Cybersecurity draft law approved by Macau Legislative Assembly

Following in the steps of various countries around the world that have drafted legislation on cybersecurity - including the People’s Republic of China’s Cybersecurity Law that came into force on June 1st, 2017 – the Macau’s Legislative Assembly has recently approved its own draft law on cybersecurity (the “Cybersecurity Law”).

December 04,2018

by: Joana Coimbra de Almeida

Based on principles of national security, safeguard of public interest and the protection of legitimate rights and interests, the draft law offers a legal framework on the administration of cybersecurity in Macau that should be explored in correlation with the Cybercrime Law enacted in 2009 (Law 11/2009/M) that has set out the types of cybercrimes and respective applicable penalties.

The direct scope of applicability of the draft law falls over the public sectors’ networks and data systems as well as over the private entities that operate critical infrastructures in Macau such as transportation, telecommunication, banking and insurance, medical affairs, electricity and water supply, in order to protect and maintain the integrity and security of data and information systems and networks.

A set of special duties ensure cybersecurity lies with the entities that operate critical infrastructures. This set of duties essentially entails:  duties of management of cybersecurity, including the setting up of the respective management structures and the appointment of a manager in charge of implementing the necessary and relevant measures as well as duties of observation and supervision, of reporting incidents, responding to complaints and cooperating with supervisory and regulatory authorities.

It should be noted that the appointed manager for cybersecurity must be a suitable professional with a certain background and experience and a Macau resident, for reasons of proximity and accessibility with the cybersecurity supervisory entities in Macau.

In this respect, the Cybersecurity Law intends to create a specific entity entitled the CARIC (“Cybersecurity Incidents Alert and Response Centre”), under the coordination of the Macau Judiciary Police, to function as a receiving centre of all incidents, to coordinate measures and responses with all other relevant entities and to supervise and monitor the data flow and data transmission as well as examine the data’s specificities in order to prevent and detect cybercrimes.

Under the envisaged law, the applicable penalties for infringements to the cybersecurity duties set out for entities operating critical infrastructures consist of fines from MOP50,000 to MOP5,000,000 as well as additional sanctions, such as the inhibition of participating in public tenders for the acquisition of goods or services by public authorities; or the suspension of benefits or financial aids. Moreover, it is set forth that the entities operating critical infrastructures will be directly liable for infringements, regardless of whether they have outsourced their cybersecurity to third parties. In addition, it should be noted that liability does not depend on the effective identification of the responsible person for the infringement.

However, the authorities may decide to notify the entity to offer the possibility of remediation of the infringement within a certain period of time, unless (i) the situation consubstantiates a substantial cybersecurity threat, or (ii) in case the operator has been punished for an administrative offense of identical nature less than a year before the infringement.

In light of the above, it is expected that entities operating critical infrastructures in Macau become aware of this draft law and their duties in particular and, in anticipation to its publication, start making the necessary internal adjustments and implementing relevant measures regarding cybersecurity.


Releated Stories
September 23, 2020 -

[UPDATED] Update of the Macau Insurance Companies Ordinance

by António Isóo de Azeredo (Senior Associate Lawyer) and José J. Rodrigues (Jurist) Around one year ago,  we shared an overview of what was, at the t...

February 20, 2020 -

The new Guideline on Cybersecurity for the Insurance Sector

by António Isóo de Azeredo and José Rodrigues The Macau Monetary Authority (AMCM) recently issued a new Guideline on Cybersecurity for the insurance ...

October 31, 2019 -

Who will be impacted by Macau’s new plastic bag law?

by: João Nogueira Marques and José Rodrigues This Law aims to reduce the negative impact of plastic bags on the environment and will apply to sales b...

September 26, 2019 -

New Regime on the Trade of Rough Diamonds in Macau

by: Nuno Sardinha da Mata & Gonçalo Figueiredo The KPCS was established in 2003 after the United Nations General Assembly Resolution A/RES/55/56 ...

September 11, 2019 -

Update of the Macau Insurance Companies Ordinance

by António Isóo de Azeredo and José J. Rodrigues Applicable since September 1997, MICO has been effective in facing the challenges and rapid evolutio...

August 19, 2019 -

Running a business in Macau

by: Vera Bastos Macau is known for its multiculturality and diversity – and this uniqueness is also reflected in the legal system. From the very begi...