ARTICLE 19 is concerned by the threat that Hong Kong’s Protection of Critical Infrastructure (Computer System) Bill poses to further deteriorating freedom of expression online, including independent media, and to the protection of personal data. Any legislation on cybersecurity must narrowly and precisely define critical information infrastructure, guarantee safeguards against arbitrary enforcement, and ensure that restrictions on the freedom of expression and right to privacy comply with international human rights norms. In its current form, the proposal does not meet these standards.
Michael Caster, Asia Digital Programme Manager at ARTICLE 19, commented:
“Under existing national security legislation and restrictive court orders, we have already witnessed how Hong Kong authorities have manipulated notions of security to silence and surveil online. Amid this climate, the proposed critical infrastructure bill appears modelled more to close additional gaps in internet freedom than addressing authentic cybersecurity challenges.”
On 2 July 2024, the Hong Kong Security Bureau released a long-awaited proposal to the Legislative Council, along with a paper summarising background and stakeholder consultations. The proposal, titled the Proposed Legislative Framework to Enhance Protection of the Computer Systems of Critical Infrastructure (Proposed Framework), was prepared by the Security Bureau, Office of the Government Chief Information Officer, and the Hong Kong Police Force.
Cybersecurity provisions to compel critical infrastructure operators to boost cyber resilience and hold them accountable for non-compliance are important to securing essential services. However, the same legislation imposed to protect national security or cybersecurity can also supercharge violations of international human rights law and the right to freedom of speech and expression online.
This is particularly the case in Hong Kong, which has experienced one of the starkest declines in freedom of expression in the past decade, as seen in ARTICLE 19’s Global Expression Report. This is in large part under the 2020 National Security Law and 2024 Safeguarding National Security Ordinance. Since 2020, thousands have been arrested, some 20 online media outlets have been shuttered, and websites blocked. For well over a year, authorities have sought to pressure internet intermediaries into removing the pro-democracy anthem Glory to Hong Kong from their streaming services. The result has been an atmosphere of censorship and self-censorship.
Against this backdrop, the proposed bill is likely to be abused to further restrict the freedom of expression and right to privacy. In our analysis, ARTICLE 19 highlights the following concerns:
Definition of information technology under ‘critical infrastructure’ is overbroad
The proposed bill identifies two major categories of critical infrastructure, with Category 1 covering ‘essential services in Hong Kong’, which includes ‘information technology’. This is a broad and ambiguous category, which leaves businesses unclear whether the strict requirements apply to them and paves the way for entities such as popular messaging companies or internet exchanges to be treated as critical infrastructure operators and subjected to heightened investigative powers. This violates the principle of legal predictability and could be misused by the state to impose compliance costs on businesses whose work is critical of the government.
ARTICLE 19 believes that Hong Kong should precisely stipulate specific kinds of entities that fall within the “information technology” sector. Content delivery platforms should be explicitly excluded as compliance costs on these platforms could pose significant business costs and potentially compel them to exit the market. This could deny users an online platform to exercise freedom of expression.
Meanwhile, Category 2 includes ‘other infrastructures for maintaining important societal and economic activities,’ with an illustrative set of examples including performance venues and research institutions. With academic and research freedom in Hong Kong already in jeopardy, this legislation could be used to impose further onerous compliance burdens on such entities and to restrict research. Beyond this, there is no real threshold for designation as a critical infrastructure operator. ARTICLE 19 believes Category 2 should be removed in its entirety, as it is vague and provides unfettered discretion to the authorities.
Concern over potential conflicts with the Privacy Regulator
The vague wording also risks potential conflict with Hong Kong’s privacy regulator, the Privacy Commissioner for Personal Data. While the background paper excludes personal data, the proposed legislation covers the harm of data leaks as part of the designation criteria for critical infrastructure operators, which logically implies that personal data leakages could fall under the legislation. However, the office responsible for administering the legislation approaches its mandate from a national security or public order perspective and has no procedures to notify victims of a personal data leak. The legislation should clearly stipulate that the Privacy Commissioner for Personal Data will be tasked with addressing and remedying cases where personal data has been leaked.
Carte Blanche government exemption should be removed
The proposed legislation provides a carte blanche exemption for government entities designated as critical infrastructure operators. Critical infrastructure run by government entities is equally vulnerable, so exempting it from the more stringent regulation seems contrary to the legislation’s stated purpose of actually protecting Hong Kong’s critical infrastructure. Exempting government entities while exposing private entities to enhanced investigative powers and compliance requirements furthermore suggests that the government may use this legislation to clamp down on the rights of private sector entities, such as internet intermediaries already targeted with censorship or surveillance orders, while not holding government actors accountable for genuine statutory violations. The exemption for government entities should be removed from the proposed legislation.
Excessive information disclosure requirements should be removed
The proposed legislation requires critical infrastructure operators to reveal excessive amounts of information to the authorities. This is concerning: apart from enabling unwarranted surveillance, storing unnecessarily large quantities of such information in one place could actually increase cybersecurity risk, because a single compromise of that store would expose the security posture of many operators at once. In particular, sharing the design, configuration, and security operations of computer systems could amount to disclosing trade secrets. Such requirements for mandatory disclosure should be removed.
Investigative powers are excessive
Under the proposed bill, the Security Bureau will establish a Commissioner’s Office. It is authorised to require the warrantless production of any ‘relevant information’ if it suspects that an offence has occurred. This is an exceptionally broad scope with no clarity on what ‘relevant’ information may be. Without any guidelines or exemptions, this power could be used to compel disclosure of trade secrets or personal data. The Commissioner’s Office could also demand sensitive details, including encrypted data and passwords. Apart from violating the right to privacy and enabling government surveillance, a central repository of such material would be a high-value target for cyber attackers if not secured effectively.
The legislation must clarify what ‘information’ the Commissioner’s Office can seek. Personal information and trade secrets should be exempt unless there is a magistrate’s warrant, though in light of the current lack of judicial independence in Hong Kong even this may be insufficient. The legislation should also stipulate secure storage provisions and prevent unauthorised access to, or interference with, any information in the Office’s custody. The appeals procedure should be amended.
Core issues delegated to subsidiary legislation by the Executive are problematic
According to the legislative proposal, core issues, including clarifications of some of the concerns raised here by ARTICLE 19, have been passed on to subsidiary legislation that will be issued by the Secretary for Security. By its very nature, subsidiary legislation does not require assent from the legislature and may not involve consultation with other stakeholders at all. The primary legislation should itself set out the types of essential services that may be designated as critical infrastructure; the information that may be required by the Commissioner’s Office; and any information, including material changes to Critical Computer Systems, that must be reported to the Commissioner’s Office.
ARTICLE 19 acknowledges that organisations operating critical infrastructure should ensure that they have processes to prevent and respond to cyber-attacks. However, we find that the proposed legislation, rather than addressing cybersecurity vulnerabilities, risks further entrenching the existing deterioration of freedom of expression and right to privacy in Hong Kong. It should be revised to address these concerns. We further reiterate our calls for Hong Kong to bring all provisions, in particular the National Security Law and Safeguarding National Security Ordinance, in line with its obligations under international human rights law and especially the International Covenant on Civil and Political Rights (ICCPR).
For more information
Michael Caster, Asia Digital Programme Manager, [email protected].