US Firms Warn Against ‘Unprecedented’ Hong Kong Cyber Rules

By Newley Purnell | August 21, 2024

US firms have warned that parts of a proposed cyber law could grant the Hong Kong government unusual access to their computer systems, highlighting the latest challenge to Western tech giants in the city.

The Asia Internet Coalition, which includes Amazon.com Inc., Alphabet Inc.’s Google and Meta Platforms Inc., is among the bodies that have in recent weeks sought changes to parts of the legislation that officials say are designed to protect critical infrastructure from cyberattacks. The government, in response to the Bloomberg story, said 52 of the 53 submissions it received about the legislation, including from the coalition, “supported the legislation and made constructive suggestions.”

Critics argue the proposals give authorities overly broad powers that could threaten the integrity of service providers and rock confidence in the city’s digital economy. The local American Chamber of Commerce and Hong Kong General Chamber of Commerce have also submitted letters over the proposed legislative framework to a public consultation.

Two of the three groups flagged the rules — which some were concerned could apply to computer systems outside Hong Kong — as “unprecedented.” One of their key objections was to proposed investigative powers that would let authorities connect their equipment to critical computer systems owned by private firms, and install programs on them.

“Such unprecedented power directly intervenes in, and could have a significant impact on, a CIO’s operation and could harm the users of the services,” AmCham wrote in an Aug. 1 letter, referring to critical infrastructure operators. Such a move “is likely to have a chilling effect” on tech investment in Hong Kong, it added.

The government said in a statement late on Tuesday in response to the Bloomberg News report that its proposal “in no way involves the personal data and business information.” The statement added that “relevant legislation already exists in other jurisdictions, such as the Mainland, Macau SAR, the United States, the United Kingdom, Australia, the European Union and Singapore.”

Hong Kong will only seek out a court warrant to connect to computer systems or install programs in certain circumstances if operators won’t or can’t respond to potential cyber incidents. And the envisioned legislation won’t have “extraterritorial effect” beyond its jurisdiction, according to the statement.

A Google spokeswoman declined to comment on the concerns raised in the Asia Internet Coalition letter. Amazon and Meta didn’t respond to requests for comment.

Officials have said previously the cybersecurity bill is needed to protect the city’s economy, public safety and national security. They propose establishing a new commissioner’s office to oversee the legislation’s implementation.

Many countries have laws to safeguard strategic infrastructure and access networks — for instance, US law enforcement and counterintelligence agencies can conduct wiretaps with court authorization. But it’s rare for government agencies to try and gain access to private networks or information by directly installing software.

“This initiative is vital to ensuring the resilience and security of Hong Kong’s critical infrastructure,” the internet coalition said in a public letter. “The Government should provide assurance that information provided for investigation will be used only for specific use cases (e.g., for investigating a particular incident) and will not be used for other cases and disclosed to third parties.”

While Hong Kong’s internet remains largely free compared to mainland China’s Great Firewall, the city’s top US diplomat in March sounded the alarm over creeping online controls. President Xi Jinping’s crackdown on freedoms in the former British colony has fanned fears about the city’s reduced appeal as a finance hub.

Hong Kong recently showed its willingness to intervene directly with online content in its clash with Google over the hosting of pro-democracy protest songs on YouTube. The government — armed with a local court injunction — forced the American giant to block the videos, giving the city leaders a potent new tool to order the mass removal of content.

The relatively open flow of information in Hong Kong is a key draw for international businesses. Restrictions on Western tech firms and services could hamper efforts to revitalize the city’s image, which took a hit from years of COVID curbs and a Beijing-imposed security law, also criticized as being vaguely worded and too far-reaching.

Under the proposed new cyber rules, companies would need to secure their computer systems and disclose to the government serious breaches within two hours. Fines for offenses could range as high as HK$5 million ($642,000) and would be determined by a court, according to the proposal.

The legislation is likely to be submitted to the city’s Legislative Council by the end of this year and enacted, legal observers say.

While Hong Kong has a legitimate need for new cybersecurity rules, companies will be worried about protecting user data, said George Chen, co-chair of digital practice at The Asia Group, a Washington-based business and policy consulting firm.

“International platforms, especially cloud service providers, are also naturally concerned about the enforcement,” he added. The question will be “where to draw the line between protecting user data privacy and overall cybersecurity concerns.”

Photograph: Buildings shrouded in fog in Hong Kong, China, on Monday, Feb. 6, 2023. Photo credit: Lam Yik/Bloomberg
