Biased Bloomberg report rejected
The Hong Kong Special Administrative Region Government today said it opposed Bloomberg’s biased report on the submissions made by some organisations on the proposed legislative framework to enhance protection of computer systems of critical infrastructures, taking the views of the submissions out of context.
In a statement published tonight, the Hong Kong SAR Government noted that in the one-month consultation that ended on August 1, it received 53 submissions, in which 52 supported the legislation and made constructive suggestions.
The supportive submissions came from organisations such as the Asia Internet Coalition, the American Chamber of Commerce in Hong Kong, and the Hong Kong General Chamber of Commerce.
The statement pointed out that the proposed legislative framework only concerns protecting the Critical Computer Systems (CCSs) of the Critical Infrastructure Operators (CIOs), which in no way involves the personal data and business information.
The Hong Kong SAR Government stressed that relevant legislation already exists in other jurisdictions, such as the Mainland, Macau SAR, the US, the UK, Australia, the European Union and Singapore.
It indicated that information technology (IT) is one of the sectors to be regulated under the proposed framework, revealing that IT or IT related sectors are also regarded as critical infrastructures in the relevant legislation in other jurisdictions, such as the US, Australia and Singapore.
Only individual organisations, instead of the entire IT sector, having regard to four factors, will be designated as CIOs to be regulated under the new regime, the Hong Kong SAR Government added.
These factors are: implications on essential services and important societal and economic activities in Hong Kong if there was damage, loss of functionality, or data leakage; level of dependence on information technology; importance of the data controlled; and degree of control on the critical infrastructure.
The Hong Kong SAR Government said that the proposed legislation does not have extraterritorial effect. The Commissioner’s Office will only request information accessible to CIOs and will allow reasonable time for preparation.
Furthermore, it stated that CIOs have the responsibility of properly responding to cyberattacks. Only when a CIO is unwilling or unable to respond to an incident on its own would the Commissioner’s Office consider applying to a Magistrate for a warrant to connect to the CCSs or install programmes in the CCSs.
Such applications are made in view of necessity, appropriateness, proportionality and public interest. Relevant regulators in other jurisdictions, such as Australia and Singapore, also have similar powers.
The Hong Kong SAR Government emphasised that it has been engaging, and will continue to engage all industry stakeholders in formulating the legislative regime and the related Codes of Practice.