Jason Chao holding a referendum poster
Authorities are “seeking another approach to ‘punish’ the civil referendum,” which was organized by pro-democracy civil groups during the Chief Executive election last year, claimed political activist Jason Chao yesterday.
Chao disclosed details of a “confidential” official letter that was issued recently by the Office of Personal Data Protection (GPDP), and pointed out that the office has recognized the legitimacy of collecting personal data for the unofficial referendum. Instead, the letter indicates that the data was collected through a Cloud server that was located outside Macau. This could be seen as an administrative offense of “transfer of personal data to other countries” and could result in a fine of up to MOP80,000.
The referendum – conducted in the form of online public polling – was jointly organized by Macau Conscience, Macao Youth Dynamics and the Open Macau Society. More than 8,600 people cast their votes on whether the Macau SAR’s Chief Executive (CE) should be elected through universal suffrage, or whether they approved of Chui Sai On’s certain re-election as the sole candidate.
As the government quickly responded to the poll by denouncing its legality, the GPDP claimed that the referendum organizer’s collection of personal data had violated the Personal Data Protection Law. This was due to the “invalidity” of voters’ consent, a factor determined by the activity’s “illegitimate purpose.”
Jason Chao said that the GPDP has now backflipped in its interpretation of the issue, as the office now admits that the data was collected in compliance with the relevant legal clause. However, it went on to accuse the referendum organizer of “not using data servers in Macau and transferring the voters’ personal data to other territories.”
The activist revealed to media yesterday the nature of GPDP’s letter, which was stamped as “confidential.” In the letter, the authorities point out that “the referendum website [that was] set up for online voting was based on a server located in the United States. The data security service was also provided by a foreign company called CloudFlare, whose data centers were scattered in several countries.”
As informed by the letter, the referendum organizer is facing the accusation of committing the administrative offense of “transfer of personal data,” and thereby faces a possible fine of MOP8,000 to MOP80,000.
Having submitted a response to the GPDP’s written hearing on Wednesday’s deadline, Jason Chao stated, “The processing of personal data in our case should not constitute ‘transfer of personal data’ based on the referred definition.”
He said that the implementation of security measures for online voting and data processing had ensured that “no one, not even the Cloud service provider, had access to the data, except the authorized representative of the referendum organizer.”
Moreover, he highlighted the GPDP’s stance that “it was with voters’ explicit consent that the organizer collected their personal data, (…) whereas the consent given by voters aged 16 and above cannot be denied.”
“In fact, the Court of Final Instance’s ruling has also debunked the claim of the unofficial referendum’s illegality, because it’s an activity not regulated by law and citizens can carry out any acts that are not prohibited by law,” Chao said, adding that the GPDP is “just seeking to ‘punish’ the civil referendum in another way.”
No Comments