Proposed cybercrime law needs long reach ‘to cover offences outside Hong Kong’

Lawmakers discuss blueprint to create five specific new offences to rein in cyber-dependent crimes and say lack of long-arm jurisdiction would make proposal useless.

A proposed law to clamp down on cybercrimes must enjoy a “long-arm jurisdiction” to cover offences outside Hong Kong and be able to compel technology giants to assist in investigations, legislators have said.

The lawyers overseeing the effort said the proposed offences should in principle allow for extraterritorial reach if a case involved a Hong Kong victim or affected the city, but they added that more research was needed to determine how it would be enforced.

The discussion took place at a Legislative Council meeting on Monday, where legislators and legal experts discussed the Law Reform Commission’s proposal to create five specific new offences to rein in cyber-dependent crimes.

The five crimes, proposed in July, would be illegal access to a programme or data, computer data interception and interference, computer system interference, and provision or possession of devices or data for criminal purposes.

Beijing loyalist lawmaker Junius Ho Kwan-yiu argued at the Legco meeting that the proposed law would be useless if it could not be applied to companies based overseas.

“I don’t care if Google or Twitter’s data is stored in California or Alaska. Would you require all internet service providers to keep a copy of their data in our city if they want to operate here?” he asked.

“This is how to give the law some teeth, otherwise the law could be well-written with gates and walls made of metal, but with a back door made of straw.”

Legislator Carmen Kan Wai-mun agreed the proposed law must allow Hong Kong to have extraterritorial jurisdiction because the internet world was “boundless”.

The national security law imposed by Beijing two years ago, which outlaws acts of secession, subversion, terrorism and collusion with foreign forces, also has a long-arm element designed to cover offences committed outside Hong Kong.

Lawmakers have said any proposed law without extensive jurisdiction will be useless in handling cybercrimes.

Allen Leung Chun-yue, chairman of the commission’s cybercrime subcommittee, said that under their proposal, Hong Kong’s courts would have extraterritorial jurisdiction in certain situations.

“For example, if the main criminal elements took place in Hong Kong, the victims or criminals are in Hong Kong, the targeted computers are in Hong Kong, or the criminal act caused serious damage to Hong Kong,” he said.

“So a company has to obey Hong Kong’s laws as long as it has an office and a presence in the city.”

Hong Kong, for instance, would have jurisdiction if a hacker in a foreign country attempted to paralyse the city’s transport network, he said.

But Leung stressed that it was only a preliminary study and more work was needed to determine how the law would be enforced, which he admitted could be “challenging”.

“Whether [Hong Kong] can get foreign law enforcement agencies’ cooperation is also a big problem. Depending on the seriousness of the case, sometimes they cooperate, sometimes they don’t, and we also need to consider double criminality,” he said.

“If a company’s data is in a foreign country or place, we still have to see if Hong Kong can have the extraterritorial jurisdiction to force it to do something and give evidence, so law enforcement would be challenging.”

The subcommittee chairman added that enforcement of the proposed law and the criteria under which local courts could have long-arm jurisdiction were difficult subjects that required further study.

A long-reaching law is necessary to compel tech giants such as Google to cooperate with Hong Kong’s authorities, according to one legislator.

Leung also defended the need to create a new law with the five new offences, even though the criminal activities involved were covered by existing legislation, as cybercrimes posed challenges for internet service providers, users and police.

“Technological developments related to computers and the internet have been rapid, and were used in criminal activities, so we wanted to look from a criminal law perspective, how personal rights and law enforcement were being challenged,” he said.

“Many other jurisdictions, including Australia, Canada … and China, have already enacted laws to prohibit the five types of crimes we proposed.”

The subcommittee also proposed that when a criminal act was so serious it endangered lives, a sentence of life imprisonment would be imposed, in line with the present penalty for criminal damage.

Leung added the recommendations on cyber-dependent crimes were only the first of a three-part project, which will also deal with cyber-enabled crimes. The problems of enforcement procedure and jurisdiction would be discussed in the third instalment, he added, but did not outline a timetable.

Lawmaker Eunice Yung Hoi-yan, of the New People’s Party, suggested that rather than focusing on cybercrimes, the commission should consider looking at areas such as cyber and data security.

But Wesley Wong Wai-chung, secretary general of the commission, explained that cybercrime was also a broad topic, with the city’s Security Bureau also looking at a cybersecurity bill to protect key infrastructure and public services.