Macau | Data monitoring considered in Cybersecurity Law proposal goes against Macau Basic Law – ATFPM

Macau (MNA) – The Macau Civil Servants Association (ATFPM) issued a letter on Tuesday addressed to the Secretary for Security, Wong Sio Chak, stating the proposed monitoring by the Judiciary Police (PJ) of online data between public and private operators of critical infrastructures, included in the new Cybersecurity Law proposal is against the Macau SAR Basic Law.

The proposed law is currently under public consultation until January 24, suggesting that protection measures should be enforced in companies operating in sectors such as water and energy supply, financial systems, gaming, and health, in addition to any other sector considered to be crucial for the city.

Still according to the draft, a Permanent Committee for Cybersecurity (CPC) would be in charge of the monitoring activity, with the PJ appointed to create a special cybersecurity unit responsible for monitoring online data traffic in binary code, as well as keep track of and investigate eventual cyber attacks.

However, the ATFPM considers that even only involving binary code, the data monitoring is ‘arbitrary, disproportionate and illegal,’ running counter article 32 of the city’s Basic Law, which stipulates that ‘no public authority or individual may violate the freedom and confidentiality of the residents’ communications, for whatever reason,’ except in cases of necessary public security or criminal investigations conducted and authorised by local authorities.

According to the association, binary language ‘can easily be converted to comprehensive data,’ with the group considering further that the responsibility to monitor the data should only be in charge of the cybersecurity operators of critical infrastructures.

‘In accordance with international standards, monitoring of such data [by the authorities] should only be allowed after cyber attacks, in order to avoid spreading over critical city infrastructures, or in the following up of investigations,’ the release noted.

The association suggested three articles of the Cybersecurity Law be amended to avoid unauthorised access to sensible data from entities in sectors such as banking, health, and communications.

[Edited by Sheyla Zandonai]