Macau, an autonomous urban region on the south coast of China, is currently developing a Cybersecurity Law based on a public consultation that took place in December 2017.
Political critics have noted that the current proposal does not sufficiently protect citizens’ privacy, but does provide a legal framework for mass surveillance.
As a former Portuguese colony, Macau unified with China in 1999 but maintained a high degree of autonomy as a special administrative region (similar to Hong Kong) with its own constitution known as the “Basic Law” written under the principle of “One Country Two Systems.”
Macau's 2009 National Security Law criminalized seditious acts, including certain types of speech. The city is now en route to reviewing the proposed Cybersecurity Law. A long political “watch list” of individuals who have spoken out for democracy in Hong Kong have been labelled as “threat” to the city's stability and banned from entering Macau during sensitive periods, such as during mainland Chinese state leaders’ visits or election campaign month.
On December 11, 2017 the Macanese government initiated a 45-day public consultation on the proposed Cybersecurity Law. Commercial sector leaders and ordinary citizens are invited to submit their opinions in written form.
Under the proposed law, telecommunication operators and internet service providers (ISPs) would be responsible for implementing a “real name” registration system, including prepaid Subscriber Identity Module (SIM) cards. It also mandates that ISPs retain their users’ online activity logs for at least one year.
Under the current proposal, the law would authorize the establishment of a cybersecurity standing committee and a cybersecurity incident alert system, as well as an emergency center intended to deal with any cybersecurity threats. The committee will be authorized to monitor online data traffic in binary code, as well as keep track of and investigate future cyber attacks.
The document also proposes that companies operating in 11 crucial sectors would enforce protection measures, including internet operators and mass media, water and energy supply, financial systems, gaming, and health, among others, according to Consultation Document (CD) 4.2. These sectors would be under the supervision of related government departments and authorities. For example, the Macau Monetary Authority upon receiving instruction from the cybersecurity emergency center would be responsible for overseeing the implementation of measures in the banking and financial systems.
Officers from the cybersecurity emergency center would be guaranteed the right to enter the offices and facilities of internet service operators (in both the private and public sector) for inspection. Operators would be required to fulfill all reasonable requests of the officers and to follow any instructions they issue on the maintenance of their communication networks (CD 5.2).
When hiring for key positions, operators within these sectors would be required to consult with law enforcement authorities on candidates’ backgrounds (CD 5.1), giving unrestrained power to the police.
Penalties for operators that do not comply with the law could be as high as 500 million MOP (Macanese Patacas) or approximately USD $62 million.
Cyber security or mass surveillance?
Wong Sio Chak, Secretary for Security, stressed that the authorities would not monitor individual online activities or restrict freedom of speech enjoyed by Macau's residents. But citizens are worried.
The Macau Civil Servants Association (MCSA) issued an open letter raising the concern that monitoring and tracking online data through the binary code is “arbitrary, disproportionate and illegal.”
According to Article 32 of Macau's constitution, “no public authority or individual may violate the freedom and confidentiality of the residents’ communications, for whatever reason” except in cases of necessary public security or criminal investigations conducted and authorized by local authorities.
The MCSA pointed out that binary code “can easily be converted to comprehensive data” and hence should not be monitored by the authorities unless there is a real threat:
In accordance with international standards, monitoring of such data [by the authorities] should only be allowed after cyber attacks, in order to avoid spreading over critical city infrastructures, or in the following up of investigations.
It further argues that the responsibility to monitor data should only be relegated to individual cybersecurity operators of critical infrastructures rather than through a centralized system.
New Macau Society also criticized that the proposal for being draconian as it only stressed the responsibility of citizens and business sectors while it had not defined any mechanisms for the public to monitor and counterbalance the power of cybersecurity police to prevent abusive act.
Political activist Jason Chao believes that once enacted, the Cybersecurity Law would authorize a “legal framework for mass surveillance.”
Chao points out that by authorizing cybersecurity police to monitor internet binary codes, data flow and data package formats, police will have excessive power to intercept communication data.
Chao believes that further extending police power may undermine reporters’ privileges regarding the protection of information sources, pointing out that media outlets are defined as one of the 11 critical infrastructures.
As a tourist city, Macau has issued 1.38 million prepaid SIM cards sold in vending machines and convenience stores. With the implementation of real-name registration legislation, tourists would have to register their identity when purchasing a SIM card. Chao stresses that the new law would not only affect Macau local residents but tourists as well.
After the consultation process is complete, the government will draft a bill for further deliberation in the legislature.