Macau May Step Up Data Protection Enforcement


By Lien Hoang

Aug. 27 — An official from Macau's data protection authority said Aug. 26 the agency would seek permanent status so it can sign international agreements and boost investigations.

Luis Manuel Pacheco de Matos Rolo, senior officer at the Office for Personal Data Protection, admitted his office hasn't aggressively punished privacy violations. But now it is petitioning lawmakers to recognize the office as a permanent arm of the government in Macau, a semi-autonomous Chinese territory similar to Hong Kong.

“The benefit is that we will get full investigative powers,” Rolo told Bloomberg BNA in Singapore on the sidelines of the inaugural Data Privacy Asia conference.

He said in a speech that the DPA has relied on the legislature to renew its mandate every three years since launching in 2007. He hopes the legislature will take up the request for a permanent endorsement by the end of 2015.

Privacy of Gamblers

Fines and imprisonment haven't been a priority, Rolo said, adding that his office doesn't have prosecutorial authority. Instead, it has focused on giving companies “recommendations” and “guidance” after they violate Macau's privacy rules, he said.

But some have been sanctioned in the gambling capital, including a $2,500 fine to the Wynn Resorts Ltd. casino for unlawfully transmitting customer information. According to the Central Intelligence Agency Factbook, gaming industry revenues constituted 83 percent of Macau's tax revenues in 2014, making the industry an important sector for the regulation of customer privacy.

“Even today, the degree of compliance may not be very good,” Rolo said.

Macau's Personal Data Protection Act took effect in 2005.

Controlling Cross-Border Data

Rolo said he also wants to increase international cooperation. Most data activity in Macau, a dense city of 640,000 people, involves some movement of information abroad. A former Portuguese colony, it was the first government in Asia to set up cross-border restrictions modeled on those of the European Union. That is, the data protection office reviews transfer requests on a per-case basis to decide if the recipient country has sturdy privacy safeguards.

“That creates a really, very tricky problem for our office,” Rolo said. “We have problems regarding jurisdiction once the data is outside.”

He gave the hypothetical example of a company just outside Macau spamming residents with marketing calls, which would be hard for the DPA to block.

If his office gains full legal status, Rolo said it could negotiate deals with foreign counterparts, such as its top goal of joining the International Conference of Data Protection and Privacy Commissioners.

Investigations to Increase

While Rolo expects more enforcement in the future, he said inspections have already started to rise.

He pointed to several cases. One hospital worker was sentenced to 16 months in prison for snooping through patient records, while in another case, a website owner received a six-month sentence for identifying casino debtors in a name-and-shame crusade.

Sanctions max out at two years in prison and 80,000 pataca per infraction.

Macau's DPA has been mainly “reactive,” according to Rolo. “We are mostly complaint-driven,” he said.

To contact the reporter on this story: Lien Hoang in Singapore at correspondents@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com

An unofficial translation of Macau's Personal Data Protection Act is available at http://www.gpdp.gov.mo/uploadfile/2013/1217/20131217120421182.pdf.