Concerns over the proposed intercept legislation in Macau

Jason CHAO
Nov 7, 2018 · 5 min read
Macau government officials presenting the consultation paper (Photo credit: the Macau SAR Government)

The following is a compilation of my opinions on the Macau government’s proposal to introduce a new law to enhance the police forces’ power to intercept communications, break encryptions and seize data.

The essence of the new powers

Since the publication of the consultation paper on wiretapping legislation published by the Macau government, the public discussion on the matter revolved around the adequacy in the safeguard against misuse. In my view, the proposed authorisation of new methods to seize data is the real “meat and potatoes” in the proposal. Also, the new obligations for the operators of websites and mobile apps will very likely lead to an impediment to the adoption of the latest privacy and security practices.

In section 3.1 (1) of the consultation paper, the Macau authorities are trying to solve the problem presented by locked and encrypted devices. According to the paper, those who own or in possession of the locked or encrypted devices may be compelled by court order to unlock or decrypt the data for the authorities. Whether or not defendants may be compelled to decrypt or unlock their electronic devices for extraction of evidence remains a controversial issue. There is no sign of a universal consensus on whether such orders would, or would not, violate the defendants’ “right to remain silent” in criminal proceedings.

In section 3.1 (2) of the consultation paper, the Macau authorities are proposing not only a penalty for those who refuse or delay the compliance with the order, but also the legitimisation of access to data and devices “by all technical means”, which inevitably invokes the notion of “hacking”, for the purpose of criminal investigations. It raises concerns over the legalisation of Macau police authorities’ possession and use of tools with intrusive hacking capabilities.

In section 3.2 of the consultation paper, the Macau authorities are proposing a new obligation for operators of websites and mobile applications (categorised as “provider of web communication services” in the paper) to retain user data for one year. According to the proposal, those who fail to comply with the requirement to keep the records would be liable to an administrative fine. In the wake of revelations of “weaponisation” of data in elections and data breaches, logging of user activities on websites and mobile applications now often carry a very negative connotation.

Especially, since the EU General Data Protection Regulation (GDPR) coming into effect, more and more web service providers are moving towards the “zero-knowledge” practice in the processing of user data. Against the background in which “no-logging” becoming a desirable practice in the design of web services, “mandatory logging” will present an impediment to the adoption of the latest security practices by operators of websites of mobile applications based in Macau.

“Civil law tradition” not an excuse to avoid public oversight

Regarding the press releases by the Judiciary Police of Macau (PJ) dated 07 and 09 October 2018 covering the incompatibility of the practice of publishing statistics on wire-tapping with Macau’s legal order, I would like to make the following statement.

Regarding the press releases by the Judiciary Police of Macau (PJ) dated 07 and 09 October 2018 covering the incompatibility of the practice of publishing statistics on wire-tapping with Macau’s legal order, I would like to make the following statement.

Before going into the question of wire-tapping statistics, I must remind the public of the history that the development of the Portuguese legal system was under heavy German influence since the early 20th century. The criminal procedural codes of Macau, Portugal and Germany may be considered as belonging to the same family. Similar to the flow-chart contained in PJ’s press release of 09 October 2018, under the German criminal justice system, lawful interception of telecommunication requires the approval of the court.

The German government is required to by law to publish the statistics on ordered interceptions of telecommunications every year. According to Section 100b (5) of the German Code of Criminal Procedure, the Federal Public Prosecution Office and the Länder shall submit a report on the orders to intercept communications to the Federal Office of Justice every year (by 30th June). The Federal Office of Justice then makes available a summary of the orders on the Internet. Therefore, the safeguard in Macau’s existing criminal procedural code and the fact that Macau’s legal order is of “civil law tradition” shall not constitute the argument against the call for the figures on telecommunication interception to be published.

Data retention law ruled invalid by ECJ for violating human rights

The Macau authorities continue proposing a legal requirement for telecommunication operators and web service providers to retain records of user activities. An administrative penalty of a fine up to five hundred thousand Macau Patacas is proposed for the entities that fail to comply with the data retention requirement. In the consultation paper, a provision from Portuguese law no. 32/2008 was included to give support the proposal. I must draw the public attention to the fact that the origin of Portuguese law no. 32/2008 has been declared invalid by the European Court of Justice (ECJ) in 2014 for violation of fundamental rights.

European legislation is one of the sources of laws for Portugal as a member of the European Union. Portuguese law no. 32/2008 is a product of the transposition of European Union (EU) Directive 2006/24/EC into the national law of Portugal. However, in 2014, the ECJ ruled that data retention requirement breached of the right to private life and the right to personal data protection thus nullified Directive 2006/24/EC.

The nullification meant that Directive 2006/24/EC would not be observed by all EU member states. Portuguese law no. 32/2008 survived merely a piece of domestic legislation yet did not go unchallenged in Portugal. The legal challenge to law no. 32/2008 reached the level of the Portuguese Constitutional Court in 2017. The Constitutional Court of Portugal did not see law no. 32/2008 “unconstitutional” and upheld its validity in Portugal.

The omission of key legal developments in the comparative law section in the consultation paper would mislead the public to believe that the data retention requirement was widely accepted. The fact is that requiring web service providers to retain user activities remains highly controversial.

I also regret that the Macau Office for Personal Data Protection (GPDP) backed the wiretapping consultation paper without critically examining the proposals contained therein in a view to protect Macau residents’ personal data and privacy. In line with my past criticism on the GPDP, the GPDP has exhibited the practice of cherry-picking fragments from EU documents to aid the suppression of civil rights and liberties in Macau, without regard for the protection of human rights as a founding principle of the EU legal order.

In the absence of Macau officials’ goodwill to improve transparency, a mere mention of respect for fundamental rights is utterly inadequate. In line with my previous comments on the proposed cybersecurity law, without a mechanism to allow for effective public oversight, the civil society actors in Macau should not cede an inch of the territory of protected communications to the Macau authorities.

Jason Chao’s Depository

The work and thoughts of Jason Chao

Jason CHAO

Written by

postgraduate student, software developer and advocate of human rights / LGBT+ equality

Jason Chao’s Depository

The work and thoughts of Jason Chao

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade