Comment on the Proposed Cyber-security Legislation in Macau

Jason CHAO
Jason Chao’s Depository
Jan 11, 2018

The Public Consultation on Cybersecurity Law is proposing the establishment of a network security agency with vast new powers, known as the “Cybersecurity Incident Alert and Response Centre” (CARIC) and headed by the Judiciary Police (PJ). Upon scrutiny, I concluded that the proposed legislation might be seen as an attempt to authorise a legal framework for mass surveillance. Based on the Macau government’s poor record in transparency, accountability, and respect for the rule of law, I strongly oppose the proposal.

In the consultation paper, the government claims that the Cybersecurity Law “was conceived on the basis of three principles: 1. Ensuring people’s safety and respect for people’s privacy; 2. Legislative proportionality […]; 3. Simplicity and effectiveness of the institutional framework”. Paradoxically, proportionality and respect for privacy are not reflected at all in the proposal.

Section 4.2 proposes authorising the PJ to monitor live Internet data flow and packet characteristics to “prevent, detect and combat cyber-attacks and intrusions”. In effect, it is just another way of legalising the Macau government’s interception of Internet traffic. We must pay attention to the clause “to prevent … cyberattacks and intrusions” as a justified condition for intervention. Since choosing a time to apply preventive measures is highly discretionary, it should be interpreted as the power to intercept Internet traffic at any time.

Section 5.1 proposes mandatory background checks of persons in charge of critical infrastructures based on “qualification” and “professional experience” to be conducted by the PJ. The paper had a list of criteria for disqualification. However, whether the list is exhaustive or not is not specified. Moreover, there is no elaboration on “professional experience”. Any flexibility in interpreting “professional experience” and “proper qualification” granted to the authorities may open the door to highly subjective judgement based on personal relations and level of “cooperation”. Unless the criteria are all objectively measurable and may be reviewed by the court, it means that the PJ will have the power to veto any person appointed to run critical infrastructure.

Section 5.2 proposes that supervisory bodies may issue binding procedures, circulars and other instructions. The proposal provides no requirement for disclosure of these documents. These documents might open the door to new ways of abuse if the public could not check the binding advice made by the supervisory bodies.

Section 5.4 (1) proposes a power for the PJ to have access to the premises and the offices of the entities running a critical infrastructure to extract data in the name of “compliance review”. Such power will make surrendering data to the PJ a legal obligation. Under existing law, data seizures by the police authorities are subject to judicial review under the criminal justice system. This power will virtually strip the procedural safeguards against unjustified data collection by the PJ.

Nevertheless, except for the entities that surrender data to the PJ, affected parties are not guaranteed a right to know that data about them is being requested by the PJ for “preventive duties”. Legal remedies for the affected parties are virtually non-existent. On the part of the critical infrastructure, non-compliance carries a heavy administrative penalty.

Section 4.3(10) classifies radio stations and TV stations as “critical infrastructure” in the scope of monitoring. In conjunction with the obligations listed above, the PJ will have unimpeded access to the offices and network facilities of media organisations. Not only can this harm the confidentiality of journalists’ undisclosed sources, but it also gives police authorities room to interfere with published content. Such a level of access will take Macau a step closer to full dictatorship.

The proposal of mandatory real identity registration for network users appears “relatively insignificant”, in comparison to the new powers listed above. Still, it deserves no merit considering a weak civil society in the face of a government with strong surveillance capabilities.

The Personal Data Protection Office’s (GPDP) role in the public consultation is indeed shameful. Data protection laws were made based on the ideas of individual autonomy and freedom from government surveillance. Macau’s data protection law was modelled after the EU Directive 95/46/EC. And the EU data protection framework was heavily influenced by the federal data protection law enacted in West Germany in the 1970s. The underlying principle of data protection legislation is the individual right to self-determination. The GPDP’s lack of a genuine interest in protecting the citizens’ privacy has been manifested in cases like the 2014 Civil Referendum. The GPDP should critically review the proposed law rather than openly back the proposal in its entirety. Unfortunately, the GPDP seems more active in endorsing government surveillance.

A mere mention of “respect for privacy” in the consultation paper by no means reflects true respect for privacy. Without effective measures to defend people from the government’s abuse of power, any reference to “privacy” is no more than “lipstick on a pig”. Mentioning other countries as examples does not justify enhanced surveillance capabilities because of different political systems and realities. Officials and politicians in the West can be held criminally liable for having lied to the parliament. Government heads may be changed through free and fair elections.

The proposed Cybersecurity Law, if adopted, will accord strong protection to those in power rather than the general population. No mechanisms for public oversight and appeals are suggested in the consultation paper. A mere unilateral affirmation of respect for privacy by the PJ is hardly convincing, not to mention the PJ’s strong interest in intrusive and covert surveillance tools exposed by leaked emails of HackingTeam in 2015. Despite the inability of the public to obtain concrete evidence about clandestine phone tapping, the PJ’s interest in tools impermissible under Macau law has exhibited its strong intention to overstep into citizens’ private lives beyond its legal limits.

To conclude, the proposed Cybersecurity Law will indirectly give the PJ a broad range of new powers to achieve cyberespionage of the residents and visitors. It deserves no support unless it is rewritten to introduce mechanisms to prevent abuse, enhance transparency and allow judicial intervention.

11 January 2018

Jason CHAO

doctoral researcher, technologist and advocate of human rights / LGBT+ equality