Cybersecurity Bill | Security, the key word


On 18th October of last year the Legislative Assembly approved the controversial Cybersecurity Law with three votes against: cast by Pereira Coutinho, Sulu Sou and Ng Kuok Cheong. Macau will have a Cybersecurity Bill this year but – unlike most laws passed in Macau – it will only reach the Official Gazette after much discussion. We present below the four most controversial points of the law 

Freedom of expression 

For the Macau authorities, the Cybersecurity Law seeks to protect the security of essential infrastructure networks without restricting, depriving or harming the freedom of expression of citizens.  

“Unless authorised by the judicial body, their services are prevented from interfering with any content on the network, and cannot decrypt content or expressions on the network,” says Secretary for Security Wong Sio Chak. 

But will this really be possible without undermining freedom of expression? 

Local political commentator Larry So Man Yum believes that from the perspective of preventing cyber attacks the government has legitimate reasons to float the bill although “it will inevitably affect the freedom of expression,” he told Macau Business. 

“The law of cybersecurity cannot call into question the freedom of expression,” says Catarina Guerra Gonçalves, the author of Transborder Data Flows and Macau SAR Data Protection Framework. “According to what I understand [the draft law] will use binary code, but this code can be easily transformed.” 

Unauthorised access to databases 

According to the MSAR Government, the content monitored is limited only to the instruction codes used in the computer system, and the Cybersecurity Law does not allow access to and reading of the content of citizens’ communications. Without authorisation from a judicial body the services are prevented from interfering with any content on the network, and cannot decrypt content or expressions on the network. 

Not everyone, however, shares this view. 

The Macau Civil Servants Association (ATFPM) sent a letter to the Secretary of Security stating that this law constitutes a “violation” of Article 32 of the Basic Law, “which does not allow interference and breach of residents of Macau, except in cases of need for public security or for investigation in criminal proceedings and without prior or post-control in cases of urgency and necessity by a judicial authority.” 

For ATFPM, the proposal should be amended to “prevent or avoid the danger of improper use of databases” to ensure “the security of essential computer networks used by public or private entities operating critical infrastructures” and finally to warn “when cybersecurity incidents cause damage or prejudice to the confidentiality, integrity and availability of personal data.” 

“When a cybersecurity law is established we have to make sure that this law is not created so that the police can monitor and monitor citizens’ personal data,” warns Ms. Gonçalves. 

‘Real-name system’ 

The sale of pre-paid SIM cards is rampant in Macau, mainly because of the tourists who choose to use local networks without having to resort to roaming, especially in the interior of China. 

But since several attacks in the last decade have used pre-paid SIM cards, some countries have opted to legislate for the obligation of buyers to identify themselves, as will happen in Macau. 

The Secretary of Security has already said that cards purchased before the entry into force of the new law will also be covered and that any pre-paid SIM card purchased before the enactment of the Cybersecurity Law would be deactivated if the user fails or refuses to verify his or her identification with the telecommunication service provider within 60 days of being notified. 

By contrast, Internet services such as 1-Card-2-Number Prepaid SIM Card – that can be used in the city but provided by operators outside the city – would not be regulated under the law. 

Co-ordination of Judiciary Police 

“The issue here is mainly on the border between access to computer data in the form of ‘machine language’ and the content of such data and communications. One can easily see the need to do so. What is not easily perceived is the attribution of the co-ordination role to a criminal police body, even by the nature of the subject matter and the admission by the tenderer itself that it is not intended to be a criminal offence, but only administrative offences,” we can read in a letter sent by the Macau Portuguese and English Press Association to Secretary Wong. 

In the same vein, the ATFPM proposes that if this activity is conducted by the Judiciary Police “it will always represent a violation of the freedom and confidentiality of the media of Macau residents.”