Cybersecurity laws in Hong Kong

Cybersecurity law is not a single, unified topic. However, cybersecurity has been at the forefront of a large number of important legal topics in recent years: cybercrime, which regularly makes the news in Hong Kong, and data protection and privacy, which the Hong Kong government is planning on strengthening in the near future.

Cybersecurity laws are concerned with cybersecurity, the measures taken to protect a computer or a system against any unauthorised use, entry or attack.

Since it is made up of a number of laws, one of the ways to classify cybersecurity laws is by looking at who is affected by them. In this article, we will consider recent news and debates in relation to cybersecurity laws, from the perspective of citizens, companies, and the government.

For people living in Hong Kong, there rarely goes a week without a news report of online fraud or hacking. The typical scheme involves online romance scams, or phone scams targeting unsuspecting Mainland students, who fall prey to criminals by transferring money to someone’s account, believing for instance that they are the subject of an investigation. Once transferred, the money is generally very difficult to trace and to recover, since the culprits often operate from overseas. However, when the money is first to a Hong Kong bank account, the police have sometimes managed to act quickly enough to prevent or limit the loss of property. Most of these crimes are committed over the phone, and do not concern cybersecurity. But in some cases, attempts to induce someone to transfer money is done through cybersecurity breaches and attacks, for instance by first accessing a first person’s mailbox, before using the first victim’s mailbox to email a contact, thus increasing the chances that the second victim will be induced to transfer money to the scammers.

In other cases, cryptocurrency exchanges were targeted by hackers, with Bitfinex losing the equivalent then of USD 72 million in an intrusion a few years ago, the largest ever property loss in a hacking case in Hong Kong.

For these victims, the chances of recovering the lost property are slim: investigations typically struggle to get past a territory’s borders, and Hong Kong is no exception. In addition, the Hong Kong legal framework to deal with cybercrime is fairly simplistic, and not always useful in capturing the behaviour of modern online criminals. Section 161 of the Crimes Ordinance[1] deals with access to a computer with a criminal or dishonest intent. It makes it an offence to “obtain access to a computer” (which potentially covers hacking, but also, for instance, using the laptop or smartphone of someone who left it unattended), with intent to commit an offence, with a dishonest intent to deceive, with a view to dishonest gain for himself or another, or with a dishonest intent to cause loss to another. Section 161 constitutes the only real cybercrime statutory provision in Hong Kong. The legislator’s choice of making the act of accessing someone’s computer a crime in itself, rather than defining cybercrime (for instance, cyber fraud) as a type of crime in itself is interesting. This contrasts with the United States for instance, where Congress enacted Section 1343, also known as “the wire fraud statute”.[2] In Hong Kong, hacking into someone’s computer to steal that person’s bank account information, to then use it to transfer money out of the victim’s bank account, constitutes two crimes: first, the hacking in itself, punished by Section 161, and then the transfer of money, which is potentially theft under the Theft Ordinance.[3] For investigators and enforcers, this presents a challenge: to bring the entire criminal act to court, they must prove two crimes beyond reasonable doubt. Since Section 161 is punished by 5 years in jail, and theft by 10 years, it is likely that prosecutors will focus their resources on proving theft, which carries a heavier sentence, if they cannot convince the court to impose consecutive sentences.

Incidentally, the Court of Final Appeal confirmed in a recent case that Section 161 does not apply to a person’s use of his or her computer.[4] Until this recent case, the authorities had relied extensively on Section 161 as a “catch-all” offence for many crimes committed on a computer or a smartphone, such as secretly taking intimate pictures of an individual, or, as in the case in question, teachers disclosing exam questions via their mobile phones and a school computer. Section 161 has thus been firmly redefined as what the legislator has always intended it to be: a tool against cybercrime.

The second aspect of cybersecurity of interest to the public is data protection and privacy. In Hong Kong, this is ruled by the Personal Data (Privacy) Ordinance (“PDPO”).[5] It defines personal data as “any data relating (a) directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.”[6] In its most important aspects, the law gives Hong Kong data subjects the right to be informed about what personal data is collected about them, how this data is used, and gives them the right to object to this as well as to access their own data. However, the PDPO is now almost 25 years old, and has failed to keep pace with recent developments in other major jurisdictions, such as the European Union, Australia, or California. In particular, its weak regulation of cookies (small files used by websites and apps to track our behaviour), its poor regulation of consent, week penalties, the lack of serious extraterritorial reach, combined with a very business-friendly approach to enforcement by the current Privacy Commissioner for Personal Data, Stephen Wong, mean that the PDPO is not a suitable tool to tackle threats to privacy in 2020.

From the perspective of companies, the PDPO pales in comparison to the threat posed by the General Data Protection Regulation (the “GDPR”), the 2018 European framework rules for data protection, now in place in all European member states. With much increased penalties, a strong extraterritorial reach, much focus on the notion of consent, the obligation to appoint data protection officers to advocate for data users inside of the business, and the concepts of “privacy by default” and “privacy by design”, almost any sizeable company in the world had to worry about the GDPR to an extent. The first fines are beginning to hit businesses, in a way that is certain to continue to capture the attention of C-suite executives for the years to come: it is no longer possible, for anyone dealing with the European Union, to ignore the fact that the balance of power tilted, however so slightly, in favour of data users. In 2019, Google was hit with a EUR 50 million fine by the French data protection regulator, for its alleged lack of transparency, the inadequate information provided to its users, and for lacking specific consent from users about ad personalisation (an appeal by Google is ongoing).

At the government level, the recent attempt to reform the PDPO may have fallen flat: among a number of innovations aiming at strengthening the existing framework (increased fines, mandatory notification for data breaches, wider definition of personal data), the government indicated that it is “deeply concerned about the incidents of doxxing that took place over a recent period of time in the society”, citing a large number of cases referred to the regulator since June 2019.[7] This was quickly identified by the opposition as a pro-police move since, in the context of the protests that have rocked Hong Kong since June 2019, the accusations of doxxing (divulgating a person’s personal details) have focused on protesters allegedly publishing information about members of the Hong Kong Police Force, including members accused of police violence against protesters. The ensuing Legislative Council meeting was almost entirely focused on the question of doxxing, with legislators making clear that they would not support a proposal seen as pro-police. At this time, the future of the PDPO suggested amendments is unclear.

Aside from crafting the framework for the fight against cybercrime and personal data and privacy, one government office is in charge of cybersecurity: the Office of the Government Chief Information Officer (“OGCIO”). The OGCIO’s mission is wide: to “sustain Hong Kong position as Asia’s leading digital city”. Its cybersecurity work consists of providing information and guidelines on cybersecurity inside the government (by publishing guidelines) and in the wider community (by providing information and raising awareness).

Overall, the lack of a unified cybersecurity regime, or even the lack of genuine cybersecurity statutes in Hong Kong is questionable, if Hong Kong truly intends to be a digital city. However, the example of China might be telling us why the city is potentially better off without a unified statute. The Cybersecurity Law 2017[8] came into force in several phases. It effectively reinforced data protection principles, by imposing security requirements and transfer prohibitions on network operators, with a particular focus on “critical information infrastructure”. The law has been criticised as too strict, and potentially hampering the activities of foreign businesses in China. The law does not only prohibit the transfer of personal information outside of China, but also of sensitive business data, making it difficult for many cross-border operators (especially foreign technology companies) to integrate their China operations into their wider network. It is difficult to ignore the geopolitical context around the law. When looking at the Hong Kong government’s clumsy attempt to widen the PDPO to fight against doxxing, this raises questions about the need for any additional focus on cybersecurity.

 

[1] (Cap. 200).
[2] 18 USC § 1343 (2011).
[3] (Cap. 210), Theft Ordinance, Section 9.
[4] Secretary for Justice v Cheng Ka Yee [2019] HKEC 1046, at 48.
[5] (Cap. 486).
[6] Ibid., Section 2.
[7] Legislative Council Panel on Constitutional Affairs, LC Paper No. CB(2)512/19-20(03), para. 18.
[8] The Cyber Security Law of the People's Republic of China.

Lecturer, University of Law (Hong Kong).