Case Explained: Legal reform body suggests new cybercrime law with maximum life penalty for data and system interference – Legal Perspective

Hong Kong’s law reform body has suggested introducing new cybercrime legislation to target five types of offences, including illegal interference with computer systems and data, which it said should warrant a maximum sentence of life imprisonment in life-threatening cases.

Hong Kong should have a bespoke legislation on cybercrimes, as some existing computer-related offences – covered in the Crimes Ordinance and the Telecommunications Ordinance – are outdated, the Law Reform Commission of Hong Kong said in a report released on Friday.

The offences suggested by the commission’s panel, chaired by Senior Counsel Derek Chan, were illegal access to programs or data, illegal interception of computer data, illegal interference with computer data, and illegal interference with computer systems.

He also suggested criminalising making available a device, program, or data for committing a cyber-related crime.

These offences should be punishable by up to 14 years of imprisonment, with an exception for aggravated forms of interference, the commission said. The proposed maximum sentence for crimes involving interference that poses a danger to life, such as tampering with a railway signalling system, is life in prison.

The law should have extra-territorial effect, in line with international norms, the commission said.

“Hong Kong courts should have jurisdiction in a case where connections with Hong Kong exist. This includes cases where the perpetrator’s act has caused or may cause serious damage to Hong Kong, or where the victim was physically present in Hong Kong at the time when the offence was committed,” the report read.

An intent to carry out further criminal activity should be treated as an aggravating factor in the offence of unauthorised access to programs or data, the commission said. It suggested specific defences that would permit unauthorised access, such as for protecting the interests of vulnerable persons or demonstrating “genuine educational, scientific, and research” purposes.

Similar defences are allowed for the offences of illegal interference with computer data and systems, as well as the provision of tools, software, or data used to carry out cybercrimes.

Criminalising the unauthorised interception of computer data would protect private and public communications, the commission said. It deemed it unnecessary to provide any specific defence or exemption for professions or legitimate businesses to use computer data in their regular operations, saying that a high evidentiary threshold would be required to prove dishonest and criminal purpose.

The reform body reviewed similar legislation overseas, including in Australia, Canada, mainland China, England and Wales, and the US. These jurisdictions either enacted bespoke laws for the five offences and their related jurisdictional issues or dedicated specific parts of their codified law to cybercrime, the report read.

Friday’s report took into account responses received during a public consultation launched in July 2022. The consultation invited suggestions on whether there should be exemptions from criminal liability, lawful excuses, or specific defences for certain purposes or professions.

When asked whether public interest could be a reasonable excuse for illegally accessing a computer, Chan said at the time that the commission did not make specific recommendations.