MACAU SAR, CHINA Law and Practice Contributed by: Pedro Cortés and Luís Rôlo, Lektou
3. Artificial Intelligence 3.1 Liability, Data Protection, IP and Fundamental Rights There is currently no specific legislation on arti - ficial intelligence (AI) in the MSAR (in this case, a shortened form of Macau SAR). However, the challenges presented by the processing of large amounts of data which include traditional enter - prise/company data, machine-generated/sen - sor data and social data, may concern, on the one hand, the type of data being transferred and generally processed in several networks and, on the other, the need to ensure that these networks are secure and compliant with personal data protection and cybersecurity legislation. Compliance With the PDPA One of the biggest challenges for entrepreneurs is compliance with the PDPA with regard to the processing of personal data under its mandatory principles, such as transparency, lawful basis for processing (including the strict observance of privacy rights and of the rights, freedoms and guarantees set out by the Macau Basic Law and applicable legislation), collection limited to spe - cific purposes, and proportionality, and the need to obtain the unequivocal consent of the data subject for the processing (or, alternatively, the need for processing for the purposes set out in the PDPA). As AI tools necessarily include the processing of large data sets which are often unorganised and may come from several jurisdictions with different personal data protection requirements, such challenge will force large corporations to have dedicated structures (such as chief data officers and ancillary teams or departments) to ensure that, in the processing of data, there is differentiation between general data and per - sonal data, and that such processing is done in
In the case of cloud computing, the data is likely to be stored in servers abroad – in the case of the transfer of personal data to a destination outside Macau, the PDPA determines that such transfer can only take place if the provisions of said law are respected and if the legal system of the destination ensures an adequate level of protection. Analysis is made on a case-by-case basis by the PDPB. The transfer to a legal system which does not ensure an adequate level of protection can be made by notification to the PDPB if the data subject has given their unequivocal consent for the transfer or if the transfer is necessary for the purposes set out in the law. It should be noted, however, that regarding sensitive data as well as credit and solvency, the need for authorisa - tion by the PDPB overrides the simple notifica - tion procedure, and the transfer cannot take place without such previous authorisation being obtained. Regarding specific industries such as banking and finance, the Macau Financial System Legal Regime (Law No 13/2023 ‒ RJSF) stipulates that the members of the governing bodies of credit institutions, their senior management officers, their workers, auditors, experts, agents and oth - er persons who provide services to them, wheth - er on a permanent or accidental basis, may not reveal or use, for their own or someone else’s benefit, information or knowledge that has come to them from the exercise of their functions, and includes in the information subject to secrecy the names and other data relating to customers, deposit accounts and their movements, invest - ment of funds and other banking transactions. Such duty of secrecy shall survive even after the functions referred to above have ended.
202 CHAMBERS.COM
Powered by FlippingBook