New Report on Limits of “Consent” in Macau’s Data Protection Law

Introduction

Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the twelfth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).

This report provides a detailed overview of relevant laws and regulations in the Special Administrative Region of Macau, China (Macau SAR), including:

• notice and consent requirements for processing personal data;
• the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
• statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.

The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.

Macau’s Data Protection Landscape

The main data protection legislation in Macau SAR is the Personal Data Protection Act (Law No. 8/2005) (PDPA), which was significantly influenced by European data protection legislation, including Portugal’s Law No. 68/98 on the Protection of Personal Data, which implemented EU Directive 95/46/EC.

As such, the PDPA’s legal bases for processing personal data closely resemble those in the GDPR. These include consent, but also where processing is necessary:

• for the performance of a contract to which the data subject is a party; 
• to take steps at the request of the data subject when negotiating a contract;
• to comply with a legal obligation to which the controller is subject;
• to protect the vital interests of a data subject who is physically or legally incapable of giving consent;
• to carry out a task in the public interest or in the exercise of official authority;
• for pursuing the legitimate interests of the controller or a third party to whom the data is disclosed, subject to a “balancing test” between such interests and the fundamental rights, freedoms, and guarantees of the data subject.

The PDPA also empowers a public authority, the Office of Personal Data Protection (OPDP), to issue guidance on the PDPA, investigate possible breaches of the PDPA, and perform certain administrative duties, such as identifying jurisdictions which provide an adequate standard of data protection for purposes of cross-border data transfer. The OPDP has issued a number of guidelines on interpretation of the PDPA in different contexts, including several concerning the use of biometrics, as well as a large number of case notes from its enforcement actions.

Role and Status of Consent as a Basis for Processing Personal Data in Macau

Under the PDPA, consent of the data subject is one of several legal bases for processing both personal data and sensitive personal data. “Sensitive personal data,” refers to personal data:

• revealing a person’s philosophical or political beliefs, political association or trade-union membership, religion, privacy, and racial or ethnic origin;
• concerning a person’s health or sex life; or
• including a person’s genetic data.

Consent also functions as one of several legal bases for transferring personal data out of Macau SAR and can be used to legitimize transfer to a jurisdiction which does not ensure an adequate level of data protection as determined by the OPDP.

The PDPA defines consent of the data subject as any freely given, specific, and informed indication of the data subject’s wishes by which the data subject signifies agreement to processing of personal data relating to him/her.

For consent to qualify as informed, the data controller must provide certain information to the data subject either at the time that the data subjects’ personal data is collected or, if the personal data is to be disclosed to a third party, no later than the first time that the data is disclosed. This information includes:

• the identity of the data controller or its representative;
• the purpose of processing the personal data;
• any third parties to whom the personal data may be disclosed;
• whether the data subject is required to provide the data, and the consequences if the data subject does not provide the data; and
• the data subjects’ rights under the PDPA and how to exercise them.

Failure to comply with these notice requirements may give rise to an administrative fine under the PDPA.

In addition to these definitional requirements, the PDPA also requires that consent for processing and cross-border transfer of personal data should be “unambiguous” and that consent for processing sensitive personal data should be “explicit.” Failure to comply with requirements to obtain consent before transferring personal data out of Macau SAR may be subject to an administrative fine.

The PDPA imposes criminal sanctions on persons who access personal data without authorization or disclose personal data to third parties in breach of confidentiality obligations. These sanctions increase if certain aggravating factors are present, including where the wrongdoer benefits from such breaches.

Read the previous reports in the series here.