This post was written by Cynthia O’Donoghue.

Macau, Hong Kong and Taiwan have been flexing their data protection muscles. Macau’s Office for Personal Data Protection (“OPDP”) is investigating the transfer of data from the Asian subsidiary of Las Vegas Sands to the United States. Hong Kong has just passed the Personal Data (Privacy) (Amendment) Ordinance that increases penalties and introduces new offences. Taiwan has added stronger enforcement powers to its Personal Information Protection Act (“PIPA”).

In Macau, the OPDP is investigating Sands China Limited’s subsidiary, Venetian Macau Limited, for potential violations of Macau’s privacy laws, which prohibit the unsanctioned transfer of personal data to foreign jurisdictions, such as to the United States. The investigation relates to the movement of files from Macau to the United States relevant to a 2010 lawsuit. Violations of Macau’s 2005 Personal Data Protection Act (“PDPA”) can be subject to civil and criminal penalties, with fines per violation of 80,000MOP (around $10,000) and a maximum jail sentence of two years. Macau has previously fined Google 30,000MOP for breaching the PDPA.

Hong Kong enacted an amendment to the Personal Data (Privacy) Ordinance passed in June, 2012. However, most provisions will come into effect 1 October 2012. The changes particularly affect organisations engaged in direct marketing or that provide data for direct marketing. The Privacy Commissioner’s Office (“PCO”) is scheduled to provide guidance on the new compliance regime, which includes enforcement powers for the PCO such as fines of between HK$500,000 and HK$1 million ($64,500 – $129,000). The maximum fine is for a new offence designed to address malicious disclosure of personal data without consent, where the perpetrator has made financial gain, caused financial loss, or caused psychological harm to the data subject. The new law also includes:

  • An exemption relating to the use of personal data in relation to due diligence
  • Requirements for data users to adopt contractual means to prevent personal data that has been transferred to a data controller from being kept longer than necessary, and to prevent unauthorised access, unauthorised use or loss of personal data 
  • A new right for individuals who have suffered harm as a result of a breach of the Data Protection Law to apply to the PCO for assistance

Taiwan amended its Computer Processed Personal Data Protection Act (“CPPDPA”) more than two years ago when it enacted the new Personal Information Protection Act (“PIPA”). PIPA is finally set to come into force next year, but the legislature can continue to make further amendments up until 30 April 2012. Enforcement under the old CPPDPA had been haphazard and intermittent, mainly because there has been no single agency responsible for enforcement. Under PIPA, the Ministry of Justice has been identified as the agency responsible for coordinating enforcement. Recently, however, Taiwan’s financial services regulator (the “FSC”) imposed substantial fines against banks on privacy-related grounds, rather than wait for PIPA to be enacted. In March 2012, the FSC fined two insurance brokers NT$600,000 ($20,000) each for illegally releasing personal data to a life insurance company.