Applicability of the Macau Personal Data Protection Act (Act 8/2005)

Data protection in Macau (China) is governed by specific legislation that establishes the legal framework for personal data processing activities. The primary role of regulating personal data protection in Macau is fulfilled by the Personal Data Protection Act (Act 8/2005) or the Lei n.º 8/2005 – Lei da Protecção de Dados Pessoais, which serves as the principal legal instrument governing personal data protection within the jurisdiction. The Personal Data Protection Act (Act 8/2005) was adopted on August 22, 2005 and became effective on February 18, 2006.

The Personal Data Protection Act (PDPA) of Macau establishes a comprehensive framework for data protection, with specific provisions determining its applicability.

Material Applicability Factors

The PDPA's material scope is defined by several key factors:

Automated Means Criterion

PDPA Art.3(1):

"This Act shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a manual filing system or which are intended to form part of a manual filing system."

This provision extends the PDPA's applicability to all forms of automated data processing, whether fully or partially automated. This broad scope ensures that the law covers a wide range of technological applications in data processing.

Filing System Criterion

The same article also addresses non-automated processing:

PDPA Art.3(1):

"This Act shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a manual filing system or which are intended to form part of a manual filing system."

This criterion extends the law's reach to structured manual data processing, ensuring that personal data in organized paper-based systems are also protected.

Prospective Filing System Inclusion

The PDPA also covers data intended for future inclusion in filing systems:

PDPA Art.3(1):

"This Act shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a manual filing system or which are intended to form part of a manual filing system."

This forward-looking provision ensures that data collected with the intention of future systematic organization falls under the law's protection.

Personal and Domestic Use Exemption

The PDPA provides a limited exemption for personal or household activities:

PDPA Art.3(2):

"This Act shall not apply to the processing of personal data carried out by a natural person in the course of a purely personal or household activity, except where for the purposes of systematic communication and dissemination."

This exemption recognizes the need for privacy in personal activities but limits it to truly private contexts, excluding activities involving systematic communication or dissemination.

Territorial Applicability Factors

The PDPA's territorial scope is determined by several factors:

Processing by Entity Registered or Incorporated in Jurisdiction

PDPA Art.3(3):

"This Act shall apply to video surveillance and other forms of capture, processing and dissemination of sound and images allowing persons to be identified, provided the controller is domiciled or based in the Macao Special Administrative Region (the MSAR) or makes use of a computer or data communication network access provider established on the MSAR territory."

This provision clearly establishes the PDPA's applicability to entities with a physical presence in Macau.

Use of Equipment Within Jurisdiction

The same article extends the law's reach to entities using Macau's technological infrastructure:

PDPA Art.3(3):

"This Act shall apply to video surveillance and other forms of capture, processing and dissemination of sound and images allowing persons to be identified, provided the controller is domiciled or based in the Macao Special Administrative Region (the MSAR) or makes use of a computer or data communication network access provider established on the MSAR territory."

This factor ensures that even controllers not based in Macau are subject to the PDPA if they utilize local equipment or network providers.

Monitoring Data Subjects Within Jurisdiction

The PDPA specifically addresses monitoring activities:

PDPA Art.3(3):

"This Act shall apply to video surveillance and other forms of capture, processing and dissemination of sound and images allowing persons to be identified, provided the controller is domiciled or based in the Macao Special Administrative Region (the MSAR) or makes use of a computer or data communication network access provider established on the MSAR territory."

This provision extends the law's applicability to various forms of monitoring technologies that can identify individuals within Macau.

National Security and Law Enforcement Exemption

The PDPA acknowledges potential exemptions for public safety and law enforcement:

PDPA Art.3(4):

"This Act shall apply to the processing of personal data regarding public safety without prejudice to special rules in instruments of international law and inter-regional agreements to which the MSAR is bound and specific laws pertinent to public safety and other related regulations."

This provision allows for flexibility in applying the PDPA to public safety and law enforcement activities, recognizing the potential need for specific rules in these areas.

Conclusion

The Personal Data Protection Act of Macau covers both automated and manual data processing, extends to entities using local infrastructure, and specifically addresses monitoring activities.