migores1

US firms warn against Hong Kong’s ‘unprecedented’ cyber rules

US firms have warned that parts of a proposed cyber law could give Hong Kong’s government unusual access to their computer systems, highlighting the latest challenge for Western tech giants in the city.

The Asia Internet Coalition, which includes Amazon.com Inc., Alphabet Inc.’s Google and Meta Platforms Inc., is among the bodies that have in recent weeks sought changes to parts of the legislation that officials say are designed to protect critical infrastructure from cyber attacks. The government, in response to the Bloomberg story, said 52 of the 53 submissions it received on the legislation, including from the Coalition, “supported the legislation and made constructive suggestions”.

Critics say the proposals give authorities overly broad powers that could threaten the integrity of service providers and erode trust in the city’s digital economy. The local American Chamber of Commerce and the Hong Kong General Chamber of Commerce have also submitted letters on the proposed legislative framework for public consultation.

Two of the three groups flagged the rules – which some worried could apply to IT systems outside Hong Kong – as “unprecedented”. One of their key objections was the proposed investigative powers that would allow authorities to connect their equipment to critical IT systems owned by private firms and install software on them.

“Such unprecedented power directly intervenes and could have a significant impact on the operation of a CIO and could harm service users,” AmCham wrote in an Aug. 1 letter, referring to critical infrastructure operators. Such a move “is likely to have a chilling effect” on Hong Kong’s tech investment, it added.

The government said in a statement late Tuesday in response to the Bloomberg News report that its proposal “in no way involves personal data and business information.” The statement added that “relevant legislation already exists in other jurisdictions such as the Mainland, Macao SAR, the United States, the United Kingdom, Australia, the European Union and Singapore.”

Hong Kong will only seek a court order to connect to computer systems or install programs in certain circumstances if operators are unwilling or unable to respond to potential cyber incidents. And the proposed legislation will not have “extraterritorial effect” outside its jurisdiction, according to the statement.

A Google spokeswoman declined to comment on the concerns raised in the Asia Internet Coalition letter. Amazon and Meta did not respond to requests for comment.

Officials have previously said the cybersecurity bill is needed to protect the city’s economy, public safety and national security. They are proposing the creation of a new commissioner’s office to oversee the implementation of the legislation.

Many countries have laws to protect strategic infrastructure and access networks—for example, US law enforcement and counterintelligence agencies can conduct wiretapping with court authorization. But it’s rare for government agencies to try to gain access to networks or private information by directly installing software.

“This initiative is vital to ensuring the resilience and security of Hong Kong’s critical infrastructure,” the internet coalition said in a public letter. “Government should provide assurances that information provided for investigation will only be used for specific use cases (for example, to investigate a particular incident) and will not be used for other cases and disclosed to third parties.”

While Hong Kong’s internet remains largely free compared to mainland China’s Great Firewall, in March the city’s top US diplomat sounded the alarm about lax online controls. President Xi Jinping’s crackdown on freedoms in the former British colony has raised fears of the city’s diminished appeal as a financial hub.

Hong Kong recently showed its willingness to intervene directly with online content in its showdown with Google for hosting pro-democracy protest songs on YouTube. The government – armed with a local court order – forced the US giant to block the videos, giving city leaders a powerful new tool to order the mass removal of content.

Hong Kong’s relatively open flow of information is a key attraction for international business. Restrictions on Western tech firms and services could hamper efforts to revitalize the city’s image, which has been battered by years of restrictions caused by COVID-19 and a security law imposed by Beijing that has also been criticized as vaguely worded and too far-reaching.

Under proposed new cyber rules, companies would have to secure their IT systems and disclose serious breaches to the government within two hours. Fines for offenses could be up to HK$5 million ($642,000) and would be set by a court, according to the proposal.

The legislation could be presented to the city’s Legislative Council by the end of this year and passed, legal observers say.

While Hong Kong has a legitimate need for new cybersecurity rules, companies will be concerned about protecting user data, said George Chen, co-chair of the digital practice at The Asia Group, a business and policy consulting firm with headquarters in Washington.

“International platforms, especially cloud service providers, are also concerned about enforcement,” he added. The question will be “where to draw the line between protecting user data privacy and general cybersecurity concerns.”

Photo: Buildings shrouded in fog in Hong Kong, China, Monday, February 6, 2023. Photo credit: Lam Yik/Bloomberg

Copyright 2024 Bloomberg.
