Answer ... Although Hong Kong has no standalone cybersecurity legislation, cybercrimes are addressed in different laws, including the PDPO (in respect of personal data). For reasons of convenience, the Department of Justice has expanded the scope and application of existing laws to prosecute cybercrimes. The provisions are scattered among different statutes and apply to common computer-related and internet-related criminal acts. Examples include the following.
Unauthorised access to computer by telecommunications: Section 27A of the Telecommunications Ordinance (Chapter 106 of the Laws of Hong Kong) prohibits anyone from deliberately using telecommunications to cause a computer to perform any function or to obtain authorised access to any program or data held on a computer. This provision is usually used to prosecute hacking where telecommunications are used.
Access to computer with criminal or dishonest intent: Section 161 of the Crimes Ordinance (Chapter 200 of the Laws of Hong Kong) prohibits anyone from obtaining access to a computer:
- with the intent to commit an offence;
- with a dishonest intent to deceive;
- with a view to making a dishonest gain, either directly or for another; or
- with a dishonest intent to cause loss to another, whether at the time of obtaining such access or in the future.
The term ‘computer’ is not defined in the Crimes Ordinance. Case law suggests that the term covers smartphones as devices for electronic data storage, processing and retrieval. Alternatively, a ‘computer’ is defined under Section 22A of the Evidence Ordinance as “any device for storing, processing or retrieving information, and any reference to information being derived from other information is a reference to its being derived therefrom by calculation, comparison or any other process”; this may be used as a reference. Since its introduction in the early 1990s, Section 161 has been used as a ‘catch-all’ computer offence, and has often been relied on by prosecutors both for offenders who hacked into computers (whether through a telecommunications system, the Internet or otherwise) and for those who took indecent ‘upskirt’ photos or videos with their smartphones.
However, in April 2019 the Hong Kong Court of Final Appeal ruled that Section 161 should not apply to the use of the offender’s own computer or electronic device, unless that use involves accessing a third party’s device.
Criminal damage: Section 60 of the Crimes Ordinance stipulates that anyone who, without justification, intentionally or recklessly destroys or damages the property of others will be guilty of an offence. The term ‘property’ includes any program or data held on a computer or on a computer storage medium, regardless of whether it is property of a tangible nature. The phrase ‘destroy or damage any property’ covers any misuse of a computer, such as:
- tampering with a computer;
- altering or erasing a program or data; and
- adding a program or data to the content of a computer or to a computer storage medium.
Burglary: Section 11 of the Theft Ordinance (Chapter 210 of the Laws of Hong Kong concerns the offence of burglary and applies to cybercrimes only where an element of misuse of a computer is found. A person will be found guilty of burglary if he or she:
- enters a building or part of a building as a trespasser with intent; or
- having entered a building, steals from the building, inflicts grievous bodily harm on or rapes any person in the building, or does unlawful damage to the building or anything therein.
The term ‘does unlawful damage’ to anything in the building includes:
- unlawfully causing a computer in the building to function other than as it has been established; or
- unlawfully altering or erasing a program from, or unlawfully adding a program to, a computer or storage medium in the building.
Fraud: Section 16A of the Theft Ordinance sets out the elements of the offence of committing fraud. In particular, where a person who, by deceit and with intent to defraud, induces a person to commit an act (or not commit an act) which results in a benefit for anyone else or in prejudice or a substantial risk of prejudice to another person, this will amount to fraud. Theoretically, someone who uses internet services or software to defraud victims or take advantage of them may be charged with this offence.
Theft: Section 2 of the Theft Ordinance states that a person commits theft if he or she dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and Section 9 makes theft a criminal offence. As the definition of ‘property’ includes money and real, personal and intangible property, a person may be found guilty of this offence by stealing intangible property such as digital data or electronic files which belong to others.
Blackmail: Section 23 of the Theft Ordinance stipulates that a person commits blackmail if, with a view to gaining directly or for another (or with intent to cause loss to another), he or she makes any unwarranted demand with menaces. Accordingly, this offence includes the use of ransomware. However, prosecution will be difficult, given that more often than not, the wrongdoer will conceal his or her identity by hiding his or her IP address.
Disclosure of personal data without consent: In relation to personal data, Section 64 of the PDPO makes it an offence to disclose a data subject’s personal data without consent with the intent to make a gain or to cause loss to the data subject, or to cause psychological harm to the data subject.
Failure to take all practical steps to erase personal data: Section 26 of the PDPO criminalises a data user’s failure to take all practical steps to erase personal data held where that data is no longer required for the purpose for which it was used.
Publication of obscene articles online: Apart from the typical cybercrimes listed above, it is also an offence to publish obscene articles to the public or a section of thereof over the Internet, under Section 21 of the Control of Obscene and Indecent Articles Ordinance (Chapter 390 of the Laws of Hong Kong).