On 20 July 2022, the Cybercrime Sub-committee of the Law Reform Commission (“Sub-committee”) published a consultation paper on Cyber-Dependent Crimes and Jurisdictional Issues (“Consultation Paper”). The Consultation Paper made preliminary proposals for law reform to address the challenges to protection of individuals’ rights caused by the rapid developments associated with information technology, the computer and internet, and the potential for them to be exploited for carrying out criminal activities. The consultation period ended on 19 October 2022. The conclusions have not yet been released.
What are Cyber-dependent Crimes?
Cyber-dependent crimes are crimes that can be committed only through the use of information and communications technology devices, where such devices are both the tool for committing the crimes and the target of the crimes.
The Consultation Paper identified the following five categories of cyber-dependent crimes recognised globally:-
- illegal access to program or data;
- illegal interception of computer data;
- illegal interference of computer data;
- illegal interference of computer system; and
- making available or possessing a device or data for committing a crime.
The Consultation Paper examined the laws in seven other jurisdictions, being Australia, Canada, England and Wales, Mainland China, New Zealand, Singapore and the United States of America. It was concluded that such jurisdictions have either enacted bespoke cybercrime legislation or devoted a part of their codified law to cybercrime.
Hong Kong’s Approach
Currently, Hong Kong does not have a single Ordinance that deals with cybercrime specifically. The cyber-related offences are scattered in the Crimes Ordinance (Cap. 200) (“CO”) and the Telecommunications Ordinance (Cap. 106) (“TO”), including:-
- Section 161 CO: Gaining unauthorised access to a computer with: (i) intent to commit an offence; (ii) dishonest intent to deceive; (iii) a view to dishonest gain for himself or another; or (iv) a dishonest intent to cause loss to another.
- Section 27A TO: Gaining unauthorised access to a computer by means of telecommunication.
- Section 27 TO: Damaging, removing or interfering with a telecommunications installation with intent to: (i) prevent or obstruct the transmission or delivery of a message; or (ii) intercept or discover the contents of a message (excuding metadata).
- Sections 59 and 60 CO: Destroying or damaging property, or intending to destroy or damage property, without lawful excuse, including misusing any computer program or data held in a computer.
- Section 62 CO: Possessing anything with intent to destroy or damage property.
Main Recommendations of the Sub-committee
The Sub-committee recommended the following in response to each of the abovementioned cyber-dependent offences:-
- Illegal access to program or data – Taking into account the nature of the cyberspace and the implicit authorisation to access program or data that is granted by an online user, mere unauthorised access should be a summary offence subject to a statutory defence of reasonable excuse.
- Illegal interception of computer data – To safeguard the integrity of communications, unauthorised interception, disclosure or use of computer data (including metadata) should be an offence and such provision shall not limit to protecting private communications, but also general communications.
- Illegal interference of computer data – Intentional interference (damaging, deletion, deterioration, alteration or suppression) of computer data without lawful authority or reasonable excuse should be an offence.
- Illegal interference of computer system – Similar to interference of computer data, the new provisions regarding illegal interference of computer system should be phrased in the same way as those for illegal interference of computer data.
- Making available or possessing a device or data for committing a crime – The offence should be applicable to a device or data so long as its primary use (which will be determined objectively) is to commit an offence, whether or not the device or data can be used for any legitimate purpose.
Considering the differing nature and consequences of the five offences, the Sub-committee proposed that the maximum sentence under most of the offences be 14 years. However, for the offences of illegal interference of computer data and illegal interference of a computer system, where the act endangers the lives of others, a sentence of life imprisonment may be imposed.
The rapid development in technology and our growing dependence on technology has led to an increasing number of cyberattacks in recent years, resulting in significant challenges to the cybersecurity of critical information infrastructures.
A new piece of bespoke legislation on cybercrime would better protect the rights of netizens and individuals in the information technology industry. Businesses in Hong Kong may soon need to account for cybercrimes laws when establishing their information and communication technology security frameworks.