are subject to a monetary fine ranging from MOP 12,000 to MOP 2.4 million ($1,459-$291,955), as well as a term of imprisonment of up to two years. Furthermore, data controllers and processors also face a temporary prohibition of the collection and processing of personal data, as well as a legal order to either partially or fully erase any personal data in their possession.
Much like Hong Kong’s Personal Data Privacy Ordinance, or the PDPO for short, the Personal Data Protection Act (Act 8/2005) provides data and privacy protection for data subjects within Macau. As the region does not fall under the jurisdiction of the laws and regulations of mainland China, legislation was needed in order to protect the personal data and privacy of Macau citizens. As such, the Personal Data Protection Act (Act 8/2005) provides data subjects within Macau with a means to receive justice should they have their rights infringed as it relates to data protection and personal privacy.