Protection of Critical Infrastructure (Computer System) Bill in Hong Kong

The proposed Protection of Critical Infrastructure (Computer System) Bill in Hong Kong aims to enhance cybersecurity measures for critical infrastructure operators (CIOs).

Overview of the Proposed Legislation

1. Objective and Scope

   • The bill seeks to regulate organizations responsible for critical services, requiring them to secure their critical computer systems (CCSs). It targets sectors such as energy, IT, banking, transport, healthcare, and communications.
   • The protection of critical infrastructure legislation aims to align Hong Kong's cybersecurity framework with other jurisdictions like Mainland China, Singapore, and Australia, addressing the increasing risks of cyberattacks.

2. Regulatory Framework

   • A new Commissioner’s Office will be established under the Security Bureau to oversee the implementation of the protection of critical infrastructure law. This office will designate CIOs and CCSs, monitor threats, assist in incident response, and enforce compliance.
   • CIOs will be required to report serious security incidents within two hours and other incidents within 24 hours. Non-compliance could result in financial penalties ranging from HK$500,000 to HK$5 million, with additional daily fines for ongoing offenses.

Controversies and Criticisms

1. Broad Powers and Privacy Concerns

   • Critics argue that the proposed law grants authorities excessive investigative powers, potentially leading to the disclosure of trade secrets and impacting service providers’ operations.
   • The broad definition of critical infrastructure, especially the inclusion of the IT sector, has raised concerns about stifling innovation and investment.

2. Extraterritorial Implications

   • The law's application to CCSs located outside Hong Kong could lead to legal conflicts and increased compliance costs for multinational companies.

3. Impact on Freedom of Expression

   • Organizations like ARTICLE 19 have expressed concerns that the bill could further deteriorate freedom of expression and privacy rights in Hong Kong, given the existing climate of censorship and surveillance.

Legislative Process and Next Steps

1. Consultation and Feedback

   • The public consultation period ended on August 1, 2024, with the majority of submissions supporting the legislation, though critics have voiced significant concerns.
   • The bill is expected to be introduced to the Legislative Council by the end of 2024, with further consultations and refinements anticipated.

2. Implementation Timeline

   • Upon passage, the Commissioner’s Office is expected to be established within a year, with the legislation coming into force six months thereafter.

The proposed protection of critical infrastructure legislation represents a significant step in Hong Kong's efforts to bolster cybersecurity for critical infrastructure. However, it faces substantial criticism regarding its potential impact on privacy, freedom of expression, and the broader business environment.

Citations:

1. https://www.cdr-news.com/categories/competition-and-business-crime/21074-hong-kong-to-enact-new-cyber-security-law
2. https://thediplomat.com/2024/07/whats-in-hong-kongs-proposed-critical-infrastructure-bill/
3. https://www.aoshearman.com/en/insights/ao-shearman-on-data/hong-kong-proposes-new-critical-infrastructure-cybersecurity-law
4. https://www.eversheds-sutherland.com/en/asia/insights/shaping-hong-kong-cybersecurity-strategy
5. https://www.article19.org/resources/hong-kong-proposed-critical-infrastructure-bill-is-a-fresh-assault-on-the-freedom-of-expression-online/
6. https://advox.globalvoices.org/2024/08/23/what-are-the-controversies-over-hong-kongs-latest-cybersecurity-bill/
7. https://www.mondaq.com/hongkong/security/1490616/hong-kong-government-introduces-new-laws-to-enhance-protection-of-computer-systems-of-critical-infrastructure