Effective Approach in Implementation of Data Protection Law: Macao’s Experiences
Ken Yang
Office for Personal Data Protection
Macao SAR
Macao at a Glance
Small city with high population density
• Size: 29.9 km² in 2011 (11.6 km² in 1912)
• Population: 560 thousand (about 94% are ethnic Chinese)
• 60 km away from Hong Kong
A Special Administrative Region
• In the early 1550s the Portuguese reached Macao
• Ruled by Portuguese Administration before handover to China (Dec. 20th, 1999)
• Like Hong Kong, benefits from the principle of "one country, two systems".
• Legal system: civil law system
A tourist city

| Visitors | 2010 | 2011 |
|---|---|---|
| Total | 24 965 411 | 28 002 279 |
| From Malaysia | 338 058 (1.4%) | 324 509 (1.2%) |
Macao WORLD HERITAGE
The Historic Center of Macao
• the perfect crossroad for the meeting of East and West cultures
Brief Introduction of Macao’s Personal Data Protection Act
• Passed: August 2005
• Entry into force: February 2006
• It covers both public and private sectors
• It covers automatic data processing, as well as systematic manual processing
• It relates to the EU Directive
• Supervising authority – GPDP
Definition of personal data
• any information of any type, irrespective of the type of medium involved, including sound and image, relating to an identified or identifiable natural person
Legitimacy of data processing
• the data subject has unambiguously given his consent,
• or processing is necessary for:
  (1) performance of contracts or to take steps prior to entering into a contract;
  (2) compliance with a legal obligation;
  (3) protecting the vital interests of the data subject who is incapable of giving his consent;
  (4) performance of a task in the public interest or in the exercise of official authority;
  (5) pursuing the legitimate interests of the controller not overridden by the interests for fundamental rights, freedoms and guarantees of the data subject.
Sensitive data
• personal data revealing philosophical or political beliefs, political society or trade union membership, religion, privacy and racial or ethnic origin, and the processing of data concerning health or sex life, including genetic data
Legitimacy of data processing: Additional
• Data processing is prohibited, except:
  (1) authorised by a legal provision;
  (2) on important public interest grounds, and authorised by the public authority;
  (3) the data subject’s explicit consent.
  (4) Some other derogations defined in the PDPA (Article 7)
Suspicion of illegal activities, criminal and administrative offences
• personal data relating to persons suspected of illegal activities, criminal and administrative offences and decisions applying penalties, security measures, fines and additional penalties
Legitimacy of data processing: Additional
• Defined in Article 8 of the PDPA
Data quality
(1) lawfulness, principle of good faith;
(2) for specified, explicit, legitimate purposes; not incompatible with those purposes;
(3) adequate, relevant and not excessive;
(4) accurate
(5) kept for no longer than is necessary for the purposes
Rights of the data subject
• Rights to information
• Right of access, rights to rectify
• Right to object
• Right not to be subject to automatic individual decisions
• Rights to indemnification
Data security
• General security – technical and organizational measures (Article 15)
• Special security measures (Article 16)
• Processing by a processor (Article 17)
• Professional secrecy (Article 18)
Transfer of data outside Macao
• The destination shall have an adequate level of personal data protection
• Derogations:
  - With notification to GPDP
  - Authorized by GPDP
Sanctions
• Administrative offences (fine from MOP $4,000 to MOP $200,000)
• Crimes (maximum: 4 years imprisonment)
• Additional penalties (prohibition of processing, blocking, erasure or destruction of data, public warning)
The roles of GPDP
• Supervision and coordination
• Establishment of regimes (including issuing guidelines)
• Handling complaints and enquiries (Both data controllers and data subjects need that)
• Publicity & Education (Privacy awareness is always important)
• Analyses & research (There is always something new)
Work statistics (2007-2011)

| Works | Number of cases |
|---|---|
| Investigations | 253 |
| Consultations | 2296 |
| Notifications | 1129 |
| Applications for Opinion | 154 |
| Applications for Authorizations | 244 |
Approaches of implementation
Principle
• Education first
Considering:
• History
• Culture
• Readiness of data controllers
• Awareness of the general public
Promotion - Work on public education
Targets:
• data controllers
• general public
• youth
Means 1 – Understanding the PDPA
• Briefing sessions
• Seminars
• Training courses
• Conferences
From 2007-2011
• Sessions: more than 230
• Attendees: more than 9000
Means 2 – Publications
• Annual Reports
• Newsletters
• Booklets and Pamphlets
• Column stories in newspaper - “Privacy & You”
Means 3 – Videos
• Video clips competition
• Advertising videos
Means 4 – Promotional items
• Distributed on different occasions
• Attract different target populations
• An effective marketing approach
Means 5 – Website www.gpdp.gov.mo
• To provide basic knowledge and information
• To provide case summaries
• To provide our legal opinions
• To provide our guidelines
• To provide translation of international documents
• In different languages
Supervision - Work on enforcement
Some statistics
• Investigations

| Year | Numbers |
|---|---|
| 2007 | 22 |
| 2008 | 35 |
| 2009 | 47 |
| 2010 | 63 |
| 2011 | 86 |
Some case highlights
Right to object:
• A bank continued to send SMS messages to a former client who had exercised his right to object and refused to receive any marketing messages from the bank. The bank was sanctioned with a MOP $4,000 fine.
Principle of proportionality:
• A self-employed decoration contractor X tried to collect an unsettled payment from citizen Y for the decoration work on Y’s residence. X held a press conference and disclosed Y’s residential address in full.
(cont.)
• This Office held the opinion that X’s disclosure of Y’s residential address in full was a violation of the principle of proportionality, and imposed a MOP $4,000 fine on X.
• As for Y’s complaint against two newspapers over their reports giving his residential address in full, this Office held the opinion that the freedom of the press was protected by the Publication Law, so Y could only lodge his complaint with the court through civil litigation.
Supervision (registration) – Notification and authorization
Notification
• The controller must notify GPDP in written form within eight days after the initiation of carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.
Exemptions issued by GPDP
• The public authority may authorise the simplification of or exemption from notification for particular categories of processing which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of the data subjects and to take account of criteria of speed, economy and efficiency.
Current exemptions
• Remunerations, Payments and Welfare Benefits
• Administration of Employees and Service Providers
• Non-Profit Legal Person’s Collection of Membership Fees or Contact with Members
• Billing and Contact Information of Clients, Suppliers and Service Providers
• Relating to Students
• Relating to Users of Libraries and Archives
• Registration of Entries and Exits of Visitors
• Recruitment
• Admission of students
Major difficulties
• The existing data processing when the PDPA came into force
• Lack of secondary legislation to define the detailed procedures
Implementation of the registration scheme - notification
• First of all, “notification” requirements apply to all new data processing after the PDPA’s coming into force.
• Secondly, GPDP needs to deal with the existing processing.
• The first stage (completed): progressive implementation in the public sector, issuance of exemptions
• The second stage: progressive implementation in the private sector – secondary legislation is now being drafted
Authorization
• The processing of sensitive data
• The processing of personal data relating to credit and the solvency of the data subjects.
• Combination / interconnection of data
• Change of purpose
• Extending the period of data retention
• Transferring personal data to destinations outside Macao without adequate level of personal data protection.
• First of all, “authorization” requirements apply immediately to all new data processing after the PDPA’s coming into force. No new data processing requiring GPDP’s authorization should be started without it.
• Existing ones without authorization by legal provisions should be either stopped or authorized by GPDP.
• “Combination” in the public sector is a problem.
Combination/interconnection of data
• “combination of data” shall mean a form of processing which consists of the possibility of correlating data in a filing system with data in a filing system or systems kept by another or other controllers or kept by the same controller for other purposes
The coordination on interconnections within the public sector
• Requested all government departments to check whether they had interconnections before the PDPA came into force.
• If yes, check whether there is legislation allowing it.
• If not, they must submit an application.
• Some departments decided to stop the practice, some got our authorization.
Coordination – guidelines
• Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring
• Processing clients’ data by the employment agencies
• Using attendance devices of biometric technologies
• Data retention in public agencies
• The right to information in indirect collection of personal data.
• Publication of personal data on the Internet.
Code of conduct
• A self-regulation model
• It shall be drawn up by the professional associations and other bodies representing some categories of data controller, not GPDP
• GPDP did encourage some industries to do so, but no successful case yet
Thank You