Data centres in Hong Kong should be alert for the legislation of the new Hong Kong security law. The law is likely to directly affect data centres involved in national security activities, and may indirectly shape the data industry’s self-regulation to voluntarily comply with mainland Chinese law.

Hong Kong is one of the important global locations for data centres, including cloud and content providers, due to its stable electricity supply, relatively low risk for natural disasters, and the proximity to Mainland China. According to the Hong Kong Data Centre Market Report 2019, “Hong Kong has shifted from seeing growth in the financial services, securities, and insurance verticals to growth driven by large-scale cloud and content providers. While data centre construction was initially led by financial service and IT companies, it is now the large global multimedia companies that will drive data centre construction over the next five years.”

On 28 May 2020, the 13^th Chinese National People’s Congress (NPC) voted overwhelmingly to approve the decision to legislate a Hong Kong national security law. The decision has spurred significant international disturbance and debates.

NPC decision to enact a Hong Kong security law

The NPC decision itself is not a Hong Kong security law. The provisions of the ultimate Hong Kong security law are vitally important to assess its impacts on data centres in Hong Kong. Based on the limited information revealed in the NPC decision, three comments may be made:

First, the forthcoming Hong Kong security law aims to combat activities that split the country, subvert state power, organise terrorist activities, and any other actions that seriously endanger national security.  Article 6 of the decision also targets the activities of overseas and foreign forces interfering in Hong Kong affairs (hereafter “national security activities”). Therefore, data centres that are not involved in national security activities are likely to remain intact.

Second, some data centres located in Hong Kong store or process personal, financial, or other data related to individuals or entities conducting or supporting national security activities. Subject to defences under other Hong Kong laws, these data centres may have to provide such data to facilitate Hong Kong law enforcement officers or Hong Kong courts to investigate or prosecute national security activities crimes against the individuals or entities who allegedly commit such crimes. The investigation and defences are subject to Hong Kong law and will be heard in courts in Hong Kong instead of Mainland China.

Third, there are data centres located in Hong Kong and not operated by Mainland Chinese companies such as Google. Mainland law enforcement officers and courts are unlikely to have the extra-territorial jurisdiction to directly order them to surrender data related to Hong Kong national security activities. This is because neither Chinese National Security Law nor Chinese Cybersecurity Law applies to data centres located in Hong Kong.

Chinese National Security Law can be applied extra-territorially. However, Article 23 of the law provides that “[i]f an overseas organization or individual commits or instructs or sponsors another person to commit an act that jeopardises the national security of the People ’s Republic of China and constitutes a crime, the overseas organisation or individual is subject to criminal liability.” However, the sole activity of storing or processing data related to Hong Kong national security activities is unlikely to be considered as committing, instructing, or sponsoring an act that jeopardises the national security of China, so data centres located in Hong Kong do not commit a crime. China’s Cybersecurity Law is generally not to be applied extra-territorially because Article 2 provides that the law applies to the construction, operation, maintenance, and use of networks, as well as the supervision and management of cybersecurity within the territorial of People’s Republic of China. Article 75 of China’s Cybersecurity Law allows extra-territorial application, but is limited to cyberattacks on the key information infrastructure of China.

Article 18.3 of the Hong Kong Basic Law

Article 18.3 of the Hong Kong Basic Law provides that “[t]he Standing Committee of the National People’s Congress may add to or delete from the list of laws in Annex III after consulting its Committee for the Basic Law of the Hong Kong Special Administrative Region and the government of the Region. Laws listed in Annex III to this Law shall be confined to those relating to defence and foreign affairs as well as other matters outside the limits of the autonomy of the Region as specified by this Law.” (emphasis added)

For data centres in Hong Kong, the concern is whether the China’s cybersecurity and censorship laws would be applicable to Hong Kong. At the current stage, these laws have not been added to Annex III of the Basic Law, so they are not applicable to data centres in Hong Kong. We should pay close attention to whether the forthcoming Hong Kong security law may become a bridge to apply China’s cybersecurity and censorship laws in Hong Kong.

The example of Macao

In January 2009, the Macao security law was enacted. This law has never been invoked since its enactment. Although Hong Kong and Macao are different, both of them are special administrative regions of China, so the implementation and impacts of Macao’s security law may provide insightful references for Hong Kong.

The first impact is on the industry self-regulation. Internet content providers in Macao have been voluntarily complying with the Macao security law due to its deterrence effect. Similarly, the forthcoming Hong Kong security law may also foster internet content providers’ self-regulation to comply with the law.

Second, after the Macao security law was legislated, the Macao government gradually enacted several other laws to implement it and to strengthen institutional control of the Macao judicial system, such as precluding foreign judges from hearing national security cases and enhancing the protection of a national security police force. This also likely to happen in Hong Kong. The implications for data centres in Hong Kong will depend on whether the future Hong Kong judges have sympathy for data centres that invoke privacy as an argument for refusing to release the personal data of anti-Mainland activists in national security cases.

Practical implications

In conclusion, the forthcoming Hong Kong security law is unlikely to have any direct impacts on data centres that are not involved in national security activities. However, the law may indirectly shape the industry’s self-regulation to voluntarily comply with Mainland Chinese law due to its deterrence effects. It will also potentially influence the Hong Kong judicial system in issues such as how judges may balance individual privacy and national security. However, the devil will be in the details of the Hong Kong security law. It is prudent to closely watch its legislation process.

Dr Jie (Jeanne) Huang is an associate professor of the University of Sydney Law School in Australia. Jeanne specialises in conflict of laws and legal issues in digital trade/e-commerce.

This article is published under a Creative Commons Licence and may be republished with attribution.