Following in the footsteps of various countries around the world that have drafted legislation on cybersecurity, including the People’s Republic of China’s Cybersecurity Law that came into force on June 1st, 2017, Macau’s Legislative Assembly has recently approved its own draft law on cybersecurity (the “Cybersecurity Law”).
Based on the principles of national security, safeguarding the public interest and protecting legitimate rights and interests, the draft law offers a legal framework for the administration of cybersecurity in Macau. It should be read together with the Cybercrime Law enacted in 2009 (Law 11/2009/M), which sets out the types of cybercrimes and the respective applicable penalties.
The draft law applies directly to the public sector’s networks and data systems as well as to private entities that operate critical infrastructures in Macau, such as transportation, telecommunication, banking and insurance, medical affairs, electricity and water supply, in order to protect and maintain the integrity and security of data and information systems and networks.
A set of special duties to ensure cybersecurity lies with the entities that operate critical infrastructures. These duties essentially entail: duties of cybersecurity management, including setting up the respective management structures and appointing a manager in charge of implementing the necessary and relevant measures, as well as duties of observation and supervision, of reporting incidents, of responding to complaints and of cooperating with supervisory and regulatory authorities.
It should be noted that the appointed manager for cybersecurity must be a suitable professional with a certain background and experience and must be a Macau resident, for reasons of proximity and accessibility to the cybersecurity supervisory entities in Macau.
In this respect, the Cybersecurity Law intends to create a specific entity, the CARIC (“Cybersecurity Incidents Alert and Response Centre”), under the coordination of the Macau Judiciary Police. The CARIC is to function as a receiving centre for all incidents, to coordinate measures and responses with all other relevant entities, and to supervise and monitor data flow and data transmission as well as examine the data’s specificities in order to prevent and detect cybercrimes.
Under the envisaged law, the applicable penalties for infringements of the cybersecurity duties set out for entities operating critical infrastructures consist of fines from MOP50,000 to MOP5,000,000 as well as additional sanctions, such as a bar on participating in public tenders for the acquisition of goods or services by public authorities, or the suspension of benefits or financial aid. Moreover, the draft provides that entities operating critical infrastructures will be directly liable for infringements, regardless of whether they have outsourced their cybersecurity to third parties. In addition, it should be noted that liability does not depend on the actual identification of the person responsible for the infringement.
However, the authorities may decide to notify the entity and offer it the possibility of remedying the infringement within a certain period of time, unless (i) the situation constitutes a substantial cybersecurity threat, or (ii) the operator has been punished for an administrative offense of identical nature less than a year before the infringement.
In light of the above, entities operating critical infrastructures in Macau are expected to become aware of this draft law, and of their duties in particular, and, in anticipation of its publication, to start making the necessary internal adjustments and implementing relevant cybersecurity measures.