The Organising Committee of Civil Referendum (OCCR) received a communication from the Office of Personal Data Protection (GPDP) on 21 July 2015 about a written hearing on the administrative offense of “transfer of data”. In the letter, the GPDP demanded OCCR’s response to the accusation in 15 days, however, at the same time, offered a new explanation of the legality of the processing of personal data for the purposes of civil referendum.
A paragraph in GPDP’s letter reads “Generally speaking, your organisation collected the personal data of the voters with their explicit consent, in compliance with Article 6 of the “Personal Data Protection Law”… Based on the present information, consent made by people aged 16 may not be denied.”
Residents of Macau should be able to clearly recall that in 2014 the whole Macau SAR government denounced the “illegal” civil referendum in an unprecedentedly high-profile manner. The GPDP claimed the collection of personal data for the purposes of civil referendum was “illegitimate”, thus, the consent of the voters would be “invalid.”
The OCCR reiterates that the Court of Final Instance stated in the judgement no. 100/2014 that the realization of “referendum” is a praeter legem act (a realização de “referendo” é um acto praeter legem) and the citizens can carry out all acts not prohibited by law. The court has debunked the claim of the illegality of civil referendum.
In early September 2014 the OCCR made a complaint to the Public Prosecution Office (MP) against the officials who had allegedly orchestrated the illegal suppression of the civil referendum, violating the freedom of citizens organising and taking part in an unofficial referendum. However, the OCCR has not received a reply from the MP.
Although the GPDP now gives “a new interpretation” of the legality of the civil referendum, the GPDP may be just seeking to “punish” the civil referendum in another way. The GPDP is now accusing the OCCR of not using servers in Macau and “transferring” the personal data of voters to a third country.
The Personal Data Protection Law of Macau is rooted in EU Directive 95/46/EC according to the GPDP. In GPDP’s letter, an EU position paper on “The transfer of personal data to third countries” was cited in an attempt to support the accusation. However, in the same manner as how the court judgement had been distorted, the GPDP garbled the EU document. In the paper, it is stated that “[a]gainst this background and although there is not yet a formal definition of ‘transfer of personal data’, controllers should consider that this term would normally imply the following elements: communication, disclosure or otherwise making available of personal data, conducted with the knowledge or intention of a sender subject to the Regulation that the recipient(s) will have access to it.……The term would therefore cover both ‘deliberate transfers’ and ‘permitted access’ to data by recipient(s). … On the other hand, the mere fact that information might or will cross international borders to its destination due to the way in which networks are structured would not automatically trigger the concept.” The GPDP has been informed of the security measures implemented by the OCCR that no one, not even the cloud service provider, except the authorised representative of the organiser had access to the data. Based on the definition found in the paper cited by the GPDP, the processing of personal data in our case should not constitute “transfer of personal data (to third countries).”
More importantly, the way that GPDP has handled complaints alleging “transfer of data” appears very inconsistent. In a case which a (pro-establishment) association had received personal data online for event registration without informing the residents the location of server, the GPDP said that “based on the fact that the personal information, except being processed by the [cloud service provider], was neither passed to another party nor leaked. Without further concrete evidence, we close the file for now.” In very similar circumstances, if the GPDP decides in the future to fine the OCCR, the GPDP may be in violation of the Principle of Equality and Proportionality, Principle of Fairness and Impartiality, and the Principle of Good Faith enshrined in the Code of Administrative Procedure.
It is a matter of fact that there is no cloud service provide in Macau targeting the affordability of small enterprises and ordinary associations. Many Macau-based business organisations and associations choose to use non-local servers. Ordinary internet users in Macau may not assume that the servers hosting Macau websites are necessarily located in Macau.
Some suggest a low possibility of the incumbent GPDP head Vasco Fong having no knowledge of CCAC’s talk with the Italian company HackingTeam over the acquisition of software with intrusive capabilities in 2013 as a former Commissioner against Corruption. Vasco Fong’s passion to protect residents’ privacy may be called into question. Still, the OCCR expects Fong to carry out his duties in accordance with law.
After receiving the GPDP’s letter on 21 July 2015, on the next day (22 July 2015) the OCCR requested for the Portuguese version of the letter. On 24 July 2015, the OCCR visited the GPDP in person to request for the photocopies of the file. The OCCR waited for a week without hearing an update from the GPDP about the Portuguese translation and the photocopies. On 31 July 2015, the OCCR requested for extending the period of written haring from 15 days to 30 days. On the day before the last day of the hearing period (4 August 2015) the GPDP called the OCCR to collect the photocopies. Yesterday (5 August 2015), on the last day of the hearing period, the OCCR had no choice but to turn in a defence written without a fully analysis of the materials in the file. The OCCR regrets that the OCCR’s right to access to information was not respected and the GPDP allegedly has failed to observe the Principle of Collaboration between the Administration and Individuals set forth in the Code of Administrative Procedure.