In this snapshot legal update, we report that on 25 May 2022 Mr. Alfred Sit, the Secretary for Innovation and Technology, confirmed in a written reply to Legislative Council questions on cybersecurity standards in Hong Kong that the Hong Kong Government is considering legislation to clearly define the cybersecurity obligations of critical infrastructure operators in Hong Kong.

This has been foreshadowed since the Chief Executive’s 2021 Policy Address. The Policy Address noted that, in line with the direction taken in a number of countries and regions, the Hong Kong Government would promote the establishment of a management system by operators of critical information infrastructure (“CII operators”) for the safe operation of those information systems and networks. This would be combined with preparatory work for the enactment of cybersecurity legislation, with a view to strengthening the cybersecurity of critical information infrastructures in Hong Kong through clear delineation of cybersecurity obligations for the operators.

This policy statement was repeated in the Legislative Council briefing on information security by the Office of the Government Chief Information Officer (OGCIO) to the Panel on Information Technology and Broadcasting. In its concluding statements on the way forward for information security in Hong Kong, the OGCIO stated that it would support the Security Bureau in its preparatory work for enacting cybersecurity legislation to clearly define the cybersecurity responsibilities of CII operators and strengthen the protection of the operation and data of Hong Kong’s network systems and critical infrastructure information systems.

The key additional points in the response of the Secretary for Innovation and Technology on 25 May 2022 are:

  • Legislation was needed to supplement the cybersecurity guidelines and requirements imposed by individual regulatory authorities, as Hong Kong does not have specific legal requirements on the cybersecurity of critical information infrastructures.
  • The legislative proposals will take into account cybersecurity standards adopted by other jurisdictions around the world.
  • Most importantly, a public consultation would be launched before the end of 2022.

In general, a unified approach to cybersecurity in Hong Kong is a welcome development. As with all legislative change, the devil will be in the detail. The details that will define the policy effect and direction of the proposed laws will be:

  • the proposed scope of terms such as CII operators.
  • any proposed restrictions on the transfer out of Hong Kong of data collected or generated by CII operators.
  • whether network operators will be included within the scope of regulation, and if so, the proposed scope applied to that term.
  • the proposed authority designated as the competent authority for oversight and enforcement.

This is a policy initiative primarily under the remit of the Security Bureau.

The full question and response by the Secretary for Innovation and Technology regarding the proposal review and public consultation on cybersecurity is available here.