Cybersecurity: Bouquets . . . and brickbats

The people of Macau want a law to combat cybercrime. The government has one ready. There are still some doubts. But there is a certainty right now: buying prepaid GSM cards will no longer be as easy.

Two well-known MSAR lawyers, specialists in telecommunications, talking to Macau Business, have expressed reservations about the proposed Cybersecurity Law. 

Despite what Security Secretary Wong Sio Chak promised a year ago (“Unless authorised by the courts, its services are prevented from interfering with any content on the network, and cannot decrypt the content or the expressions in the network”), José Filipe Salreta understands that “the critical point of the Cybersecurity Law will be access to the personal or private data of residents. As in other jurisdictions, the core of the issue is to ensure that entities responsible for preventing cyberattacks will limit their analysis to data streams (metadata) on Macau networks, excluding the analysis of personal data as defined by the law on the Protection of Personal Data,” he says. 

The reading of the Public Consultation Report of the new law has raised doubts in the mind of this lawyer from the firm Lektou; namely, regarding the entities who can assent to the consultation of data. “The new Cybersecurity Law should, therefore, clarify this point,” says Salreta. “Otherwise, we will see these supervised entities having personal data without the proper authorisation of their owners.” 

Julia Herold, of DSL Lawyers, does not “think that the law will directly restrict people’s freedom of speech or introduce censorship of online activities (at least according to what the government has disclosed in the consultation paper).”  

Nevertheless, “there are some concerns regarding the definition of ‘Critical Infrastructure Operators,’ which includes a variety of private sector entities (such as network operators, public utility operators, banks, gaming operators, etc.), which will be subject to government supervision on compliance with cybersecurity ‘duties’.”  

“The new Cybersecurity Law should, therefore, clarify this point [which entities can assent to the consultation of data] otherwise we will see these supervised entities having personal data without the proper authorisation of their owners” – José Filipe Salreta

Ms. Herold underlines the “duty to provide the supervisory entities with any requested information in case of an investigation into a ‘cybersecurity incident’ (defined as any incident that ‘may cause or has caused damage to the networks’ operation or to the confidentiality, integrity and availability of the networks’ data’) without mentioning the need for a court order, which could have implications for people’s rights to privacy and possibly open a door to government monitoring of their online activities.” 

These doubts join a long list of criticism that the proposed Cybersecurity Law has attracted since it was presented for public discussion last year. Criticism, however, is not shared by the overwhelming majority of residents who participated in the public consultation at the end of 2017: more than 80 per cent of people consider it ‘urgent’ to set up a computer network security system. 

Specifically, according to the final report published two months ago by the government, ‘more than 87 per cent of the views of both sectors and the public consider that it is necessary and urgent to establish a cybersecurity protection territory.’ 

Similarly, the conclusions of the last Internet Usage Trends in Macau (2018): ‘Only 39 per cent of users evaluated the Internet privacy in Macau as ‘safe’ while 48 per cent regard it as ‘unsafe’. This means that the rate of users who are worried about Internet privacy in Macau is relatively high.’ 

The government promises to submit the bill later this year to the Legislative Assembly. 

‘Real names’ on prepaid GSM cards 

The overwhelming majority of the provisions of the law will not affect the daily life of Macau residents and tourists but there is at least one change that promises to be revolutionary: whoever buys a stored-value GSM card in Macau will have to provide identification, from his or her identity card or passport. In addition, any pre-paid SIM card which was purchased before the enactment of the Cybersecurity Law will be deactivated if the user fails or refuses to verify his or her identification with the telecommunications service provider within 60 days of being notified. 

Only prepaid cards purchased outside of Macau are excluded, such as 1-Card-2-Number Prepaid SIM Card, but in return the use of public Internet networks will require that identification data be provided regardless of whether the user is a local or a tourist. Among the data required for access – for example, to WiFi Go – is the identity or residence card number. 

According to the government, this law intends to apply in Macau “what is already a worldwide practice, namely in the European Union” – that is, the acquisition of identification data (Real Name System) in the acquisition of mobile phone cards and Internet access.  

“Anti-terrorist measures, following the attacks in Madrid (2004) and London (2005), forced a greater traceability of those who use an SIM card, mobile phone, which proved to be a fundamental element in police investigations,” explained António de Jesus Pedro, an advisor in the Cabinet of the Secretary for Security.