Macau | Cybersecurity Law draft bill approved by Legislative Assembly

Macau (MNA) – The Legislative Assembly (AL) has approved a proposed Cybersecurity Law draft bill on Thursday, with legislators again voicing concerns over feared unapproved access to confidential information by local authorities.

Of the 30 legislators present upon voting, 27 voted in favour of passing the bill to committee evaluation with three voting against, anmeelly legislators Sulu Sou Ka Hou, Jose Pereira Coutinho and Ng Kuok Cheong.

“This cybersecurity proposal increases the security powers. With this increase, people don’t know how the government will access these data. After a request all information can be accessed, its an increase of power, it will cover telecom companies, it will impact or pressure people’s liberties,” legislator Ng Kuok Cheong said.

Secretary for Security, Wong Sio Chak, again maintained that government monitoring of communications networks would be limited to the critical infrastructure entities stipulated in the bill; only in cases those entities have been the target of cyberattacks and with the specific content of the data not accessed.

According to the proposed law, private and public companies and entities operating in crucial sectors – including internet, media and communication operators, water and energy supply, banking, financial systems and gaming – would be mandated to enforce cybersecurity measures.

These entities would also have to allow the future Cybersecurity Incident Alert and Response Centre (CARIC) to dispatch teams to assess if these entities have enforced the proposed measures or if there are signs a cybersecurity breach has or could occur, and provide data records to the CARIC teams.

Of course if there are requests, access of these data can be made so we can understand the worries of the population by public authorities. We need to know how oversight will be made. CARIC can intervene in private entities, will there be possibilities to access private data?,” legislator Sulu Sou indicated.

According to a government responsible for IT equipment present at the plenary session, residents personal communications content could only be accessible after data reconstruction, something that would follow under the proposed communications interception bill.

“We only see the water flux data but not the color of the water,” the government IT official indicated.

The Secretary for Security again underlined that operators and critical entities would have the responsibility to enforce cybersecurity measures and cooperate with authorities in case a cyberattack takes place.

These duties include having a designated local resident responsible for cybersecurity who needs to to be accessible for authorities in case of an attack and allowing a CARIC team for oversight in case of attack.

However the Secretary underlined that authorities wouldn’t have direct access to confidential data, with a judicial order need for access, with the operators being able to refuse access requests by authorities they deemed unauthorised.

Meanwhile the Secretary for Security admitted there was a current lack of human resources when it came to IT professionals at government level that needed to be improved.

“Training qualified personnel is a problem, theres not a lot of people in Macau trained in this area […] Banking and other entities have these capacities but in government we have a large lack of the personnel, that’s why we have to bet in training. We’re creating a specific career for such expert and, there will be and administrative regulation to define these functions,” he added.