26 January 2017
The Office for Personal Data Protection (‘GPDP’) released, on 6 January 2017, a decision (‘the Decision’) regarding an organisation’s (‘the Organisation’) transfer of more than 10 individuals’ personal data, including identity certificates, from Macau to its server in Hong Kong; the data had been collected via the Organisation’s website for the purpose of the individuals’ visit to Mainland China. In particular, the GPDP fined the Organisation MOP 12,000 (approx. €1,410) for breaching the data transfer restrictions under Articles 19 and 20 of the Personal Data Protection Act 2005 (‘the Act’), because it neither notified the GPDP before the transfer nor obtained the individuals’ consent.
Michelle Chan and Clarice Yue, Partner and Senior Associate respectively at Bird & Bird, told DataGuidance, “The Decision sends a warning signal to businesses that carry out cross-border data transfers from Macau as it shows that the GPDP takes the provisions on cross-border data transfers under the Act seriously and will strictly enforce the provisions […] Whilst fines are rarely imposed solely based on non-compliance with data transfer requirements, it is not unprecedented. For example, in 2013, the GPDP imposed a fine of MOP 40,000 (approx. €4,670) on Venetian Macau, S.A. for breach of data transfer requirements.”
Article 19 of the Act provides that data transfers to a destination outside Macau may only take place subject to compliance with this Act and provided the legal system in the destination to which they are transferred ensures an adequate level of protection. In the Decision, the GPDP outlined that the transfer of personal data is in breach of Article 19, as the GPDP has not made such an adequacy decision. According to the Act, an organisation may rely on the exemptions provided in Article 20 in order to transfer personal data outside Macau, but must notify the GPDP before carrying out cross-border transfers of personal data. Article 20 provides several derogations from the data transfer restrictions, including obtaining data subjects’ consent.
The Decision stated that the Organisation’s server is located in Hong Kong, which means that the personal data had been transferred outside Macau for processing. The GPDP ordered the Organisation to delete the transferred data permanently and notify the data subjects that were affected.
Mark Parsons and Louise Crawford, Partner and Lawyer respectively at Hogan Lovells stated, “The Decision is a wake-up call not only to website operators but to all organisations in Macau that rely on IT infrastructure located outside Macau. These businesses should conduct a review of their data management practices to ensure they comply with the Act, including in relation to cross-border data transfers. The increasing reliance on cloud-based services raises particular data protection issues, because some organisations may be hosting personal data in multiple locations outside Macau without realising it.”
The GPDP stated that the fine took into consideration the number of individuals affected and the nature of the data involved. According to Article 33 of the Act, a breach of Articles 19 and 20 may result in a company being fined up to MOP 80,000 (approx. €9,310).
Chan and Yue concluded, “In the digital era, it is unavoidable for international businesses to transfer data from one jurisdiction to another. However, as the data transfer requirements in different jurisdictions may vary, it is vital for international businesses to come up with an overall policy in respect of data transfers across the applicable jurisdictions.”
Ningxin Xie | Privacy Analyst