More news on this day
Travelers passing through Hong Kong now face heightened digital scrutiny after new implementation rules under the city’s national security framework made it a criminal offense to refuse to provide passwords to personal mobile phones and other electronic devices during certain investigations.
Get the latest news straight to your inbox!
Image by U.S. Consulate General Hong Kong & Macau (.gov)
New National Security Rules Expand Police Access to Devices
According to publicly available government documents and recent international press reports, Hong Kong has amended the implementation rules of its 2020 National Security Law so that police may compel people under national security investigation to reveal passwords or other decryption methods for mobile phones, computers, and storage media. These changes were gazetted in late March 2026, tightening an already far‑reaching security regime that has reshaped the city’s legal and political landscape.
The rules apply to individuals suspected of offenses such as secession, subversion, terrorism, and collusion with foreign forces, as defined under the existing national security framework. If a device is believed to contain information relevant to such an investigation, the person designated in the order can be required to unlock it, provide a passcode, or otherwise assist with decryption.
Refusal to comply is now described in media and legal commentary as a standalone criminal offense. Reports indicate that individuals who decline to provide passwords face up to one year in prison and a fine of up to 100,000 Hong Kong dollars. Providing false or misleading information about passwords or decryption keys can attract even heavier penalties, with potential imprisonment of up to three years and a substantially higher fine.
Officials have publicly argued that the new measures are a necessary tool to address modern communications technology and encrypted messaging, which they say complicate national security investigations. Human rights groups and digital privacy advocates, however, contend that the changes significantly raise the risks associated with electronic searches and self‑incrimination.
Scope of the Powers and “Specified Persons”
The latest rules, as described in official summaries and legal analyses, allow officers handling national security cases to apply for court orders requiring a “specified person” to assist with access to digital evidence. A “specified person” can include the device owner, a user of the device, or any individual reasonably believed to know the password or decryption method for the relevant equipment or data.
In most situations, police are expected to obtain a warrant from a magistrate or judge before they can demand passwords or decryption assistance. Public explanations by senior justice officials have emphasized that officers are not empowered to demand codes from random people on the street and that there must be a clear link to an active national security investigation.
However, reports of legislative debates and expert commentary highlight that there are narrowly defined “exceptional circumstances” where officers may act without a warrant if a suspected offense is considered both imminent and obvious, and there is no time to seek judicial authorization. In such cases, individuals can still be compelled to disclose passwords, although the precise threshold for what constitutes an emergency remains subject to interpretation.
The powers extend beyond smartphones to cover laptops, tablets, external drives, and cloud‑linked data if access is reasonably obtainable via the device. Legal observers note that this broad definition reflects an intent to capture the full range of modern digital storage used for communication, organization, or documentation.
Penalties, Legal Standards, and Human Rights Concerns
Under the amended regime, the failure to comply with a password disclosure order is treated as a criminal matter separate from any underlying national security allegation. Penalties reported in publicly available summaries include up to one year of imprisonment and a substantial fine for non‑compliance, with harsher sanctions for intentionally misleading investigators about passwords or decryption keys.
Human rights organizations argue that this structure exerts strong pressure on suspects and associates to assist law enforcement, even where doing so may reveal information unrelated to any offense. They contend that the combination of broad national security definitions, compelled decryption, and the potential use of recovered material in subsequent prosecutions risks undermining protections against self‑incrimination.
Hong Kong authorities, in contrast, maintain in official statements that the National Security Law and the Safeguarding National Security Ordinance are consistent with international human rights standards. They emphasize that the laws require national security to be balanced with rights such as privacy and freedom of expression, and that investigative powers are subject to oversight through the courts.
Legal commentators also point out that compelled access to digital devices is not unique to Hong Kong. Various jurisdictions allow investigators to require passwords or biometric access under certain conditions. Critics counter that Hong Kong’s framework stands out because the underlying national security legislation is drafted in broad terms and has already been associated with a sharp contraction of political dissent and media freedom.
Implications for Travelers and Business Visitors
For international travelers, the criminalization of password refusal introduces a new layer of risk when entering or transiting through Hong Kong. While the rules are framed around national security investigations rather than routine immigration checks, visitors could become subject to them if they are linked, even tangentially, to an inquiry or communication deemed sensitive under the law.
Business visitors who routinely carry corporate devices or confidential client data may face particularly complex dilemmas. Compliance with a password request could expose trade secrets, legal advice, or personal information about colleagues and customers. Failure to comply, on the other hand, could itself become a criminal offense if the request is tied to a formal national security investigation.
Travel security experts cited in international media coverage recommend that organizations review their data handling policies for staff who travel to Hong Kong. Common strategies include minimizing the amount of sensitive information stored on devices, using travel‑only hardware with limited access to corporate systems, and ensuring that critical data is held in secure locations outside the device, accessible only through tightly controlled channels.
Individual travelers are being advised, in various public guidance notes, to consider what is stored on their phones and laptops before arrival and to understand that refusing to share passwords in a national security context may carry legal consequences that did not exist a few years ago.
Broader Impact on Hong Kong’s Global Image
The new password disclosure offense emerges against a backdrop of wider concern about Hong Kong’s evolving legal environment. Since the introduction of the Beijing‑imposed National Security Law in 2020 and the local Safeguarding National Security Ordinance implementing Article 23 of the Basic Law in 2024, the city has undergone sweeping changes in how political activity, protest, and expression are regulated.
International media outlets and advocacy groups interpret the latest rules as another sign that Hong Kong is aligning more closely with mainland Chinese approaches to digital control and surveillance. They argue that the ability to compel passwords in national security cases, coupled with severe penalties for non‑compliance, could chill online speech and discourage open communication even on platforms that use strong encryption.
Business chambers and professional associations have adopted a more cautious tone, emphasizing the need for legal certainty and data protection guarantees. While some groups note that stable security laws can provide predictability, others warn that perceptions of intrusive powers over digital devices may make Hong Kong a less attractive hub for regional headquarters, data‑heavy industries, or civil society organizations.
For travelers and expatriates considering Hong Kong, the practical effect of the new rules may vary widely depending on their activities and risk profile. Yet the development underscores a clear trend in the city’s governance: digital privacy and encryption are increasingly viewed through a security‑first lens, and declining to unlock a phone for investigators can now, in specific circumstances, be treated as a crime in itself.