Macau: What does the Cybersecurity Law entail and how will it be received?
On 24 June 2019, the Macau Special Administrative Region ('SAR') enacted its Cybersecurity Law ('the Law'). Whilst this has not been publicly acknowledged, the Law follows, to a certain extent, the model set by the Cybersecurity Law of the People's Republic of China ('the PRC Law'). Hugo Maia Bandeira and Tiago Assunção, from Manuela António, provide a general overview of the Law and of the impact it will have on those conducting business in Macau.
Cybersecurity is a worldwide hot topic nowadays, so it is no surprise that a growing number of countries are adopting laws to regulate the matter.
The basic principles, duties and enforcement ideas of the PRC Law are present to some degree in the Law; nevertheless, the powers vested in the new regulatory supervising entities are less comprehensive than those existing under the PRC Law.
As the Law is Macau's first comprehensive body of rules on privacy and security in cyberspace, the challenges its enforcement will pose are yet to be fully discovered, particularly in how it interacts with the existing Personal Data Protection Act (Act 8/2005) ('the Act').
Nevertheless, despite the Law having been approved amidst some criticism and concerns regarding potential violations of basic freedoms, it will only come into effect on 21 December 2019, and so the belief is that there will be enough time to produce a set of complementary regulations to quell concerns around its implementation and enforcement.
At this stage, it is clear that, while regulation to prevent failures of critical infrastructure that would affect Macau's security and economy is necessary, the potential reach of the Law and the duties imposed on operators of critical infrastructure mean that this new piece of legislation will present unprecedented challenges to local people, as well as to local and foreign businesses in Macau.
General overview of the Law
The Law is intended to establish and regulate Macau's cybersecurity system, and aims to protect the networks, systems and computer data of operators of critical infrastructure.
It provides for three levels of supervision:
- the Commission for Cybersecurity ('CPC') at a first level;
- the Cybersecurity Incident Alert and Response Center ('CARIC') at an intermediate level; and
- supervisory bodies, as the final level.
The CPC is the top political body, chaired by the Chief Executive of Macau, and will be responsible for defining the guidelines, objectives and strategies towards cybersecurity goals, as well as for proposing and negotiating agreements and protocols that may be deemed necessary to guarantee Macau's cybersecurity with local and foreign public and private entities.
CARIC, a specialised structure for the prevention and handling of cybersecurity incidents, shall be coordinated by the Judiciary Police and is responsible for monitoring the computer data transmitted between the networks of critical infrastructure operators and the internet. CARIC aims to prevent, detect and fight cybersecurity incidents.
Finally, the supervisory bodies shall be responsible for overseeing private operators within their respective areas of activity; for example, the Monetary Authority of Macau will inspect banks, the Macau Health Bureau will inspect private hospitals, and so on.
The composition, powers and mode of operation of all these entities will be defined by the Chief Executive in complementary regulation, which means that the real reach of the Law, and the competence of the new entities created under it, will only be fully understood once those regulations are enacted.
Subjective scope: Critical infrastructure operators
The Law applies to both public and private operators of critical infrastructure that use computer networks or systems. The former generally include the offices of the Chief Executive and of other holders of political and judicial office, as well as Macau's public services and agencies. The latter include all private entities, with or without a registered address in Macau, that are authorised to conduct business in Macau in certain key areas, which include, amongst others:
- banking, insurance and finance activity;
- healthcare services;
- gaming concessionaires;
- media, that are not exclusively aimed at broadcasting entertainment contents; and
What are the duties imposed by the Law?
Amongst the vast set of duties that the Law imposes, such as organisational, procedural, preventive and reactive duties, self-assessment and reporting duties, and duties of cooperation, the most noteworthy are as follows:
- allowing representatives of CARIC, or of the supervisory bodies, to access networks without any prior judicial decision authorising such access;
- appointing a person in charge of cybersecurity, and a deputy, who shall be in constant contact with the regulatory supervising entities and are subject to a prior probity check;
- approving an internal cybersecurity plan and procedural guide aimed at the prevention, monitoring, reporting and response to cybersecurity incidents;
- regularly assessing the security of, and the existing risks to, networks and systems;
- submitting a yearly cybersecurity report listing, inter alia, the cybersecurity incidents that occurred and the measures adopted to prevent new incidents;
- network operators registering the identity of users of pre-paid SIM cards acquired before the enactment of the Law, or otherwise suspending service to those SIM cards;
- network operators verifying and registering the identity of clients upon the execution of agreements for the provision of internet access services, the registration of domain names, or public fixed or mobile telecommunications services; and
- internet service providers retaining, for one year, the network address translation (NAT) records mapping private network addresses to public network addresses.
Needless to say, the aforementioned duties will certainly bring implementation and maintenance costs to each of the entities covered by the Law, although, again, the full extent of such costs is still to be assessed, pending further regulation under the Law.
Infringements and sanctions
As for penalties, those in breach of the Law may be fined up to MOP 5 Million (approx. €550,000).
Other ancillary penalties may also be imposed on those in breach, such as the loss of the right to supply products to the Government or to receive Government subsidies for a period of up to two years.
In addition, individuals in breach of preventive, reactive or procedural duties may have their employment suspended or terminated, or be subject to compulsory retirement.
Concerns raised with the implementation of the Law
The major concern lies in the authority granted to CARIC, which is coordinated by the Judiciary Police, to conduct real-time monitoring of the computer data transmitted between the networks of critical infrastructure operators and the internet.
Considering that operators of telecommunications infrastructure are subject to the Law, this provision has raised fears that it opens the door to real-time monitoring of virtually every person and entity in Macau.
In addition, the Law does not appear to provide any oversight mechanism for CARIC's actions, e.g. when monitoring data and accessing the premises and networks of critical infrastructure operators, which again raises the concern of unsupervised police action in extremely sensitive areas of Macau's economy, as well as of unwarranted interference with citizens' privacy and personal data.
Without a dedicated oversight mechanism, citizens and companies will have to rely on existing channels, such as:
- the Office for Personal Data Protection;
- the Commission Against Corruption;
- the Public Prosecutors Office; and
- Macau's Courts.
These existing channels also entail an additional degree of uncertainty and a long wait before a final decision on a claim is obtained.
Finally, the requirement that the identity of all SIM card owners be registered has also drawn criticism over the abuses that such a provision may enable.
In any case, the Government has consistently maintained that it will only analyse the flow of computer data, meaning that, according to the Government, the data itself will not be decoded, nor will freedom of expression, economic freedom or intellectual property rights be affected.
In summary, in a world where cyber risks are a constant threat, there is definitely a need to implement a cybersecurity legal framework and to impose special duties of care on certain industries. However, only time will tell whether the Law will serve its legitimate purposes or whether it will lead to abuse.