Home / News & Media / Latest News / Internet Regulation in Hong Kong: An overview

Internet Regulation in Hong Kong: An overview

14Nov2024

1. Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern the internet in Hong Kong?

An internet service provider (ISP) will need a telecommunications licence to provide internet services in Hong Kong. It is for this reason that certain responses below refer to the telecommunications sector as well.  

The internet in Hong Kong is primarily governed by the following legislation:

  • the Communications Authority Ordinance (Cap 616);
  • the Telecommunications Ordinance (Cap 106);
  • the Trade Descriptions Ordinance (Cap 362); and
  • the Control of Obscene and Indecent Articles Ordinance (Cap 390).

1.2 Which bodies are responsible for enforcing the laws and regulations that apply to internet service providers? What powers do they have?

The Communications Authority is the independent regulatory body responsible for enforcing, overseeing and regulating ISPs, as well as the telecommunications and broadcasting sectors.

The Communications Authority shares concurrent jurisdiction with the Customs and Excise Department to enforce the fair trading provisions of the Trade Descriptions Ordinance (Cap 362) in the telecommunications and broadcasting sectors.

The Communications Authority also shares concurrent jurisdiction with the Competition Commission to enforce the Competition Ordinance (Cap 619) for the telecommunications and broadcasting sectors.

The Communications Authority operates through its executive arm, called the Office of the Communications Authority (OFCA).

The Communications Authority’s powers include the power to:

  • grant, renew, regulate and monitor telecommunications and broadcasting licences;
  • manage and administer the radio frequency spectrum and the telecommunications numbers;
  • develop technical standards and conduct equipment testing in line with international best practices; and
  • conduct examination and issuing certificates for the operating personnel of radiocommunications systems.

1.3 What is the general approach of those bodies in regulating internet service providers?

According to OFCA, the Communications Authority “adopts a light-handed and pro-competition approach in the regulation of the telecommunications sector”.

1.4 What other industry codes of conduct or best practices apply to internet service providers?

The Communications Authority issues codes of practice and guidelines in respect of telecommunications services. The guidelines of the Communications Authority are practical guidance and elaborations on provisions of legislation, and are not to be considered a complete or authoritative statement of the law or court practice.

2. Ownership

Who is eligible to provide internet services in Hong Kong? Are there any restrictions on foreign ownership? Do any domicile requirements apply? What other requirements or restrictions apply in this regard?

Telecommunications services in Hong Kong are fully liberalised and are all provided by the private sector. There are no restrictions on foreign ownership of a telecommunications licence in Hong Kong. The only mandatory requirement is that a licence applicant be a company registered under the Companies Ordinance (Cap 622) in Hong Kong.

A company that wishes to apply for a telecommunications licence must apply to the Communications Authority for assessment. The Communications Authority will assess any telecommunications licence application based on various criteria, including:

  • whether the applicant and all persons exercising control of the applicant are fit and proper persons;
  • the scope of the proposed services;
  • the company structure;
  • the applicant’s financial soundness;
  • the applicant’s technical expertise; and
  • previous relevant experience.

3. Authorisations/licences

3.1 What authorisations and/or licences are required to operate as an internet service provider? Do any exemptions apply? Do these vary depending on the service to be provided?

The basic licensing requirement is that no person in Hong Kong can do any of the following without a licence:

  • establish or maintain any means of telecommunications;
  • offer in the course of business a telecommunications service;
  • possess or use any apparatus for radiocommunications or any apparatus of any kind that generates and emits radio waves;
  • deal in the course of trade or business in apparatus or material for radiocommunications or in any component part of any such apparatus or in apparatus of any kind that generates and emits radio waves; or
  • demonstrate, with a view to sale in the course of trade or business, any apparatus or material for radiocommunications.

The Communications Authority is the competent authority with the power to issue telecommunication licences, including:

  • carrier licences, including the unified carrier licence and space station carrier licence;
  • localised wireless broadband service licences;
  • wireless internet of things licences;
  • public radiocommunications service licences, including licences for public radio paging service operators, trunked mobile radio service operators, and railway signalling service operators;
  • services-based operator licences;
  • class licences; and
  • other specific licences.

There are certain limited exemptions where a person that establishes or maintains a means of telecommunications does not need a telecommunications licence under the Telecommunications Ordinance (Cap 106). An example of a specific exemption would be in relation to a radiocommunications transmitting apparatus that is in air transit cargo or air transhipment cargo.

3.2 What are the key features of such authorisations/licences?

The key features of telecommunications licences are:

  • the period of validity;
  • the payment of fees and royalty; and
  • the frequency of payments.

For licences other than exclusive licences and carrier licences, the Communications Authority may determine:

  • the form of licence;
  • the conditions for grant of the licence;
  • the period for which the licence is valid;
  • the types of licence (including class licences) to be issued; and
  • the fees payable, including for the grant and renewal of licences and by way of annual fees.

The conditions of licences can include:

  • the manner of service provision;
  • interconnection;
  • interference;
  • adherence to technical standards;
  • compliance with directions, guidelines, codes of practice, regulations, the Telecommunications Ordinance (Cap 106) and international obligations;
  • universal service obligations;
  • accounting practices;
  • the provision of information;
  • tariffs;
  • network coordination;
  • the protection of customer information;
  • the prohibition of unfair market practice;
  • the regulation of a dominant licensee; and
  • the provision of performance bonds (Section 7 of the Telecommunications Ordinance (Cap 106))

The Communications Authority has published sample licences for a number of licences, including:

  • the unified carrier licence;
  • the localised wireless broadband service licence; and
  • the localised wireless broadband service (private) licence.

3.3 What are the procedural and documentary requirements to obtain such authorisations/licences?

An applicant must complete all parts of the relevant application form in English and submit the application form with supporting documents to the Office of the Communications Authority (OFCA) to obtain a telecommunications licence.

The supporting documents to be submitted includes:

  • an application proposal setting out how the applicant meets the criteria to be granted a licence;
  • documents showing the company structure of the applicant; and
  • financial documents showing the applicant’s financial capability.

3.4 What does the authorisation/licensing process involve? How long does it typically take? What costs are incurred?

OFCA will review each application and the supporting documents and decide whether to grant a licence. Each application is evaluated on its merits having regard to the information provided as required in the relevant guidelines of the licence and to the broad licensing criteria under the Telecommunications Ordinance (Cap 106).

The length of time it takes to process each application depends on:

  • the type of telecommunication licence;
  • the quality of the submission; and
  • specific features of the application.

For example, OFCA has stated that it takes about three months to process a service-based operator licence application.

The costs incurred include the licence fee if the applicable licence is granted by the Communication Authority. Licence fees payable upon grant of the licence by the Communications Authority range from HK$150 to HK$100,000. Some licence fees increase according to the number of stations operating under the licence, or other variables.

3.5 What are the ongoing rights and obligations of the authorisation/licence holder? How is compliance monitored? What penalties may be imposed for breach?

The ongoing rights of a licence holder are that that the licence holder may conduct the activities set out in its licence for the validity period of the licence.

The ongoing obligations for each licence holder vary according to the specific licence in question. Common ongoing obligations include:

  • ensuring that all persons exercising control of the licence holder are fit and proper persons;
  • following conditions imposed under the licence to the satisfaction of the Communications Authority;
  • ensuring that its articles of association comply fully with the provisions of the Telecommunications Ordinance (Cap 106) and the terms and conditions of its licence;
  • operating, maintaining and providing a good, efficient and continuous service in a manner satisfactory to the Communications Authority;
  • supplying the Communications Authority with information upon request under the Telecommunications Ordinance (Cap 106); and
  • allowing the Communications Authority inspection rights of the premises or place of the licensee.

The Communications Authority will monitor holders of telecommunications licences to ensure that they are meeting their licence conditions and regulations. The Communications Authority has the power to investigate any suspected contravention of the licence conditions, codes of practice and the Telecommunications Ordinance (Cap 106). The public can also lodge a complaint or report to the Communications Authority in respect of a telecommunications licence holder. The Communications Authority publishes enforcement activity and consumer complaints on its website on at least a semi-annual basis.

Breaches of the Telecommunications Ordinance (Cap 106) may result in fines or imprisonment, depending on the breach. The Communications Authority also has the power to cancel, withdraw or suspend a telecommunications licence.

3.6 For how long is the authorisation/licence valid? Are variations to the terms possible? How is the authorisation/licence renewed?

Various telecommunications licences have different periods of validity. The validity of a licence is stated for the specified licence. A localised wireless broadband service licence may be valid for up to five years and a unified carrier licence may be valid for up to 15 years.

Variations to the terms of a telecommunication licence are possible. The licensee may apply to the Communications Authority to change its scope of service, for example. The Communications Authority may act on its own volition to vary the terms of a licence, but any such variation will require the consent of the licensee.

There are special rules for variations in respect of class licences. The Communications Authority may vary a class licence by:

  • providing notice in the Government Gazette to allow for representations from the public; and
  • proceeding with the variation having duly considered the representations it has received.

Each telecommunications licence has different provisions and processes for renewal. For example, a carrier licence does not automatically renew and a licence holder must apply for a new licence before expiry. A services-based operator licence can be renewed for two years at a time, and there is a specific procedure to do this.

3.7 Can an authorisation/licence be transferred? If so, what is the process for doing so?

Subject to the terms of the specific licence, a licensee may generally transfer its licence only:

  • with the prior written consent of the Communications Authority; and
  • subject to such reasonable conditions as the Communications Authority thinks fit.

The licence holder must apply to the Communications Authority in writing.

4. Internet

4.1 What provisions apply to high-speed broadband in Hong Kong? Are there any government incentives to promote broadband penetration?

There are no specific legal provisions that apply to high-speed broadband in Hong Kong.

There are government incentives to promote broadband penetration. Hong Kong currently has a broadband penetration rate of over 95%.

In 2018, the Hong Kong government launched a subsidy scheme to extend fibre-based networks to 235 remote villages in the New Territories and on outlying islands of Hong Kong.

4.2 What net neutrality regulations apply in Hong Kong? Are any exemptions and/or exceptions available?

There are no specific net neutrality regulations that apply in Hong Kong. The existing laws and licence conditions provide safeguards to prevent an internet service provider from acting unilaterally to violate net neutrality.

The relevant safeguards in place are as follows:

  • The Communications Authority may determine the terms and conditions of interconnection.
  • The Communications Authority may issue directions in writing to a licensee requiring it to take such action in relation to any interconnection or secure the connection of any telecommunications service.
  • Any person that offers a public telecommunications service must supply information to the Communications Authority as requested.
  • There are licence conditions for licensees that govern:
  • the provision of service;
    • control of interference and obstruction;
    • the provision of satisfactory service; and
    • information requirements for licensees.
  • Sections 6 and 21 of the Competition Ordinance (Cap 619):
  • prevent agreements, concerted practices or decisions that prevent, restrict or distort competition in Hong Kong; and
    • prohibit the abuse of a substantial degree of market power by preventing, restricting or distorting competition in Hong Kong.
  • Sections 7A and 13E of the Trade Descriptions Ordinance (Cap 362) prohibit unfair trade practices such as false trade description of services and misleading omissions.

4.3 Are internet service providers (ISPs) obliged to block or restrict access to specific websites or types of content in Hong Kong?

There are four scenarios in which an ISP is obliged to block or restrict access to specific websites or types of content in Hong Kong:

  • The website or website content infringes a copyright by making available copies to the public through the Internet;
  • The website or website content is considered obscene or indecent in accordance with the Control of Obscene and Indecent Articles Ordinance (Cap 390);
  • The commissioner of police has reasonable grounds to suspect that an electronic message published on an electronic platform is likely to constitute an offence endangering national security or is likely to cause the occurrence of an offence endangering national security, and a request is issued to the ISP; or
  • The website or website content discloses personal data of a data subject (who is a Hong Kong resident or present in Hong Kong at the time of disclosure) without consent and this constitutes an offence under the Personal Data (Privacy) Ordinance (Cap 486) (PDPO). Two offences that target doxxing under the PDPO are:
  • a summary offence for disclosing any personal data of a data subject without the relevant consent of the data subject, in circumstances in which the discloser has an intent to or is being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
  • an indictable offence for disclosing any personal data of a data subject without the relevant consent of the data subject where:
  • the discloser has an intent to or is being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
    • the disclosure causes any specified harm to the data subject or any family member of the data subject.

4.4 Is the use of virtual private networks permitted in Hong Kong?

Yes, the use of virtual private networks is permitted in Hong Kong.

4.5 In what circumstances will ISPs be held liable for offending content carried on their networks? What defences are available?

Obscene and indecent content: An ISP may be found liable for publishing or possessing for the purpose of publishing obscene (Class III) or indecent (Class II) content under the Control of Obscene and Indecent Articles Ordinance (Cap 390) (COIA), which attracts a maximum fine of HK$1 million and imprisonment for three years.

The defences available for publishing, possessing or importing obscene articles are as follows:

  • The ISP can prove that, at the time the offence is alleged to have been committed, the article was classified as a Class III (ie, obscene) article; but it may be convicted of any other offence under the COIA as if it had been charged with that other offence.
  • The ISP can prove that the article is, or was at the time the offence is alleged to have been committed, classified as a Class I (ie, neither obscene nor indecent) or a Class II (ie, indecent) article.
  • In respect of possession or importing, the ISP can prove that, at the time the offence is alleged to have been committed, the relevant article was possessed or imported:
  • by it for the purpose of submitting it, a copy or a print to the registrar for classification by a tribunal; or
    • by a person licensed under the Broadcasting Ordinance (Cap 562) for the purpose of submitting the articles under the relevant provisions of the ordinance.
  • For the purposes of possessing, the ISP can prove that, at the time that offence is alleged to have been committed, it:
  • had no reasonable opportunity to inspect the relevant article; and
    • had reasonable grounds to believe that article was not obscene.
  • In respect of importation, the ISP can prove that, at the time that offence is alleged to have been committed, it had reasonable grounds to believe that the relevant article was not obscene.

Copyright infringement: The mere provision of physical facilities for enabling the making available of copies of works to the public does not of itself constitute an act of infringement of copyright by actually making available copies of works to the public.

An ISP may be liable for copyright infringement if:

  • it is found to have engaged in unauthorised acts by the copyright owner;
  • it is held responsible for contributing to or making possible the act of infringement; or
  • it knowingly possesses or deals with infringing copies of copyright works.

An ISP may also be found liable under civil liability as a joint tortfeasor for deliberately collaborating with a third party to commit an infringing act or otherwise procuring another to commit the tort.

Available defences include proving that the ISP was merely providing physical facilities for enabling the making available of copies of works to the public.

National security: If an ISP fails to comply with a requirement by the police to remove messages endangering national security or to restrict or cease access to messages or platforms, or a request by the police to provide assistance, the ISP will be liable on conviction to a fine of $100,000 and to imprisonment for six months.

It is a defence if:

  • the technology necessary to comply with the requirement was not reasonably available to the ISP; or
  • there was a risk of incurring substantial loss to, or otherwise substantially prejudicing the right of, a third party.

Anti-doxxing: If an ISP’s website or website content discloses personal data of a data subject (who is a Hong Kong resident or present in Hong Kong at the time of disclosure) without consent and this may constitute a doxxing offence under the PDPO, the Office of the Privacy Commissioner for Personal Data (PCPD) may issue a cessation notice to the ISP to demand actions to cease or restrict disclosure of the doxxing contents. If the ISP does not remove the disclosure of personal data of a data subject before the date specified in the cessation notice, then the ISP commits an offence and is liable to a fine and imprisonment.

Potential defences for an ISP contravening a cessation notice include that:

  • the ISP had a reasonable excuse for contravening the cessation notice; or
  • it was not reasonable to expect the ISP to comply with the cessation notice:
  • having regard to the nature, difficulty or complexity of the cessation action concerned;
    • because the technology necessary for complying with the cessation notice was not reasonably available to the ISP; or
    • because there was a risk of incurring substantial loss to, or otherwise substantially prejudicing the right of, a third party.

4.6  How are digital platforms regulated in Hong Kong?

Digital platforms are not regulated in Hong Kong by virtue of their digital delivery of services, except as mentioned above and in respect of data privacy mentioned below. Digital platforms may provide services in respect of regulated sectors of the economy (e.g. financial services), and may be subject to the laws and regulations that apply to services in those regulated sectors generally.

5. Competition

5.1 What competition-related provisions (e.g., structural or functional separation requirements; significant market power requirements; media plurality rules) apply in the internet sector?

The Competition Ordinance (Cap 619) governs the competition-related provisions relevant for the telecommunications sector.

The Competition Ordinance (Cap 619) prohibits anti-competitive conduct under the first conduct rule, the second conduct rule and the merger rule. The first conduct rule prohibits anti-competitive agreements, concerted practices and decisions. The second conduct rule prohibits the abuse of market power.

The merger rule prohibits mergers that would substantially lessen competition. The merger rule applies only if one or more of the participants in the merger (eg, the acquirer or the entity being acquired):

  • holds a carrier licence;
  • indirectly or directly controls a carrier licence holder; or
  • conducted business immediately before the acquisition under a carrier licence under the Telecommunications Ordinance (Cap 106).

Also, the Communications Authority has the power to regulate a licensee in a dominant position in the telecommunications market, including regulating conduct that it considers exploitative. ‘Exploitative conduct’ includes:

  • fixing and maintaining prices or charges at an excessively high level; and
  • setting unfair trading terms and conditions for the provision on interconnection arrangements.

The Communications Authority has published guidelines to assist licensees in complying with the relevant competition provisions.

5.2 To what extent can the national competition regulator intervene in the internet sector?  What is the interplay between the competition regulator and the various sectoral regulators?

Under the Competition Ordinance (Cap 619), the Communications Authority is to enforce the Competition Ordinance (Cap 619) in respect of the conduct of undertakings operating in the telecommunications sectors. Specifically, the Communications Authority may perform the functions of the Competition Commission under the Competition Ordinance (Cap 619) insofar as they relate to the Telecommunications Ordinance (Cap 106).

The Communications Authority and the Competition Commission have signed a memorandum of understanding to coordinate the performance of their functions on which they have concurrent jurisdiction. Competition cases will be handled by the two authorities according to the arrangements set out in the memorandum of understanding.

If the matter falls within the scope of concurrent jurisdiction, the initiating authority will inform the other and determine which will be the lead authority. For cases involving the telecommunications sector and falling within the concurrent jurisdiction, the Communications Authority will ordinarily take the role of the lead authority and will assume responsibility for exercising the relevant powers and functions conferred upon it under the Competition Ordinance (Cap 619). The other competent authority will play a supporting role in such a manner as is appropriate or agreed, including by providing staffing support to assist the other side to the extent that resourcing allows.

If, at any point, it is not appropriate for the lead authority to continue considering a matter, the lead authority may refer the matter to the other competent authority.

5.3 How are mergers and acquisitions in the Internet sector treated from a competition perspective?

The Competition Ordinance (Cap 619) prohibits mergers that substantially lessen competition in Hong Kong. This is referred to as the ‘merger rule’. A merger will typically arise from:

  • an amalgamation of undertakings;
  • an acquisition of control; or
  • an acquisition of assets.

The merger rule is not breached if there is likely to be no material reduction in competition.

The merger rule applies only if one or more of the participants in the merger (eg, the acquirer or the entity being acquired):

  • holds a carrier licence;
  • indirectly or directly controls a carrier licence holder; or
  • conducted business immediately before the merger under a carrier licence under the Telecommunications Ordinance (Cap 106).

If the lead authority believes that the merger rule is relevant to a transaction, it will conduct an assessment of the competitive effects of the merger transaction. This will entail an assessment of whether the transaction has, or is likely to have, the effect of substantially lessening competition in an identified market.

The merger rule does not apply to a merger if the economic efficiencies that arise or may arise from the merger transaction outweigh the adverse effects caused by any lessening of competition in Hong Kong.

There is no requirement to notify either the Communications Authority or the Competition Commission of a merger falling within the merger rule. Recommended best practice is for parties to a merger transaction which is likely to fall within the merger rule to notify the competent authority at the earliest opportunity and seek informal advice.

The lead authority may accept a commitment from parties to a merger transaction in respect of conduct that the lead authority considers appropriate to address its concerns about a possible contravention of the merger rule (eg, the 2019 acquisition of WTT Holding Corp by HKBN Ltd), in return for the lead authority’s agreement not to commence an investigation or bring proceedings in the Competition Tribunal, or to terminate any investigation or proceedings that have been commenced.

Before accepting a commitment, the lead authority must:

  • give notice of the proposed commitment to those that are considered likely to be affected by the merger;
  • allow at least a period of 15 days for representations to be submitted; and
  • consider any representations that are made.

Any commitment accepted by the lead authority will be made public by the lead authority.

The parties to a merger transaction can also apply for a formal decision that the transaction is excluded from the scope of the merger rule.

Ultimately, if the lead authority, after carrying out an investigation, has reasonable cause to believe that a merger or an anticipated merger contravenes, or is likely to contravene the merger rule, it may bring proceedings before the Competition Tribunal seeking orders to stop the contravention. This will have the practical effect of stopping or unwinding the merger transaction.

5.4 What other specific challenges or concerns do the internet sector present from a competition perspective?

In general, there are few specific challenges or concerns from a competition perspective in respect of the telecommunications and internet sector. All sectors of Hong Kong’s telecommunications market have been liberalised, with no foreign ownership restrictions on telecommunications operators. The Communication Authority adopts policies to maintain a level playing field in an open and competitive telecommunications market.

Taking each of the key elements of the telecommunications sector in turn, the trends noted in the 2021 Annual Report of the Communications Authority include the following:

  • Mobile communication services: As at March 2022, there were four major mobile network operators, providing a wide range of public mobile services in a market that the Communications Authority has described as keenly competitive.
  • Fixed communication services: The local fixed communications services market has been fully liberalised, with no pre-set limit on the number of licences to be issued for fixed services or deadline for the submission of licence applications. There is no specific requirement on network rollout and investment, and licensees may provide their services according to their proposals. As at March 2021, there were 27 local fixed carriers.
  • Fixed broadband services: As at March 2021, 27 facility-based operators and 237 service-based operators were authorised to provide broadband internet access services in Hong Kong.
  • Internet of Things services: Three wireless Internet of Things licences have been issued since the introduction of that licence in December 2017.
  • Public WiFi services: As at March 2021, eight network operators and 183 class licensees were providing public WiFi services in various locations in Hong Kong.
  • External telecommunications services: The external telecommunications facilities market has been fully liberalised in Hong Kong. As at March 2021, 42 fixed carriers were authorised to provide cable-based or non-cable-based external telecommunications facilities. There were eight cable landing stations in Hong Kong, and Hong Kong was connected to 11 regional and transcontinental submarine cable systems.
  • Satellite services: Hong Kong has adopted an ‘open sk’ policy in regulating the provision of satellite services. Licences are required for the operation of satellites and associated facilities. As at March 2021, two Hong Kong companies were licensed to operate satellites for providing communications services, operating a total of 10 in-orbit satellites.

6. Data security and cybersecurity

6.1 What data security regimes apply in the Internet sector?

The main legislative regime with provisions relating to data security is the Personal Data (Privacy) Ordinance (Cap 486) (PDPO).

Telecommunications providers are likely to be considered data users under the PDPO, and are subject to the obligations and requirements set out in the PDPO. A ‘data user’ means a person that, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data.

The PDPO sets out six data protection principles (DPPs):

  • DPP1: Personal data must be collected in a lawful and fair manner, and the data user must give specified information to a data subject when collecting his or her personal data.
  • DPP2: Personal data must be accurate and up to date, and kept for no longer than necessary.
  • DPP3: Personal data should only be used for the purposes for which it was collected or a directly related purpose. Otherwise, the data user must obtain the ‘prescribed consent’ of the data subject.
  • DPP4: The data user must have measures in place to ensure the confidentiality and security of personal data.
  • DPP5: Data users must provide general information about the kinds of personal data they hold and the main purposes for which personal data is used.
  • DPP6: Data subjects must be given a right to access their personal data and a right to correct it.

DPP4 is the most relevant in respect of data security and requires data users take all practical steps to protect the personal data they hold against unauthorised and accidental access, processing, erasure, loss or use. Data users must have particular regard to:

  • the nature of the data;
  • the potential harm if such events were to happen; and
  • measures to ensure the integrity, prudence and competence of persons with access to the data.

If personal data is entrusted by the data user to a data processor, the data user is liable as the principal for any act done by its authorised data processor. The data user must adopt contractual or other means to prevent:

  • any personal data transferred to the data processor from being kept for longer than necessary for processing the data; and
  • unauthorised or accidental access, processing, erasure, loss or other inappropriate use of the personal data.

The PCPD has published a guidance note for mobile service operators in respect of personal data concerns. The guidance covers recommended best practices in:

  • handling mobile phone service applications;
  • audio-recording customer conversations;
  • maintaining customer service accounts;
  • disclosing customer account data;
  • protecting service account data; and
  • engaging third-party agents and dealers.

Also, telecommunications operators that are licensees are prohibited from disclosing information about a customer, except with the consent of the customer in accordance with a prescribed form designated by the Communications Authority, except:

  • for the prevention or detection of crime;
  • for the apprehension or prosecution of offenders; or
  • as may be authorised by or under any law.

6.2 What cybersecurity regimes apply in the internet sector?

Hong Kong does not have a single overarching cybersecurity law, though this will in the coming months with the coming into law of the Protection of Critical Infrastructure (Computer System) Bill. The communications and broadcasting sectors are designated as essential services under the Bill, and the Communications Authority will be designated authority to monitor ongoing obligations of those sectors with the planned statutory requirements.

Currently, offences relating to cybersecurity are contained in various laws.

Telecommunications Ordinance (Cap 106): The Telecommunications Ordinance (Cap 106) criminalises actions involving:

  • damage to telecommunications infrastructure with intent;
  • unauthorised access to computers by telecommunications; and
  • transmission of false or deceptive distress messages.

Crimes Ordinance (Cap 200): The Crimes Ordinance (Cap 200) criminalises access to a computer with criminal or dishonest intent.

PDPO: The PDPO provides for offences for the disclosure of personal data without consent, among other things.

Unsolicited Electronic Messages Ordinance (Cap 593): This criminalises the initiation of transmissions of multiple commercial electronic messages from telecommunications devices that are accessed without authorisation and with the intent to deceive or mislead recipients as to the source of the messages.

Interception of Communications and Surveillance Ordinance (Cap 589): Subject to limited exceptions, it is unlawful for a public officer to carry out intercepting acts relating to communications. ‘Intercepting acts’ involve the inspection of some or all of the contents of the communication, in the course of its transmission by a postal service or by a telecommunications system, by a person other than its sender or intended recipient. One relevant exemption is that the prohibition does not apply to any interception of telecommunications transmitted by radiocommunications (other than the radiocommunications part of a telecommunications network for the provision of a public telecommunications service by any carrier licensee under the Telecommunications Ordinance (Cap 106)).

Enforcement: There is no single authority responsible for enforcing cybersecurity laws in Hong Kong. Rather, the competent enforcement authority will depend on the nature of the offence in question.

The Hong Kong Police Force is the enforcement authority for crime in Hong Kong. The Cybersecurity and Technology Crime Bureau is responsible for:

  • handling cybersecurity issues;
  • carrying out technology crime investigations and computer forensic examinations; and
  • preventing technology crime.

The PCPD is the competent authority for regulation of personal data matters, and will conduct investigations and issue enforcement notices.

The commissioner on interception of communications and surveillance is responsible for overseeing compliance by law enforcement agencies and their officers with the relevant requirements under the ICSO.

Policy: At a policy level, information security and cybersecurity fall under the remit of the Office of the Government Chief Officer (OGCIO). Its work involves the following:

  • The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) is the centralised contact on computer and network security incident reporting and response for local businesses and internet users in case of security incidents.
  • The Cybersec Infohub is a partnership programme to promote closer collaboration among local information security stakeholders in different sectors to share cybersecurity information and jointly defend against cyberattacks. It is not intended for cybersecurity incident reporting, which is the role of HKCERT.
  • The OGCIO has established an information security website portal to facilitate the public’s access to various information security-related resources and updates.

6.3 What other specific challenges or concerns do the internet sector present from a data security/cybersecurity perspective?

Hong Kong’s accelerated digitalisation has resulted in a greater risk of cyberattack and cybercrime in recent years. This represents significant challenges to both the cybersecurity of critical information infrastructure and personal data protection in Hong Kong. Over the past decade, Hong Kong has seen a significant increase in cybercrime, rising from 2,206 reported cases in 2011 to 16,159 in 2021. The value of those crimes also increased twentyfold from HK$148 million in 2011 to HK$3.02 billion in 2021.

Although cybercrime-related offences are scattered across various laws, there is no legislation that specifically addresses cybercrime or designated authority enforcing cybersecurity law in Hong Kong. At present, the main laws that deal with cybercrime-related offences include the Telecommunications Ordinance (Cap 106) and the Crimes Ordinance (Cap 200). There are plans to review and consolidate cybercrimes in Hong Kong law, and to introduce a legal framework for cybersecurity protection in Hong Kong.

7. Trends and predictions

What are the legislative trends and developments in Hong Kong for the internet sector?

Trends:

  • Ongoing implementation of real-name registration of SIM cards: As from 1 March 2022, all SIM cards issued by telecommunications operators of Hong Kong to be used for local person-to-person communications must have real-name registration before activation. The programme addresses issues arising from the anonymous nature of SIM cards and is intended to assist law enforcement agencies in the detection of crimes involving the use of SIM cards.
  • 5G implementation: The most significant trend in the TMT industry landscape in Hong Kong is the increasing development and use of the 5G spectrum. In total, 1,730 MHz of new spectrum has been supplied to the industry which is equivalent to almost three times of the spectrum previously released for the provision of 2G, 3G and 4G services.

Developments:

  • Cybersecurity: The Protection of Critical Infrastructure (Computer System) Bill will likely be considered and passed by the Legislative Council within 2024. The Commissioner’s Office proposed under the legislation will be established within the Security Bureau within one year from passing of the legislation, and the legislation will come into force six months after.
  • New cybercrime offences: On 20 July 2022, the Cybercrime Sub-committee of the Hong Kong Law Reform Commission published a consultation paper with its recommendations to introduce five new cybercrimes into law in Hong Kong. The proposed new cybercrime offences are:
  • illegally accessing a computer program or data;
    • illegally intercepting computer data;
    • illegally interfering with computer data;
    • illegally interfering with a computer system; and
    • making available or possessing a device or data for committing a crime.

The Law Reform Commission has also recommended that the nature of cybercrime justifies the extra-territorial application of Hong Kong law. Legislative change may follow once the consultation conclusions are considered by the Department of Justice.

  • Copyright amendment proposal for AI technology: Under the existing Copyright Ordinance in Hong Kong, works generated by generative artificial intelligence are likely protected by copyright. Legislative proposals are presently being considered to provide more certainty and to allow for an exception for reasonable use of copyright works analysis and processing for the AI model training.

8. Tips and traps

What are your top tips for new entrants seeking to operate in the internet and ISP sector in Hong Kong?

The new proposed cybersecurity legislation signifies a new chapter in data protection and cybersecurity development in Hong Kong. It is possible that businesses in Hong Kong, including ISPs, will be subject to higher regulatory compliance standards when establishing their information and communication technology security systems. To comply with the relevant regulatory standards, ISPs should watch out for further updates on cybersecurity legislative developments.

Pádraig Walsh and Tara Chan

If you want to know more about the content of this article, please contact:

Pádraig Walsh

Partner | Email

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 14 November 2024.

Padraig Walsh, Data Privacy, Latest News, News & Media, Legal Updates