Hong Kong is overhauling its fragmented cybercrime regime. In response to an increasingly complex threat landscape, driven by AI‑enabled attacks, growing reliance on digital infrastructure, and the cross‑border nature of cyber activity, the Law Reform Commission of Hong Kong (LRC) has recently published its report on Cyber‑Dependent Crimes and Jurisdictional Issues (the “Report”).
The Report makes 16 recommendations for a bespoke legislative framework. Drawing in part on the UK Computer Misuse Act 1990 (the “CMA1990”) and comparable common law regimes, the proposals centre on five core offences targeting unauthorised access, interception, and interference with computer data or systems.
The five proposed offences
- Illegal access to program or data
- This offence targets any person who, without lawful authority, intentionally secures or enables unauthorised access to a program or data, knowing that the access is unauthorised. It covers both a basic form (mere unauthorised access) and an aggravated form (where access is carried out with intent to commit a further offence).
- The offence is modelled on sections 1, 2 and 17 of the CMA1990, subject to certain adaptations including the proposed introduction of statutory defences (discussed below).
- Illegal interception of computer data
- The unauthorised interception of computer data (including metadata) for a dishonest or criminal purpose, is another new offence. It covers all types of communications and conduct analogous to illegal phone tapping.
- The LRC also originally criminalised the unauthorised disclosure or use of intercepted data, but concerns about its wide scope and potential overlap with existing doxxing offences under HK’s data privacy legislation led to that limb being deferred. It is expected that a revised formulation will be proposed at a later stage, given that the absence of such an offence could undermine the regime’s overall effectiveness.
- Illegal interference with computer data
- This targets those who intentionally or recklessly damage, delete, alter or suppress computer data without lawful authority. It also includes an aggravated tier attracting a maximum sentence of life imprisonment, where the defendant intends to endanger life or is reckless as to that risk.
- The approach is broadly similar to sections 3 and/or 3ZA of the CMA1990, subject to certain differences (for example around sentencing length).
- Illegal interference with a computer system
- The LRC recommends a separate offence targeting intentional or reckless interference with a computer system without authorisation, where the interference may impair access to or proper use of the system. The offence could also capture conduct such as introducing software with malicious code during manufacture.
- The LRC recommends a separate offence targeting intentional or reckless interference with a computer system without authorisation, where the interference may impair access to or proper use of the system. The offence could also capture conduct such as introducing software with malicious code during manufacture.
- Making available or possessing a device, program or data for committing a cyber-related crime
- This offence targets those who knowingly make available, or possess for the purpose of making available, devices, programs or data (such as ransomware or viruses) whose primary purpose is to commit one of the four cyber‑dependent offences above. Making available such items with intent that they be used to commit a cyber‑related crime constitutes an aggravated offence.
- The approach is broadly similar to section 3A of the CMA1990, but with a potentially wider scope of prohibited items (i.e. “device, program or data”) and a two‑tier offence structure
Proposed defences
In addition to the offences, a number of defences may be deployed:
- “Reasonable excuse” defence: A general statutory defence of “reasonable excuse” applies across most proposed offences (except illegal interception). The defence is deliberately left undefined to preserve flexibility; notably, the LRC does not propose to prescribe specific categories of qualifying conduct, taking the view that doing so may unduly narrow its scope
- Cybersecurity defence: A specific defence for cybersecurity activities is also proposed to accommodate legitimate work by cybersecurity professionals (e.g. white‑hat hackers), subject to conditions including appropriate accreditation, a genuine cybersecurity purpose, and conduct that is reasonable in the circumstances.
- Other statutory defences: The Report also recommends limited additional defences for specific offences, including for research and educational purposes, protection of children or vulnerable persons, and certain consent and property protection defences. For intermediary actors, tailored protections (such as service provider defences) are proposed, while the LRC refrains from introducing broad carve‑outs for particular sectors.
Comment
The LRC Report represents an important step in bringing Hong Kong’s criminal law into the digital age, addressing gaps in the enforcement framework for modern cybercrime. It should be noted that further studies on cyber‑enabled crimes (such as online dissemination of child pornography and the setting up of phishing websites) and procedural issues are expected to be carried out by the LRC, although no timeline has yet been specified. These further phases may, in due course, enhance and complete the proposed legislative framework. Businesses with operations in Hong Kong should continue to monitor these developments
Many thanks to Electa Yeung for her assistance with this post.
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-06-25-15-28-39-656-6a3d49271b5212dcba9047d5.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-06-24-08-08-15-748-6a3b906f9b1c050b1e34b2cb.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-06-19-08-43-24-403-6a35012c73211f29ec55ff1e.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2026-06-17-09-20-04-638-6a3266c4c1395307a646fd94.jpg)