The investigation power of the authorities is excessive and unprecedented
Originally published on Global Voices
Image by Oiwan Lam with elements from Canva Pro.
The Hong Kong government made a statement on August 20, about Bloomberg’s report on the city’s latest cybersecurity legislation, namely the Protection of Critical Infrastructure (Critical Computer System) Bill, accusing it of being biased. Introduced on July 2, 2024, the proposed law aims to protect Hong Kong’s critical infrastructures (CIs) against cyberattacks targeting CIs’ critical computer systems (CCSs), and the public consultation ended on August 1.
In a recent report on August 21, Bloomberg quoted critics and highlighted,
The proposals give authorities overly broad powers that could threaten the integrity of service providers and rock confidence in the city’s digital economy.
On the other hand, the government stressed that of the 53 consultation submissions it had received, 52 supported the legislation and made constructive suggestions.
So, what are the controversies surrounding the proposed bill? Let's examine some of its critics and constructive suggestions.
The drafted bill divided critical infrastructure into two categories. Category one covers eight sectors: energy, information technology (IT), banking and financial services, land transport, air transport, maritime, healthcare services, communications, and broadcasting. Category two covers infrastructure for maintaining important societal and economic activities.
As ARTICLE 19, an international free speech defense group, pointed out that the definition of IT in category one is too broad to be included as critical infrastructure.
The American Chamber of Commerce (AmCham) also recommended in its submission to the consultation to remove the IT sector from the list of CIs as it is a service provider sector that usually acts as a third party that doesn’t have the authority to decide on behalf of the computer system owner.
While the government defended itself by saying that only designated critical infrastructure organizations (CIOs), instead of listed sectors, will be regulated under the new law, the power to determine a CIO falls under the purview of the future Commission Office, while the definition of CI and CCS remains unclear under the proposal law. The AmCham urged for a clear definition of CI and CCS and specifically suggested that:
If there are multiple organizations providing substantially the same services or operating similar infrastructures in a particular sector, the severity, intensity, and magnitude of the impact of the disruption of the services or infrastructures would be limited, and therefore, the targeted infrastructure should not be regarded as a CI.
The proposal also stated that the future laws will apply to all CCSs, “regardless of whether they are physically located in Hong Kong or not.”
The AmCham stressed that the extraterritorial implications would result in legal conflicts as the CIOs may violate the laws in one country if they comply with the laws in Hong Kong. The AmCham recommended that the law apply to CIs and CCSs within the city. It warned:
By extending the proposed legislation to infrastructures and computer systems situated outside Hong Kong, it is disproportionate to the regulatory purpose, and may result in regulatory fragmentation and lead to higher compliance costs and deter multinational companies from operating businesses and investing in Hong Kong.
The proposed law will empower local authorities to investigate CIOs in security incidents by posing questions, requesting information, entering premises, accessing and checking the relevant computer systems, and more.
ARTICLE 19 described such power as excessive and highlighted that the mandatory disclosure of “design, configuration, and security operations of computer systems could amount to disclosing trade secrets.”
In Annex II, the bill specifies that if the CIOs do not comply with police requests, the investigation authorities could even “connect equipment to or install a program in the CCS.”
The AmCham called such a power “unprecedented” and stressed that it “could have a significant impact on a CIO’s operation and could harm the users of the services provided by the CIO.”
We submit that introducing this power is likely to have a chilling effect on technology investment and Hong Kong digital economy and will undermine trust in service providers who operate in Hong Kong.
The AmCham also recommend that the government release “an exhaustive list of actions” that the CIO may be directed to take.
The proposed law also empowers the Secretary for Security to amend the law by way of subsidiary legislation on several aspects, including the determination of the CI sector, the list of mandatory information disclosure by CIOs, the scopes of computer system security management plans, security audits, risk assessments and emergency response plans, and the content and deadlines of the mandatory report on security incidents.
In a similar manner, the Commission Office will be empowered to issue a CoP to CIOs detailing actions and standards to be taken in their mandatory security incident report, security audit, management, assessment, monitoring mechanism, etc.
Both ARTICLE 19 and the AmCham pointed out that the subsidiary legislation will bypass the Legislature and public consultation.
Against the backdrop of the implementation of the National Security Law, which results in the dismantling of the independent media and civil society sectors, Michael Caster, Asia Digital Programme Manager at ARTICLE 19, warned that “the proposed critical infrastructure bill appears modelled more to close additional gaps in internet freedom than addressing authentic cybersecurity challenges.”
