It was clear at the release of Hong Kong’s National Security Law that it unapologetically brought Hong Kong more directly under Mainland China’s oversight. It created central government institutions in Hong Kong, took greater control of Hong Kong authorities. The new law directly imported the mainland’s criminal procedure for some crimes ‘endangering national security’ and expanded police powers.
When detailed implementation rules were released a month later, it became clear that these expanded police powers could present a massive challenge for foreign technology companies- and sadly it seems that those challenges are already manifesting. Hong Kong Police have requested that an Israeli web hosting service, Wix.com, remove messages from a website hosted outside of Hong Kong within 72 hours or face serious consequences. Wix initially complied, but later restored the content.
Article 43(4) of the Hong Kong National Security Law had given police the authority to request that those who publish information and related service providers remove offending information or provide other assistance. The implementation rules clarified that refusals to cooperate could result in steep fines and even jail time for the staff of non-complying companies (Section 12(1)). The schedule also made clear the law applied regardless of whether hosting or other web services were provided in Hong Kong or abroad. In addition to deleting content, requested ‘assistance’ has been defined to include identifying users and decrypting messages.
Requests for assistance usually do require a warrant, but the requirements for a magistrate to issue a warrant are minimal. They must only believe there is reasonable grounds to believe that (i) an electronic message has been published that (ii) likely constitutes an offense against national security OR is likely to cause an offence against national security, and (3) the service provider has control over the message so as to identify it, and find that the companies assistance is necessary to investigate or prevent an offense.
Article 38 of the National Security Law grants ‘protective jurisdiction’ applying the law to the actions of non-Hong Kong residents outside of Hong Kong. The actions of Hong Kong permanent residents anywhere are of course also included (article 37), justifying investigation and requests for assistance abroad. This type of jurisdiction is not entirely unique, consider lese majeste laws punishing insults to royalty in Thailand and elsewhere, but that hardly makes it less troubling.
The jurisdiction of the Hong Kong National Security Law over crimes committed abroad goes beyond that of the Mainland Chinese Law. P.R.C. Criminal Law article 8 grants authority over some crimes committed by foreigners overseas, but requires that the offense also be illegal under the local laws where it occurred. Article 6 does also grant jurisdiction over any crime where the ‘consequences’ of the crime occur in China, so offenses involving the incitement of further crimes in China would likely be covered, as with the Hong Kong law.
While Wix was not accused of doing anything illegal but was only requested to cooperate with an investigation, it faces potential consequences for refusal. These penalties are unlikely to be enforced if they have no presence within Hong Kong or mainland China. I note this because the threat of direct punishment here seems qualitatively different than past mainland cases where a company’s own ‘offensive’ speech or conduct was noted, but the primary threat was potential loss of access to the Chinese market through loss of licenses etc., rather than actual prosecution and potential jail time.
The potential penalties for Wix, of 6 months jail time, and $100,000 HKD are no laughing matter. As a point of reference, China’s Cybersecurity Law, penalties for failure to assist or publishing illegal content generally results only in fines, and under Criminal Article 311, refusing to provide evidence on someone one knows has already committed a spy, terrorist, or extremist, the maximum penalty is 3 years imprisonment.
What lies ahead?
The Hong Kong National Security Law places tech companies with a presence in mainland China and Hong Kong in an untenable situation. They risk jail time for their employees for failure to jeopardize their clients. The Wix case is the first I’ve heard of, but suspect it will not be the last given China’s expansive understanding of what speech and actions jeopardize its national security. To avoid this difficult position, companies may have no choice but to avoid have a presence in Hong Kong or China; and maybe that is one goal of the Law.
On the other hand, the risk of arbitrary enforcement, and even detention of employees, is not an entirely new risk to those with a presence in China. Distressingly, this has seemingly been an acceptable cost of doing business to many thus far. Perhaps this will change as mainland law arrives in Hong Kong, or as aggressive requests for ‘assistance’ reach even further.