Amendments to Macau’s law combating cyber crime
Pedro Cortés
Rato, Ling, Lei & Cortés, Macau
cortes@lektou.com
Luís Machado
Rato, Ling, Lei & Cortés, Macau
machado@lektou.com
Introduction
Law No 11/2009 (Law on computer crime combat) was enacted on 6 July 2009 by the Legislative Assembly of the Macau Special Administrative Region (Macau SAR). Its main purpose is to regulate and define computer crime and to establish an electronic evidence collection regime.
The law was amended out of necessity, taking into account technological advances of the last decade coupled with new types of criminality associated with computer crime methodologies and the challenges this represents for law enforcement. As such, Law No 4/2020 was enacted on 27 April 2020 to amend Law No 11/2009. Such amendments bring new mechanisms which are more capable of tackling the ever-evolving computer crime modus operandi.
This law is divided into five chapters:
- general provisions (Articles 1 and 2) – providing the law's objectives and definitions;
- criminal provisions (Articles 3 to 13) – establishing which types of crimes are subject to criminal prosecution;
- criminal proceedings provisions (Articles 14 to 16) – providing the specific criminal proceedings’ framework regarding computer crime;
- administrative offence (Articles 16-A and 16-B) – the administrative offences set out in the law are punishable with fines ranging from MOP50,000 to MOP150,000 (approximately US$6,300-18,800); and
- final provisions (Articles 17 and 18) – a repeal of Article 213 of the Macau Penal Code and the date Law No 11/2009 comes into force.
Definitions
In order to correctly interpret Law No 11/2009, Article 2 sets out the following six definitions:
- Computer system
Any isolated device or group of interconnected or related devices, in which one or more of them develops, in execution of a program, the automated processing of computer data.
- Computer data
Any representation of facts, information or concepts in a form that can be processed in a computer system, including a program capable of causing a computer system to perform a function.
- Software
Instructions which, when contained in a medium which can be exploited in a computer system, are capable of allowing the computer system to indicate, perform or produce a specific function, task or result.
- Basic data relating to internet service subscribers
Information contained in the form of computer data or in any other form, held by an internet service provider and relating to its service subscribers, other than traffic data or computer data relating to the content of a communication or message. Such data makes it possible to determine the type of communication service used, the technical measures taken in that regard and the period of service, the identity, postal or home address and telephone number of the subscriber or any other contact number, billing and payment details, and any other information on the location of the communication equipment, available under a contract or service agreement.
- Traffic data
All computer data related to a communication carried out by means of a computer system, generated by that system as an element of a chain of communication, indicating the origin of the communication, the destination, the route, the time, the date, size, duration or type of underlying service.
- Electromagnetic emission
Signals or waves that are emitted by electronic components and wires carrying electronic signals.
Changes triggered by Law No 4/2020
Criminal provisions
Under the changes brought by Law No 4/2020, two new crimes have been ring-fenced: the use of a computer device to simulate a mobile telecoms service station (Article 9-A) and the illegitimate exposure of a serious computer security vulnerability (Article 9-B).
Article 9-A applies when, outside the legal conditions or contrary to the specifications of the competent authority, a perpetrator uses software in tandem with computer devices, associated with other instruments or apparatus, in order to simulate a mobile telecoms service station. These simulated mobile telecoms service stations pass themselves off as random telephone numbers in order to broadcast messages, and are usually used to disseminate advertising for illegal activities such as prostitution, illicit gambling loans and scams. This crime is punishable by a fine or imprisonment for up to three years. The attempt is also punishable whenever:
- the perpetrator has a profit-making intention;
- the perpetrator intends to prepare, facilitate or execute another crime; or
- the perpetrator’s conduct involves the transmission of any advertising banned by law or the dissemination of pornography, prostitution or illicit gambling content or any form of incitement of others to commit or consume such content.
The above are punishable with one to five-year prison sentences.
Article 9-B states that whoever, in the performance of their duties or because of them, becomes aware of a serious computer security vulnerability, even if temporary, and, with any illegitimate intent, discloses this fact to another in a manner appropriate to create danger of perpetrating the crimes provided for in this law, shall be punished by a fine or imprisonment of up to three years. A serious computer security vulnerability is construed as any weakness, shortcoming or inadequacy in the design, implementation or maintenance of the hardware or software supporting the operation of networks and computer systems that is likely to increase the chance of damages of considerable value to the respective user or owner when third parties take advantage of it.
The regime also saw changes in the aggravation of penalties (one third added to its original minimum and maximum limits) regarding crimes perpetrated against:
- The operators of critical infrastructures provided for in Law No 13/2019 (Cybersecurity Law).
- The institutions of the Central People's Government established in Macau, defined in Article 1 of Administrative Regulation No. 22/2000 as – (1) The Central People's Government Liaison Office in the Macau Special Administrative Region; and (2) The Office of the Commissioner of the Ministry of Foreign Affairs of the People’s Republic of China in the Macau Special Administrative Region.
- The People's Liberation Army Macau Garrison.
Another change introduced by Law No 4/2020 is contained in Article 12-A. It states that, except when the penalties are aggravated according to Article 12, the criminal procedures for the crimes provided for by Article 4(1) (Illegitimate access to a computer system), Article 5 (Illegal collection, use or disclosure of computer data), Article 7(1) and (2) (Damage to computer data) and Article 11(1) and (2) (Computer fraud) are dependent on a complaint.
On the gathering of cross-border digital evidence, Article 16(), (6) provides that, where there are reasonable grounds to believe that computer data is relevant to a criminal investigation, the competent judicial authority, which should where possible preside over the proceedings, may by order authorise or order the following measures:
‘…expeditiously extend the search or access in a similar manner to a differentiated part of the computer system targeted by the initial proceedings, or to another computer system, when they have reason to believe that the data sought is stored on that differentiated part or on that other computer system and the data is lawfully accessible or obtainable from the initial system.’
This is a much-needed change. In its previous version the law only provided for this type of search or access within the jurisdiction of Macau, unilaterally imposing a territorial restriction on itself that does not reflect current international standards. Under those standards, the judicial authority evaluates on a case-by-case basis whether conditions exist for the lawful collection of copies of computer data stored in a different jurisdiction, provided access relates to publicly accessible data or has the consent of the legally authorised person. Note, however, that the judicial authority still needs to rely on mechanisms of international cooperation in other instances. These are not always swift, as the processes are complex and time-consuming, and they sometimes even come at the cost of a successful investigation, where the relevant digital evidence is destroyed, lost or presented after a useful timeframe.
Administrative offences
Internet service providers are required to keep records for a year of private network address translations into public network addresses. Failure to do so constitutes an administrative offence, subject to fines ranging from MOP50,000 to MOP150,000.
The competent judicial authority may, when necessary, order the supply of these records, subject to the seizure measures set out in Article 15(1)–(4), which state that a computer system, computer storage medium and computer data may be seized, or a copy may be made of computer data which can serve as evidence. Any copy shall be made in duplicate, sealed and kept, in order to preserve the integrity of the stored computer data. The seal may only be removed when authorised or ordered by a court order and provided that there is reasonable doubt as to the authenticity of the copy made. Seal-removing proceedings will be subject to the provisions of Article 169 of the Criminal Procedure Code of Macau.
The Directorate for Post and Telecoms Services is the competent authority for the sanctioning procedures that apply to these administrative infringements.
Comment
The enactment of Law No 4/2020 has brought about changes necessary for tackling some loopholes in Law No 11/2009. These loopholes allowed for certain practices without criminal liability. The previous version of the law did not provide for the crime of use of a computer device to simulate a mobile telecoms service station, which meant the perpetrators would only be subject to an administrative offence under Article 26(1), (1) of the Administrative Regulation No 7/2002 (Operation of public telecoms network and provision of terrestrial public mobile telecoms services), with fines that would range from MOP120,000 to MOP1,000,000 as well as an immediate termination of the activity. It also did not provide for the crime of illegitimate exposure of a serious computer security vulnerability. As a result, the described legal framework did not provide an effective method for combating growing instances of these practices.
Another purpose of Law No 4/2020 is to provide a guarantee of coordination with the recently-approved Law No 13/2019 (Cybersecurity Law) in order to grant greater criminal protection to the operators of critical infrastructures, along with the institutions of the Central People’s Government established in Macau. Ultimately, citizens and tourists in Macau will benefit from these changes which aim to protect their privacy rights better, as well as to prevent them from falling prey to predatory harassment practices.