Hong Kong introduces new Cybersecurity Law, raising surveillance concerns
On 20 March, Hong Kong’s Legislative Council (LegCo) passed the Protection of Critical Infrastructures (Computer Systems) Bill into law, prompting concerns from human rights organisations and commercial entities about the broad investigative powers granted to the government under the new law.
As passed by LegCo, the new law empowers the Hong Kong government to seek a court warrant to connect to, or install programs onto, “critical infrastructure systems”. These systems span sectors such as information technology, financial services, and telecommunications and broadcasting services. Government systems are exempt.
The Security Bureau has insisted that the scope of the law will be limited to “critical infrastructure”, not small and medium enterprises (SMEs) or the general public. However, the potential application is still broad in scope, and the Secretary for Security has stated that the number of affected enterprises will not be made public.
Under the new law, the Security Bureau will also establish a Commissioner’s Office with the power to require private companies to provide unspecified “relevant information” if it suspects that an offence has occurred, without need for a warrant.
This means that internet service providers, media companies, and financial institutions could all be targeted by investigations and onerous compliance requests. The law thereby grants the government new powers to restrict media freedom and increase surveillance via unrestricted access to private company data.
The law was passed one day after the first anniversary of the Safeguarding National Security Ordinance, a draconian national security law which contains broad definitions of cybersecurity and “state secrets”, further underlining the data privacy and security risks to organisations in Hong Kong.
Megan Khoo, Policy Director at Hong Kong Watch, said:
“Freedom of expression has been badly damaged by increasingly repressive legislation in Hong Kong since 2020. This law looks set to continue this trend.
“Government bodies are exempt from reporting requirements, which is surely a significant weak point in a law ostensibly designed to protect critical infrastructure from cyber attacks. Instead, this looks like the Hong Kong government granting itself more powers to compel private companies to hand over sensitive data and further its ability to conduct surveillance and censorship.”
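Hong Kong introduces new cybersecurity law, raising surveillance concerns
On 20 March, Hong Kong’s Legislative Council passed the Protection of Critical Infrastructures (Computer Systems) Bill at its third reading, prompting concerns from human rights organisations and commercial entities about the broad investigative powers the new law grants the government.
The new law authorises the Hong Kong government to apply to a court for a warrant to connect to “critical computer systems” or to install programs on them. These systems cover sectors such as information technology, financial services, and communications and broadcasting services. Government systems are exempt.
The Security Bureau insists that the scope of the law is limited to “critical infrastructure operators”, and that small and medium enterprises and the general public are not affected. However, the law’s potential scope of application remains broad, and the Secretary for Security has also said that the number of affected enterprises will not be made public.
The new law proposes establishing a dedicated office under the Security Bureau, with the power to require private companies to provide unspecified “relevant information” when it suspects that an offence has occurred, without needing to apply for a warrant.
In other words, internet service providers, media companies, and financial institutions could all become targets of investigations and onerous compliance requirements, giving the government new powers to restrict press freedom and to step up surveillance through unlimited demands for private company data.
The bill was passed one day after the first anniversary of the passage of the Safeguarding National Security Ordinance (commonly known as Article 23), a draconian national security law. Article 23 defines cybersecurity and “state secrets” broadly, further underlining the data privacy and security risks facing organisations in Hong Kong.
Megan Khoo, Policy Director at Hong Kong Watch, said:
“Since 2020, the Hong Kong authorities have repeatedly passed repressive legislation, seriously damaging freedom of expression. This law looks set to continue this trend.
“Government bodies are exempt from complying with reporting requirements, which is undoubtedly a major weakness in a law ostensibly aimed at protecting critical infrastructure from cyber attacks. Instead, this looks like the Hong Kong government intending to grant itself more powers to compel private companies to hand over sensitive data, further enhancing its ability to conduct surveillance and censorship.”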