Hong Kong takes further step towards cybersecurity legislation

Out-Law News | 10 Jun 2022 | 6:35 am | 1 min. read

Hong Kong Special Administrative Region (SAR) of China has proposed introducing a cybersecurity law to address changing post-covid working practices and cybersecurity threats to critical infrastructure.

The plan was first announced in the legislative proposal accompanying the 2021 Policy Address but a paper submitted in April 2022 by the Innovation and Technology Bureau and the Office of the Government Chief Information Officer (OGCIO) to the Panel on Information Technology and Broadcasting of the Legislative Council outlines more outlines more detailed plans.

The Security Bureau will prepare cybersecurity legislation to clearly define "the cybersecurity responsibilities of critical information infrastructure operators and to enhance the protection of the operation and data of Hong Kong's network systems and critical infrastructure information systems."

According to the paper, the Hong Kong SAR administration has taken five steps to tackle cyber security threats. In data security protection, the Security Bureau issued the Security Regulations. The rules define the security classification of administration's information, requiring administrative departments to classify their information and to take proper measures based on the classification in order to protect the information in storage and business operations. 

The OGCIO has also developed IT security policies and guidelines in administrative departments under the framework of the Security Regulations to protect data and tackle information security threats.

The Hong Kong SAR administration deputy chief information officer told a Legislative Council panel meeting in April this year that the Security Bureau was making preparations for cybersecurity legislation and expected to submit a paper to the Legislative Council during June to December to begin public consultation.

Jennifer Wu of Pinsent Masons said: “It would be interesting to see the details of this paper and interested parties in the relevant industries, such as finance, telecommunications and some technology companies dealing with critical infrastructure, should observe the upcoming changes and assess the likely impact to their operations.”