Introduction

On 24 June 2019 the Legislative Assembly of the Macau Special Administrative Region (SAR) enacted the Cybersecurity Law (13/2019). Prior to this, no legislation covered cybersecurity issues in the Macau SAR. As such, this new law reflects the region's efforts to respond to the latest regulatory trends regarding privacy and security and establish a legal regime for such matters.

The main purpose of the Cybersecurity Law is to protect the networks, systems and data of critical infrastructure operators of the Macau SAR. The law comprises five chapters:

  • General provisions (Articles 1 to 5) – this chapter sets out the law's objectives, definitions and scope.
  • Institutional provisions (Articles 6 to 9) – this chapter establishes the following offices:
    • the Commission for Cybersecurity (CPC);
    • the Cybersecurity Alert and Response Centre (CARIC); and
    • various cybersecurity oversight entities.
  • Cybersecurity duties (Articles 10 to 14) – this chapter sets out the duties of both private and public critical infrastructure operators, such as those regarding governance and reporting.
  • Penalty framework (Articles 15 to 23) – the administrative offences set out in the law are punishable with fines ranging from MPtc50,000 to MPtc150,000 for less serious offences and MPtc150,000 to MPtc5 million for more severe offences, without prejudice to any other liability that may apply to the case.
  • Transitional and final provisions (Articles 24 to 28) – this chapter sets out the duties of internet service providers. For example, under the real-name system, operators must ask for genuine identification data when providing internet or telecoms services and pre-paid SIM cards must be re-registered using user identification or be suspended.

The law imposes several obligations on critical infrastructure operators, such as maintaining an adequate level of management and security for their information networks and implementing prevention and penalty mechanisms to ensure the law's enforcement.

Definitions

Article 2 of the Cybersecurity Law sets out all of the definitions necessary to interpret the law, including as follows:

  • 'Cybersecurity' is the permanent and multisector activity carried out by the Macau SAR with the aim of ensuring the normal functioning of the networks and computer systems used by critical infrastructure operators and the integrity, confidentiality and availability of computer data, preventing, in particular, such networks, systems and data from being compromised through unauthorised acts.
  • 'Critical infrastructure' comprises the assets, networks and computer systems relevant to the normal functioning of society, whose disruption, destruction, disclosure of data, suspension of operation or significant decrease in efficiency is likely to cause serious damage to public wellbeing, security or order or another particularly relevant public interest.
  • 'Critical infrastructure operators' are entities (public or private) that operate critical infrastructure and provide services relating thereto.
  • An 'unauthorised act' is the access, obtainment, use, availability, interception or damage of, or another type of interference with, a network or system or computer data to which the owner or other rights holders have not consented.
  • A 'cybersecurity incident' is any situation that constitutes an unauthorised act and, in general, any event with a real adverse effect on the security of computer networks, systems and data.
  • 'Network operators' are entities authorised to operate public fixed or mobile telecoms networks and provide internet access services (also known as 'internet service providers').

Regulatory oversight

The cybersecurity oversight system comprises the CPC, the CARIC and cybersecurity oversight entities. As such, it provides three levels of oversight, described below in decreasing order of importance.

The CPC is chaired by the chief executive and is responsible for:

  • developing cybersecurity guidelines, objectives and strategies;
  • supervising the activities of entities which operate within the cybersecurity framework; and
  • proposing that the government sign and review agreements, protocols or contracts with public or private entities from the Macau SAR or abroad which may help to improve Macau's cybersecurity standards.

The CARIC is a technical body specialised in issuing alerts on and responding to cybersecurity incidents. It is coordinated by the Judiciary Police and is responsible for:

  • centralising the receipt of information on cybersecurity incidents;
  • defining cybersecurity measures;
  • responding to cybersecurity incidents;
  • ensuring and promoting institutional cooperation;
  • classifying cybersecurity incidents;
  • tracking, in real time, computer data traffic and its characteristics between the networks of critical infrastructure operators and the Internet;
  • issuing alerts on cybersecurity incidents; and
  • providing technical support to supervisory entities.

Cybersecurity oversight entities are services and bodies of the public administration that are responsible for:

  • ensuring compliance with the Cybersecurity Law and the technical standards;
  • supervising the plans and actions of critical infrastructure operators with regard to cybersecurity; and
  • administering penalties as provided for in the law.

These latter powers are exercised by the Public Administration and Civil Service Bureau in relation to public operators of critical infrastructure, as well as by public entities designated by administrative regulations in relation to private critical infrastructure operators.

However, in regard to the composition, powers and mode of operation of the abovementioned entities, as well as the designation of supervisory entities and private operators of critical infrastructure, the chief executive of the Macau SAR can approve the complementary administrative regulations or external regulatory orders necessary for their implementation. This means that the full scope of the Cybersecurity Law will only become clear once these complementary regulations are approved.

Cybersecurity duties

Private critical infrastructure operators have various duties and obligations, including:

  • creating cybersecurity management units capable of implementing the respective internal protection measures;
  • providing cybersecurity management units with the appropriate human, financial and material resources;
  • designating the main party responsible for cybersecurity and their respective substitute (these must be suitable individuals with sufficient professional experience and their habitual residence in the Macau SAR);
  • ensuring that the main party responsible for cybersecurity and their substitute are permanently contactable by the CARIC; and
  • establishing complaint and reporting mechanisms relating to cybersecurity.

As for public critical infrastructure operators, their obligations include:

  • appointing a party responsible for cybersecurity from within the management and leadership staff;
  • obtaining adequate human, financial and material resources for the proper functioning of the respective cybersecurity management regime;
  • complying with and enforcing the duties provided for in the Cybersecurity Law – both internally and within the scope of public services, bodies and entities whose cybersecurity is their responsibility;
  • monitoring the execution of cybersecurity service contracts signed with private entities;
  • executing contracted cybersecurity services in case of non-compliance by private entities, without prejudice to the liability that may be attributed thereto; and
  • providing the support and collaboration needed to ensure positive cybersecurity management.

Penalties for infractions

Instances of non-compliance incur a penalty of up to MPtc5 million for the most serious offences and up to MPtc150,000 for less serious offences.

Other penalties may also be imposed, such as the loss of the right to contract in direct agreements or participate in public tenders to supply products to the government, or the loss of government subsidies, for up to two years.

Further, individuals who breach their respective duties may have their employment terminated or suspended or be subject to compulsory retirement.

Comment

The enactment of the Cybersecurity Law brought forth issues such as privacy and the risks of surveillance, which could affect freedom of expression, reporting and even business secrecy. However, Article 8(2) of the law specifies that the tracking of data is to be performed by the Judiciary Police and will exclusively concern so-called 'machine language'; computer data cannot be collected or decoded in any way.