U.S. Firms Warn Against ‘Unprecedented’ Hong Kong Cyber Rules

(Bloomberg) -- US firms have warned that proposed cyber regulations could grant the Hong Kong government unusual access to their computer systems, highlighting the latest challenge to Western tech giants in the city.

The Asia Internet Coalition, which includes Amazon.com Inc., Alphabet Inc.’s Google and Meta Platforms Inc., is among the bodies that have in recent weeks criticized new rules that officials say are designed to protect critical infrastructure from cyberattacks.

Critics argue the proposals give authorities overly broad powers that could threaten the integrity of service providers and rock confidence in the city’s digital economy. The local American Chamber of Commerce and Hong Kong General Chamber of Commerce have also submitted letters over the proposed legislative framework to a public consultation.

Two of the three groups flagged the rules — which would also apply to computer systems outside Hong Kong — as “unprecedented.” A key objection was to proposed investigative powers that would let authorities connect their equipment to critical computer systems owned by private firms, and install programs on them.

“Such unprecedented power directly intervenes in, and could have a significant impact on, a CIO’s operation and could harm the users of the services,” AmCham wrote in an Aug. 1 letter, referring to critical infrastructure operators. Such a move “is likely to have a chilling effect” on tech investment in Hong Kong, it added.

Related:Master IT Compliance: Key Standards and Risks Explained

The Hong Kong government and the city’s Security Bureau didn’t respond to requests for comment on the concerns outlined by business groups. A Google spokeswoman declined to comment on the concerns raised in the Asia Internet Coalition letter. Amazon and Meta didn’t immediately respond to requests for comment.

Officials have said previously the cybersecurity bill is needed to protect the city’s economy, public safety and national security, and cited what they call similar legislation in mainland China, Singapore and various Western nations.

They propose establishing a new commissioner’s office to oversee the legislation’s implementation. 

While Hong Kong’s internet remains largely free compared to mainland China’s Great Firewall, the city’s top US diplomat in March sounded the alarm over creeping online controls. President Xi Jinping’s crackdown on freedoms in the former British colony has fanned fears about the city’s reduced appeal as a finance hub.

Hong Kong recently showed its willingness to intervene directly with online content in its clash with Google over the hosting of pro-democracy protest songs on YouTube. The government — armed with a local court injunction — forced the American giant to block the videos, giving the city leaders a potent new tool to order the mass removal of content. 

Related:Meta Halts AI Training in EU, Brazil Amid Regulatory Concerns

The relatively open flow of information in Hong Kong is a key draw for international businesses. Restrictions on Western tech firms and services could hamper efforts to revitalize the city’s image, which took a hit from years of Covid curbs and a Beijing-imposed security law, also criticized as being vaguely worded and too far-reaching.

Under the proposed new cyber rules, companies would need to secure their computer systems and disclose to the government serious breaches within two hours. Fines for offenses could range as high as HK$5 million ($642,000) and would be determined by a court, according to the proposal. 

The legislation is likely to be submitted to the city’s Legislative Council by the end of this year and enacted, legal observers say.

While Hong Kong has a legitimate need for new cybersecurity rules, companies will be worried about protecting user data, said George Chen, co-chair of digital practice at The Asia Group, a Washington-based business and policy consulting firm.

“International platforms, especially cloud service providers, are also naturally concerned about the enforcement,” he added. The question will be “where to draw the line between protecting user data privacy and overall cybersecurity concerns.“