As one of the four core cities in the Greater Bay Area, Macau is playing a key role in building the Guangzhou-Zhuhai-Macau science and technology innovation corridor with the strong support of China. As the core link that gears the urban industrial diversification up with the national dual circulation economic strategy, investing in the tech industry has become a consensus across the general public. Under the keynote of building Macau into a smart city, many digitization policies and smart infrastructures have emerged, covering smart government services, smart transportation systems, smart tourism, and smart medical care. In the process of promoting digital innovation, the construction of smart city infrastructures stands on top of all other priorities.

To protect cybersecurity and personal data, the Office for Personal Data Protection (GPDP) independently operates under the supervision of the Chief Executive to oversee and coordinate the compliance of the Personal Data Protection Act, and the implementation of established confidentiality and supervision regulations. In addition, the GPDP is restructuring the regulatory framework to support technological innovation and promote innovation in the industry.

Regulators:
In accordance with the Macau Cybersecurity Law (No.13/2019, the MCSL), the supervisory entities include public administrative agencies or authorities, who shall: (1) ensure that the obligations under this law and technical specifications are fulfilled; (2) supervise the cybersecurity-related plans and actions of critical infrastructure operators; and (3) exercise the penalty authority regulated by this law. Specifically, the Judiciary Police is responsible for the general administration and supervision of Cybersecurity Incidents Alert and Response Center (CARIC); the Public Administration and Civil Service Bureau (SAFP) supervises public critical infrastructure operators; and private critical infrastructure operators are supervised by public entities established based on administrative regulations.
The Office for Personal Data Protection (GPDP) has oversight of personal data protection in Macau.

General Security Laws:
To better regulate the cybersecurity system in Macau SAR (China), the government of Macau SAR (China) announced the Macau Cybersecurity Law (MCSL) on June 24, 2019 with the aim to ensure the cybersecurity, system security and data security of the operators of critical infrastructures. The MCSL applies to the public and private operators of critical infrastructures.
The cybersecurity system of Macau SAR (China) consists of the following entities:
1. Commission for Cybersecurity
2. Cybersecurity Incidents Alert and Response Center (CARIC)
3. Supervisory Entities for Cybersecurity
The MCSL defines the obligations of critical infrastructure operators and internet service providers, and the penalties of non-compliance.

General Privacy Laws:
Personal Data Protection Act (No. 8/2005, the PDPA) regulates the collection, processing, and cross-border transmission of personal data in Macau SAR (China).

Data Cross-Border Transfer Requirements:
Chapter 5 "Transfer of personal data outside the MSAR" of the PDPA provides regulations on the cross-border transfer of personal data. In any circumstances involving the cross-border transfer of information about a natural person collected in Macau, entities responsible for processing personal data must assess the legal and regulatory environments of destination places of personal data to ensure that the transferred personal data is adequately protected. At present, no country or region is listed in the transfer whitelist. If the transferred personal data involves sensitive information of a person, the transfer must be approved by the GPDP. Otherwise, the data may be transferred either with the express consent of the person involved, or after a notification to the PDPA under the five circumstances defined in Article 20 of the PDPA.

Overview:
Alibaba Cloud offers a high degree of flexibility in designing and implementing IT architectures in the cloud. In addition, Alibaba Cloud provides a public cloud, private cloud, and hybrid cloud to help enterprises in digital transformation. With proper solution design, on-cloud deployment can help the financial services sector meet regulatory requirements for security, availability, confidentiality, and performance. Alibaba Cloud has helped customers from the financial sector improve their business efficiency and user experience, relieve the burden of security compliance, and manage IT risks in the process of digital transformation.

Alibaba Cloud is committed to helping customers in compliance with the financial industry-specific regulatory requirements, including the initial high-level due diligence and risk assessment, registration of regulatory measures, solution design, cloud migration, and continuous monitoring of security compliance in the cloud. Alibaba Cloud provides a full suite of services and related best practices to help customers design and implement solutions on security compliance and privacy compliance.

Regulator:
The Monetary Authority of Macau (AMCM) stabilizes the financial system of Macau SAR (China), standardizes the regulations on the monetary, financial, foreign exchange, and insurance markets, and guides, coordinates, and supervises these markets to ensure their normal operation. In addition, the AMCM supervises the operators of these markets.

Regulations/Guidelines to look at when using cloud computing services:
The AMCM has published a series of circulars and guidelines to set out its latest supervisory policies, requirements, and guidance that LFIs are expected to follow regarding the management over technology outsourcing activities.
- Guideline on Outsourcing
- Business Continuity Management
- Incident Reporting Measures for Major Emergencies

Is cloud permitted?
Yes.

Is there any additional approval needed in cloud adoption?
The AMCM permits the use of cloud services by licensed financial institutions (LFIs). LFIs shall consult AMCM before signing an agreement to outsource major business activities or functions and, within 30 days after the signing of the agreement, notify AMCM and continue to manage and monitor outsourcing risks. LFIs shall discuss with AMCM in advance about their outsourcing plans on major business activities or functions, and make sure that the plans are in full compliance with the Guideline on Outsourcing. Outsourcing plans submitted to AMCM should generally include: (i) details of the outsourced activities or functions; (ii) reasons for outsourcing; (iii) details of service providers; and (iv) a description of the measures taken by the LFI to ensure its supervision and monitoring of the outsourced activities or functions. AMCM may further request LFIs to provide supplementary materials where necessary.

Are offshore outsourcing arrangements allowed?
The AMCM permits the outsourcing arrangement to an service provider outside Macau. LFIs should establish a comprehensive risk management frameworks with sufficient controls to manage relevant risks, and deal with country risks, information confidentiality, and AMCM's auditing right and right to access data. LFIs are also required, in accordance with provisions on cross-border data transfer in the PDPA, to obtain explicit authorization from customers and fulfill their duties to report to the GDPD.