Effective Approach in Implementation of Data Protection Law: Macao's Experiences
Ken Yang
Office for Personal Data Protection
Macao SAR
Macao at a Glance
Small city with high population density
• Size: 29.9 km² in 2011 (11.6 km² in 1912)
• Population: 560 thousand (about 94% are ethnic Chinese)
• 60 km from Hong Kong
A Special Administrative Region
• In the early 1550s the Portuguese reached Macao
• Ruled by the Portuguese administration before the handover to China (20 December 1999)
• Like Hong Kong, benefits from the principle of "one country, two systems"
• Legal system: civil law system
A tourist city
Visitors by year (total, and number from Malaysia with its share of the total):

Year   Total        From Malaysia
2010   24 965 411   338 058 (1.4%)
2011   28 002 279   324 509 (1.2%)
Macao World Heritage
The Historic Center of Macao
• the perfect crossroad for the meeting of East and West cultures
Brief Introduction of Macao's Personal Data Protection Act (PDPA)
• Passed: August 2005
• Entry into force: February 2006
• It covers both the public and the private sector
• It covers automatic data processing, as well as systematic manual processing
• It is modelled on the EU Data Protection Directive
• Supervisory authority: GPDP (the Office for Personal Data Protection)
Definition of personal data
• any information of any type, irrespective of the type of medium involved, including sound and image, relating to an identified or identifiable natural person
Legitimacy of data processing
• the data subject has unambiguously given his consent,
• or processing is necessary for:
(1) performance of a contract, or to take steps prior to entering into a contract;
(2) compliance with a legal obligation;
(3) protecting the vital interests of a data subject who is incapable of giving his consent;
(4) performance of a task in the public interest or in the exercise of official authority;
(5) pursuing the legitimate interests of the controller, where these are not overridden by the interests or fundamental rights, freedoms and guarantees of the data subject.
Sensitive data
• personal data revealing philosophical or political beliefs, political society or trade union membership, religion, privacy, and racial or ethnic origin, and the processing of data concerning health or sex life, including genetic data
Legitimacy of data processing: Additional
• Processing of sensitive data is prohibited, except when:
(1) authorised by a legal provision;
(2) on important public interest grounds, and authorised by the public authority;
(3) the data subject has given explicit consent;
(4) some other derogation defined in the PDPA (Article 7) applies.
Suspicion of illegal activities, criminal and administrative offences
• personal data relating to persons suspected of illegal activities, criminal and administrative offences, and to decisions applying penalties, security measures, fines and additional penalties
Legitimacy of data processing: Additional
• The processing of such data is governed by Article 8 of the PDPA
Data quality
(1) lawfulness, principle of good faith;
(2) collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes;
(3) adequate, relevant and not excessive;
(4) accurate;
(5) kept for no longer than is necessary for the purposes.
Rights of the data subject
• Right to information
• Right of access, right to rectify
• Right to object
• Right not to be subject to automated individual decisions
• Right to indemnification
Data security
• General security – technical and organizational measures (Article 15)
• Special security measures (Article 16)
• Processing by a processor (Article 17)
• Professional secrecy (Article 18)
Transfer of data outside Macao
• The destination shall have an adequate level of personal data protection
• Derogations:
- with notification to GPDP
- authorized by GPDP
Sanctions
• Administrative offences (fine from MOP $4,000 to MOP $200,000)
• Crimes (maximum: 4 years' imprisonment)
• Additional penalties (prohibition of processing; blocking, erasure or destruction of data; public warning)
The roles of GPDP
• Supervision and coordination
• Establishment of regimes (including issuing guidelines)
• Handling complaints and enquiries (both data controllers and data subjects need this)
• Publicity and education (privacy awareness is always important)
• Analyses and research (there is always something new)
Work statistics (2007-2011)

Work                            Number of cases
Investigations                  253
Consultations                   2296
Notifications                   1129
Applications for Opinion        154
Applications for Authorization  244
Approaches of implementation
Principle
• Education first
Considering:
• History
• Culture
• Readiness of data controllers
• Awareness of the general public
Promotion – Work on public education
Targets:
• data controllers
• general public
• youth
Means 1 – Understanding the PDPA
• Briefing sessions
• Seminars
• Training courses
• Conferences
From 2007-2011
• Sessions: more than 230
• Attendees: more than 9000
Means 2 – Publications
• Annual Reports
• Newsletters
• Booklets and Pamphlets
• Column stories in the newspaper: "Privacy & You"
Means 3 – Videos
• Video clips competition
• Advertising videos
Means 4 – Promotional items
• Distributed on different occasions
• Attract different target populations
• An effective marketing approach
Means 5 – Website
www.gpdp.gov.mo
• To provide basic knowledge and information
• To provide case summaries
• To provide our legal opinions
• To provide our guidelines
• To provide translations of international documents
• Available in different languages
Supervision – Work on enforcement
Some statistics
• Investigations per year:

Year   Number
2007   22
2008   35
2009   47
2010   63
2011   86
Some case highlights
Right to object:
• A bank continued to send SMS messages to a former client who had exercised his right to object and refused to receive any marketing messages from the bank. The bank was sanctioned with a MOP $4,000 fine.
Principle of proportionality:
• A self-employed decoration contractor X tried to collect an unsettled payment from citizen Y for decoration work at Y's residence. X held a press conference and disclosed Y's residential address in full.
• This Office held the opinion that X's disclosure of Y's residential address in full was a violation of the principle of proportionality, and imposed a MOP $4,000 fine on X.
• For Y's complaint against two newspapers over their reports carrying his residential address in full, this Office held the opinion that the freedom of the press was protected by the Publication Law; Y could only lodge his complaint with the court through civil litigation.
Supervision (registration) – Notification and authorization
Notification
• The controller must notify GPDP in written form within eight days after the initiation of any wholly or partly automatic processing operation, or set of such operations, intended to serve a single purpose or several related purposes.
Exemptions issued by GPDP
• The public authority may authorise the simplification of, or exemption from, notification for particular categories of processing which, taking account of the data to be processed, are unlikely to adversely affect the rights and freedoms of the data subjects, and to take account of criteria of speed, economy and efficiency.
Current exemptions
• Remunerations, Payments and Welfare Benefits
• Administration of Employees and Service Providers
• Non-Profit Legal Persons' Collection of Membership Fees or Contact with Members
• Billing and Contact Information of Clients, Suppliers and Service Providers
• Relating to Students
• Relating to Users of Libraries and Archives
• Registration of Entries and Exits of Visitors
• Recruitment
• Admission of Students
Major difficulties
• Data processing that already existed when the PDPA came into force
• Lack of secondary legislation defining the detailed procedures
Implementation of the registration scheme – notification
• First of all, "notification" requirements apply to all new data processing started after the PDPA came into force.
• Secondly, GPDP needs to deal with the existing processing.
• The first stage (completed): progressive implementation in the public sector, issuance of exemptions
• The second stage: progressive implementation in the private sector – now drafting secondary legislation
Authorization
Processing requiring GPDP's authorization:
• The processing of sensitive data
• The processing of personal data relating to credit and the solvency of the data subjects
• Combination / interconnection of data
• Change of purpose
• Extending the period of data retention
• Transferring personal data to destinations outside Macao without an adequate level of personal data protection
Implementation of the registration scheme – authorization
• First of all, "authorization" requirements applied immediately to all new data processing after the PDPA came into force. No new data processing requiring GPDP's authorization should be started without it.
• Existing processing not authorized by a legal provision should be either stopped or authorized by GPDP.
• "Combination" of data in the public sector is a problem.
Combination/interconnection of data
• "combination of data" shall mean a form of processing which consists of the possibility of correlating data in a filing system with data in a filing system or systems kept by another or other controllers, or kept by the same controller for other purposes
The coordination on interconnections within the public sector
• Requested all government departments to check whether they had interconnections in place before the PDPA came into force.
• If yes, check whether there is legislation allowing it.
• If not, they must submit an application for authorization.
• Some departments decided to stop the practice; some obtained our authorization.
Coordination – guidelines
• Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring
• Processing of clients' data by employment agencies
• Using attendance devices based on biometric technologies
• Data retention in public agencies
• The right to information in the indirect collection of personal data
• Publication of personal data on the Internet
Code of conduct
• A self-regulation model
• It shall be drawn up by the professional associations and other bodies representing categories of data controllers, not by GPDP
• GPDP has encouraged some industries to do so, but there is no successful case yet
Thank You