On 25 June 2024, the Government announced its proposals to enact new cybersecurity legislation, tentatively titled ‘the Protection of Critical Infrastructure (Computer System) Bill’ (“Bill”).

The Government first announced its plans to enact cybersecurity legislation as part of its 2021 policy address, as the number of cybersecurity incidents in the region continued to rise.  According to a Legislative Council paper published on 2 July 2024, cybersecurity threats in Hong Kong are “increasingly commonplace”.

From June 2023 to May 2024, the Hong Kong Computer Emergency Response Team Coordination Centre received a total of 9,017 cybersecurity incident reports. Meanwhile, in the first quarter of 2024 the Hong Kong Police received more than 18,000 reports of cyber-attacks, with incidents involving zombie computers (machines compromised and controlled as part of a botnet) showing the greatest increase. In response, and following the lead of other jurisdictions including Mainland China, Singapore, Australia and the UK, the Government has been working to build up the capacity of public and private organisations to strengthen the computer systems of critical infrastructures (“CI”) and to enhance the security of their networks and data against cyber-attacks.

Hong Kong’s Cybersecurity Laws

Hong Kong does not currently have any cybersecurity law in place regulating the protection of the computer systems of CIs. Whilst the Personal Data (Privacy) Ordinance (“PDPO”) requires data users to protect personal data against unauthorised or accidental access, processing, erasure, loss or use, there is currently no legislation in Hong Kong SAR that deals directly with cybersecurity.

Cybersecurity refers to “a state in which necessary measures are taken to prevent cyber-attacks, network intrusions, cyber interference, cyber sabotage, unlawful use of network, and cybersecurity incidents”.1  

The purpose of the Bill is to promote the establishment of good preventive cybersecurity management systems by CI operators and secure the operation of their computer systems, thereby minimising the chance of essential services being disrupted or compromised due to cyberattacks. Under the Bill, a new Commissioner’s Office for the implementation of the legislation will be established.

The Proposed Bill

The Bill adopts an “organisation-based” approach, and it intends to govern the following two categories of infrastructures:

  • Category 1, which covers infrastructure for delivering essential services in Hong Kong of the following eight sectors: energy; information technology; banking and financial services; land transport; air transport; maritime; healthcare services; and communications and broadcasting.
  • Category 2, which covers other infrastructure for maintaining important societal and economic activities, where its damage, loss of functionality or data leakage may have serious implications for important societal and economic activities in Hong Kong. This includes major sports and performance venues and research and development parks.

The proposed statutory obligations to be imposed on CI operators have been broadly classified into the following three categories:

  • Organisational: CI operators must have a dedicated unit to manage the security of computer systems and follow up on the directions of the Commissioner’s Office;
  • Preventive: CI operators must take preventive measures, including preparing for possible incidents and devising a detailed plan on how to protect their computer systems. CI operators will be further required to conduct independent computer system security checks at least once every two years and submit a report to the Commissioner’s Office; and
  • Incident reporting and response: CI operators must have effective and proper plans and procedures in place to manage and respond to emergency situations. A serious computer system security incident is one resulting in a major impact on the continuity of the organisation’s normal operations and large-scale leakage of personal data; CI operators must notify the Commissioner’s Office within two hours after becoming aware of such a serious incident, and within 24 hours after becoming aware of any other computer system security incident.

The proposed offences under the Bill include non-compliance by CI operators with statutory obligations and written directions or other requests of the Commissioner’s Office.

Penalties for non-compliance will be limited to fines, with maximum fines ranging from HKD500,000 to HKD5 million.

Final remarks – what this means for employers

The Bill is expected to be tabled before the Hong Kong Legislative Council by the end of 2024. While the Bill is only available in outline form at this stage, it is recommended that organisations review their internal policies and systems against the statutory obligations the Bill proposes to impose.

Whether or not an organisation falls within either of the two categories of infrastructure, it should be mindful of the existing legislation that deals with data security. As the Bill is not intended to replace the obligations set out in the PDPO (e.g. Data Protection Principle 4, which requires a data user to take all practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure or loss), organisations should continue to observe and comply with the PDPO. If you have any legal issues concerning cybersecurity and data privacy, please contact our team.

1. Legislative Council – Panel on Security – Meeting on 2 July 2024 - Background brief on enhancing the protection of cybersecurity of critical infrastructure: se20240702cb2-930-4-e.pdf (legco.gov.hk)

Authors