By Alex Liu
Hong Kong, 6 September 2022: It is obvious to many that Hong Kong’s laws to combat cybercrime are badly outdated. This city completed its last review of online security more than two decades ago, since when the digital revolution has transformed almost every aspect of our lives. So new proposals to introduce specific legislation against cybercrime are both welcome and overdue.
The Law Reform Commission (LRC) has published a consultation paper which recommends introducing a string of new cybercrime offences and giving courts scope to hand out tougher penalties, including life imprisonment in the most serious cases.
Currently, there is no single ordinance in Hong Kong which deals specifically with cybercrime. Until now, law enforcement officers have relied chiefly on Section 161 of the Crimes Ordinance (Cap 200), for the offence of “access to a computer with criminal or dishonest intent”, and Section 27A of the Telecommunications Ordinance (Cap 106), forbidding “unauthorized access to any program or data held in a computer”. It is worth noting that Section 161 was enacted in 1993, a time when the internet was only in its formative stages and before the advent of smartphones and social media.
But then came a landmark decision by the Court of Final Appeal in April 2019 which ruled Section 161 did not apply to the use by a person of his or her own computer, including a smartphone. Until that point, Section 161 had been used to prosecute a wide range of smartphone and computer-related crimes, including the taking of up-skirt photos. The need for new legislation was clear.
In fact, the LRC’s Sub-committee on Cybercrime had commenced its study three months before that key judgment, seeking to identify the challenges posed by rapid developments in cybercrime, review existing legislation and make recommendations. In doing so, it examined the regulatory regimes in seven other jurisdictions, namely Australia, Canada, England and Wales, Mainland China, New Zealand, Singapore and the United States.
After three and a half years of deliberations, the LRC has produced its consultation paper. At the heart of this document is the suggestion that new legislation should be enacted to cover five types of offences, namely:
- illegal access to program or data;
- illegal interception of computer data;
- illegal interference of computer data;
- illegal interference of computer system; and
- making available or possessing a device or data for committing a crime.
The paper recommends maximum penalties of two to 14 years’ imprisonment for most offences – compared with two to five years under existing laws – while summary convictions could result in a sentence of up to two years. However, for “aggravated offences”, such as illegal interference with computer data or a computer system, the highest penalty could be life imprisonment.
Given the nature of cybercrime, Hong Kong would be justified in giving the new laws extra-territorial application, says the LRC. As an illustration, the courts here may assume jurisdiction if the perpetrator’s act has caused or may cause serious damage to Hong Kong.
The LRC has stopped short of allowing whistle-blowers who expose wrongdoing to rely on a public interest defence. It maintains that a “reasonable excuse” defence allows courts flexibility to determine what may or may not be acceptable by reference to societal standards. However, it is seeking industry stakeholders’ views on whether there should be any specific defence or exemption for certain professionals or businesses, for example cybersecurity personnel.
It is also worth noting the LRC’s Sub-committee on Cybercrime began its study well over a year before enactment of the national security law in the summer of 2020. “The duty of Hong Kong to safeguard national security reaffirmed the need for reform of cybercrime laws in Hong Kong and the sub-committee has taken this into consideration in its pursuit of the cybercrime project,” says the consultation paper.
In drafting its recommendations, the LRC has weighed the need to protect the public’s interest and right not to be attacked when using their computer system against the rights of netizens and the interests of persons in the IT industry. In short, it is seeking a balance between effective law enforcement and safeguarding individual rights. The consultation period, which ends on 19 October, is a welcome opportunity for industry stakeholders to have their say.
Alex Liu has been a Partner in BC&C since 2000. His key areas of practice include commercial and corporate litigation, investigations by governmental bodies such as the SFC, ICAC and Commercial Crime Bureau, insolvency and debt restructuring, intellectual property, defamation, property and commercial contract drafting. He can be contacted at email@example.com.