Tech giants warn proposed Hong Kong cyber rules could undermine digital economy

Hong Kong’s proposed cybersecurity regulations have sparked controversy, with US tech giants and business groups warning the legislation could grant the government unprecedented access to computer systems and stifle investment in the city’s digital economy.

The Asia Internet Coalition (AIC), representing tech giants such as Amazon, Google, and Meta, has been vocal in its criticism, arguing that the regulations, intended to safeguard critical infrastructure, could overreach and jeopardize the integrity of service providers.

These concerns have been echoed by the American Chamber of Commerce (AmCham) and the Hong Kong General Chamber of Commerce (HKGCC), both of which have submitted formal objections during the public consultation phase.

A key issue raised by the AIC is the proposed power for authorities to connect their equipment to private company systems and install software — actions that could compromise the operational security of these firms. In a letter dated August 1, AmCham expressed fears that such measures would “significantly impact” the operations of critical infrastructure operators (CIOs) and could chill tech investments in Hong Kong.

“Such unprecedented power directly intervenes in, and could have a significant impact on, a CIO’s operation and could harm the users of the services,” the American Chamber of Commerce (AmCham) wrote in a letter, referring to critical infrastructure operators.

AmCham also warned the legislation could have a “chilling effect” on tech investment in Hong Kong. The firm has suggested removing the “power to install programs in CCS [critical computer systems]” by the authorities.

“Removing the power to connect equipment to or install program in CCS as this is likely to have a chilling effect on technology investment and Hong Kong digital economy, which will undermine trust in service providers who operate in Hong Kong,” Dr. Eden Wood, president of AmCham wrote in the letter.

The HKGCC has raised similar concerns asking the authorities to reconsider the proposed legislation and not to “impose unduly burdensome or disproportionate compliance costs” to businesses given the current economic climate.

“Given the business impact of the proposed law, we suggest that considerations be given to the introduction of balanced and proportionate legislation, which is principle and risk-based, technology-neutral, and aligned with internationally recognized standards, so as to promote stakeholder trust and support the city’s innovation and technology advancements,” Patrick Yeung, CEO at HKGCC wrote in a letter dated 12 August.

“It is important that businesses in Hong Kong, and those that may wish to establish operations here, have sufficient comfort,” the letter read.

“The tighter control and scrutiny from the government could have a significant implication on enterprises and will make CIOs rethink their IT strategy on how to sandbox company and users’ private data while maintaining openness to the watchdog’s monitoring for a controlled cybersecurity approach,” said Neil Shah, VP for research and partner at Counterpoint Research.

“The implications are on how to comply with the regulations while maintaining data sovereignty for their customers and employees which could go against the value and agreements of many international companies. While some might look to challenge, some might try to find a workaround and some might even could exit the market,” added Shah.

A query seeking comments from Google and Meta remains unanswered.

What raises the concern?

In June, the Hong Kong government proposed a new cybersecurity legislation, named the Critical Infrastructure (Computer System) Bill, which was thrown open for public discussion on July 2.

The proposed legislation was designed to regulate large organizations that provide critical services, requiring them to secure their essential computer systems. However, it does not cover personal data and business information stored within these systems.

Though the tech giants and associations such as AIC, AmCham, and HKGCC have acknowledged the criticality of a robust cybersecurity law, the bone of contention pertains to some “strict guidelines.”

The primary concern is related to the “Investigation Powers” of the Commission office. It proposes that in the case of security incidents against a CCS, the authorities hold the power to “connect equipment to or install programs in the CCS” which means authorities can install their programs in the computer systems of private companies like Google, Amazon or any other infrastructure providers.

The second important concern is the magnitude of the penalty and reporting structure. The proposed legislation includes mandatory breach reporting within two hours and fines of up to $641,800 (HK$5 million).

The clash comes amid Hong Kong’s heightened scrutiny over internet freedom. The region recently flexed its muscle over online content by forcing Google to block pro-democracy protest songs on YouTube, raising concerns about potential future content removal demands.