HKSAR Government opposes biased report on critical infrastructure submissions

     The Government of the Hong Kong Special Administrative Region (HKSAR) today (August 20) opposed Bloomberg's biased report on the submissions made by some organisations on the proposed legislative framework to enhance protection of computer systems of critical infrastructures, taking the views of the submissions out of context.

     In the one-month consultation of the legislative framework ended on August 1, the HKSAR Government received 53 submissions, in which 52 submissions supported the legislation and made constructive suggestions, including those from the Asia Internet Coalition, the American Chamber of Commerce in Hong Kong, and the Hong Kong General Chamber of Commerce.

     The proposed legislative framework only concerns protecting the Critical Computer Systems (CCSs) of the Critical Infrastructure Operators (CIOs), which in no way involves the personal data and business information. Relevant legislation already exists in other jurisdictions, such as the Mainland, Macau SAR, the United States, the United Kingdom, Australia, the European Union and Singapore.

     "Information Technology" (IT) is one of the sectors to be regulated under the proposed framework. IT or IT related sectors are also regarded as critical infrastructures in the relevant legislation in other jurisdictions (such as the United States, Australia and Singapore). Only individual organisations, instead of the entire IT sector, having regard to the following factors, will be designated as CIOs to be regulated under the new regime, i.e.

(a) implications on essential services and important societal and economic activities in Hong Kong if there was damage, loss of functionality, or data leakage;
(b) level of dependence on information technology;
(c) importance of the data controlled; and
(d) degree of control on the critical infrastructure.

     The proposed legislation does not have extraterritorial effect. The Commissioner's Office will only request information accessible to CIOs and will allow reasonable time for preparation.

     CIOs have the responsibility of properly responding to cyberattacks. Only when a CIO is unwilling or unable to respond to an incident on its own would the Commissioner's Office consider applying to a Magistrate for a warrant to connect to the CCSs or install programmes in the CCSs in view of necessity, appropriateness, proportionality and public interest. Relevant regulators in other jurisdictions (such as Australia and Singapore) also have similar powers.

     The HKSAR Government has been engaging and will continue to engage all industry stakeholders in formulating the legislative regime and the related Codes of Practice.