Hong Kong’s Law Reform Commission (LRC) has released a key report recommending new standalone legislation to tackle cyber-dependent crimes, where computers act as both tools and targets. This initiative addresses gaps in existing laws like the Crimes Ordinance and Telecommunications Ordinance, which are deemed outdated for modern threats.
Final Call: FCRF Opens Last Registration Window for GRC and DPO Certifications
Overview of Cyber-Dependent Crimes
The proposed law targets five core offenses: unauthorised access to programs or data, illegal interception of computer data, unauthorised interference with computer data, interference with computer systems, and possessing or providing devices for such crimes. These build on a 2022 LRC consultation paper, with the recent report marking the first phase of reforms chaired by senior counsel Derek Chan.
Penalties vary by severity: summary convictions carry up to two years’ imprisonment, while indictable offenses reach 14 years, with aggravated cases potentially facing life imprisonment. The framework includes a statutory defense of “reasonable excuse” and extraterritorial jurisdiction if acts harm Hong Kong.
Current Legal Gaps and International Benchmarks
Existing provisions, such as section 161 of the Crimes Ordinance (access with dishonest intent) and section 27A of the Telecommunications Ordinance, fall short against evolving cyber threats. Secretary for Justice Paul Lam noted their obsolescence, prompting review of laws from Australia, Canada, England, Singapore, and others, most of which have dedicated cybercrime statutes.
This push aligns with broader efforts, including a separate cybersecurity ordinance effective January 2026 for critical infrastructure, imposing fines up to HK$5 million on non-compliant operators.
Implications and Next Steps
The reforms aim to enhance prosecution of cyber fraud, data breaches, and system sabotage amid rising incidents—Hong Kong saw 24,644 fraud cases in early 2025, 70% online. Implementation would strengthen enforcement via platforms like INTERPOL coordination and local tripartite collaboration.
Stakeholders await government response; full rollout could mirror phased cybersecurity measures by 2026. Businesses and netizens stand to gain robust protections, though concerns linger over extraterritorial reach and compliance burdens.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
