The Cybersecurity Law No. 13/2019 (‘the Cybersecurity Law’) was published, on 24 June 2019, in the Official Gazette of the Macau Special Administrative Region. The Cybersecurity Law applies to public and private critical information infrastructure (‘CII’) operators and will regulate cybersecurity in Macau. In particular, the Cybersecurity Law defines ‘critical infrastructure’ as assets, networks and computer systems that, if disrupted, disclosed, suspended, or significantly slowed down, would potentially endanger public welfare, safety, or order. Moreover, the Cybersecurity Law notes that private CII operators include domestic or foreign companies qualified to conduct business in areas such as banking, finance, insurance, gambling, telecommunications, or healthcare, among other things.
Hugo Maia Bandeira and Tiago Assunção, Partner and Associate respectively at Manuela António, told DataGuidance by OneTrust, “The Cybersecurity Law will present unprecedented challenges to local and foreign industries in Macau. […] The Cybersecurity Law provides for three levels of supervision: the Commission for Cybersecurity […] will be responsible for defining the guidelines, objectives and strategies towards cybersecurity goals; […] the Cyber Security Incident Response and Response Center (‘CARIC’) […] is responsible for monitoring the computer data transmitted between the operators of CII networks and the internet (‘the Data Flow’); […] and the supervisory bodies shall be responsible for supervising private operators by areas of activity […] The composition, powers and mode of operation of all these entities, another concern raised in connection with the Cybersecurity Law, will be defined by the Chief Executive of Macau in complementary regulations, thus meaning that the real range of the Cybersecurity Law (and the competence of the new entities related thereto) shall only be fully comprehended when those regulatory pieces of legislation are enacted.”
The Cybersecurity Law will require private CII operators to establish internal cybersecurity management units, organise complaint mechanisms relating to cybersecurity, and designate a suitably qualified individual who can be contacted by CARIC as the principal in charge of cybersecurity. In addition, private CII operators will be obliged to carry out routine self-assessments and submit an annual report to the relevant supervisory authority.
Julia Herold, Partner at DSL Lawyers, told DataGuidance by OneTrust, “The Cybersecurity Law imposes a significant set of duties on the operators of CII. […] Telecommunications operators (‘telcos’) and Internet Service Providers (‘ISPs’) will be responsible for implementing a ‘real name’ registration system, including for prepaid SIM cards. […] These legal duties will likely imply an increase in costs and an administrative burden on telcos in Macau. […] [In addition,] the Cybersecurity Law does not expressly require a court order for the Data Flow to be examined, as CARIC may control in real-time the Data Flow and data transmission, including individuals’ private communications and online activities. The Cybersecurity Law will, however, be subject to the principles of the Penal Code No. 46/1995 under which a court order is required for obtaining information on private communications. The main focus is the analysis of the size of the Data Flow examined, without recording any data (as opposed to the Cybersecurity Law 2016, which came into force on 1 June 2017 (‘the Cybersecurity Law 2016’) in China that requires network operators to store select data).”
The Cybersecurity Law stipulates that private CII operators will report cybersecurity incidents to CARIC and relevant supervisory bodies, as well as immediately initiate a response to serious incidents. Furthermore, the Cybersecurity Law will require that private CII operators allow representatives of CARIC or supervisory bodies access to their networks and premises to the extent necessary to verify compliance with certain provisions.
Bandeira and Assunção further noted, “The Cybersecurity Law, although not publicly assumed, follows the trend imposed by the Cybersecurity Law 2016 in China, at least to a certain extent. The basic principles, duties and enforcement ideas are somewhat present. Nevertheless, the powers vested in the new regulatory supervisory entities are still less comprehensive than those existing in China. […] Whether the Cybersecurity Law will be a piece of legislation completely different and not integrated with the Cybersecurity Law 2016 in China is a reality that will only be assessed later.”
The Cybersecurity Law will come into force on 21 December 2019.
ANGUS YOUNG Junior Privacy Analyst