What Does Hong Kong’s National Security Law Mean for Tech Companies?
The Hong Kong national security law will have implications for privacy, cybersecurity, data, and trade issues.
On May 28, China’s national legislature, the National People’s Congress (NPC), approved a decision to introduce a national security law in Hong Kong. According to the Chinese government, the new law will be intended to prevent, stop, and punish acts in Hong Kong that threaten national security, including secessionist and subversive activity as well as foreign interference and terrorism.
In reality, the central government’s patience with Hong Kong protesters has run out. The Communist Party leadership carefully planned the surprise introduction of the national security law so that the public was not aware of the existence of such a proposal until a week before it was voted on by the NPC, an unusual practice for the highly visible political event. Even after the vote, the only publicly available text of the decision is a seven-point brief summary. As Beijing moves forward to draft, promulgate, and implement the law, the local Hong Kong opposition will not have a channel to influence the rollout process.
This action presents a major shift away from the “one country, two systems” governing model. The decisions allow central government bodies overseeing national security to set up branches in Hong Kong, implying mainland agents would have power to enforce the law in Hong Kong. The aforementioned and upcoming developments will have far-reaching consequences for global commerce and transform the ways that foreign companies operate in Hong Kong. This analysis discusses the national security law’s implications for the technology and service sectors across privacy, cybersecurity, data, and trade issues.
Impact on Privacy
Early this year, Hong Kong’s Legislative Council started a discussion on the Amendment to the Personal Data (Privacy) Ordinance 2012. This legislative proposal stemmed from public outcry over personal data breaches and cyberbullying triggered by the extradition bill protests since last June. The proposed amendment includes a new provision to require online platforms to facilitate law enforcement’s access to cyber offenders’ identities and personal information when approached by regulators with reasonable evidence.
Given the introduction of Hong Kong’s national security law, this amendment should be interpreted in a different political and legal context now. It is possible that the upcoming passage of the national security law will speed up the drafting process of the amendment, which would facilitate wider law enforcement access to personal data in Hong Kong. Even without a new amendment to the Privacy Ordinance, it is likely that the mainland Chinese security apparatus will be increasingly involved in enforcing the existing Personal Data Ordinance and leveraging the national security law to broaden and deepen their reach.
This change can take place as soon as the national security law passes and have immediate impact on internet companies, financial service providers, and data center operators in Hong Kong.
Impact on Data Flow, Cybersecurity, and Censorship
Hong Kong positions itself as a free trade and financial hub. Its government understands that data is the life blood of a modern economy and believes the free data flow mechanism set up by the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) is the right approach for Hong Kong. Last year, Hong Kong signed a bilateral free trade agreement (FTA) with Australia with an e-commerce chapter supporting the free flow of financial data.
Enforcement of the national security law is likely to raise concerns regarding the Hong Kong government’s ability to implement the Australia-Hong Kong FTA. Wider law enforcement access to data will also limit Hong Kong’s chance of committing to free data flow arrangements in the future, whether it is in the context of the FTA, the Asia-Pacific Economic Cooperation (APEC) platform, or CPTPP.
Hong Kong’s national security law is only applicable to Hong Kong; China’s Cybersecurity Law is applicable to mainland China. It is unlikely for Beijing to enforce the 2017 Cybersecurity Law in Hong Kong immediately. However, over the course of the next few years, elements of the Cybersecurity Law could be slowly introduced in Hong Kong, starting with law enforcement access to data, security and localization requirements for mainland citizens’ and organizations’ data, along with critical information infrastructure protection measures. To avoid escalating local and geopolitical conflicts around Hong Kong’s national security law, mainland Chinese authorities will proceed cautiously on content censorship within Hong Kong but continue to aggressively enforce Hong Kong-related content rules across media, social networks, Over The Top (OTT) services, and online gaming platforms behind the Great Firewall.
Impact on Trade and Export Control
The U.S. Department of State has certified that Hong Kong no longer has significant autonomy. President Donald Trump initiated the process of reviewing Hong Kong’s special economic status with United States after the national security law decision was passed. Under its special trade status, Hong Kong exports to the United States enjoy preferential tariff rates while U.S. exports to Hong Kong have a zero tariff rate. As a result, Hong Kong-U.S. trade of goods and services amounts to $67 billion annually.
The application of U.S. export control rules in Hong Kong is one element of the special treatment review. Currently Hong Kong enjoys status as a “cooperating country with multilateral export control mechanisms” and receives favorable treatment from the U.S. export control regime. Chinese and foreign companies have taken advantage of this special treatment to process dual-use technology deals they are not able to handle in other jurisdictions.
If the United States decides to revoke the special trade status, many American companies currently trading goods between Hong Kong and the U.S., leveraging favorable tariff rates, would lose that benefit and be subject to the tariffs imposed on both sides of the U.S.-China trade war. Companies that currently process business transactions through Hong Kong’s favorable export control status would have to make operational modifications for compliance. Consequently, many businesses will seek alternative import/export routes to avoid this negative impact. This will likely accelerate the ongoing trend of manufacturing supply chains moving out of China. Furthermore, technology and service companies that support manufacturing companies’ presence in Hong Kong may consider monitoring their clients’ movements closely to inform their own relocation decisions.