We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
21 February 2020
On 24 June 2019 the Legislative Assembly of the Macau Special Administrative Region (SAR) enacted the Cybersecurity Law (13/2019). Prior to this, no legislation covered cybersecurity issues in the Macau SAR. As such, this new law reflects the region's efforts to respond to the latest regulatory trends regarding privacy and security and establish a legal regime for such matters.
The main purpose of the Cybersecurity Law is to protect the networks, systems and data of critical infrastructure operators of the Macau SAR. The law comprises five chapters:
The law imposes several obligations on critical infrastructure operators, such as maintaining an adequate level of management and security for their information networks and implementing prevention and penalty mechanisms to ensure the law's enforcement.
Article 2 of the Cybersecurity Law sets out all of the definitions necessary to interpret the law, including as follows:
The cybersecurity oversight system comprises the CPC, the CARIC and cybersecurity oversight entities. As such, it provides three levels of oversight in decreasing order of importance (as follows).
The CPC is chaired by the chief executive and is responsible for:
The CARIC is a technical body specialised in issuing alerts on and responding to cybersecurity incidents. It is coordinated by the Judiciary Police and is responsible for:
Cybersecurity oversight entities are services and bodies of the public administration that are responsible for:
These latter powers are exercised by the Public Administration and Civil Service Bureau in relation to public operators of critical infrastructure, as well as by public entities designated by administrative regulations in relation to private critical infrastructure operators.
However, in regard to the composition, powers and mode of operation of the abovementioned entities, as well as the designation of supervisory entities and private operators of critical infrastructure, the chief executive of the Macau SAR can approve complementary administrative regulations or external regulatory orders that may be necessary for these implementations. This means that the full scope of the Cybersecurity Law needs to be widened.
Private critical infrastructure operators have various duties and obligations, including:
As for public operators of critical infrastructures, their obligations include:
Instances of non-compliance incur a penalty of up to MPtc5 million for the most serious offences and up to MPtc150,000 for less serious offences.
Other penalties may also be imposed, such as the loss of the right to contract in direct agreements or participate in public tenders to supply products to the government, or the loss of government subsidies, for up to two years.
Further, individuals who breach their respective duties may have their employment terminated or suspended or be subject to compulsory retirement.
The enactment of the Cybersecurity Law brought forth issues such as privacy and the risks of surveillance, which could affect freedom of expression, reporting and even business secrecy. However, Article 8(2) of the law specifies that the tracking of data is to be performed by the Judiciary Police and will exclusively concern so-called 'machine language', as computer data cannot be collected or decoded in any way.
For further information on this topic please contact Pedro Cortés or Luís Machado at Rato, Ling, Lei & Cortés Advogados by telephone (+853 2856 2322) or email (firstname.lastname@example.org or email@example.com). The Rato, Ling, Lei & Cortés Advogados website can be accessed at www.lektou.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.