On 20 July 2022, the Cybercrime Sub-committee of the Law Reform Commission (the “Sub-committee”) published a consultation paper on cyber-dependent crimes and jurisdictional issues (the “Consultation Paper”). The Consultation Paper focused on cyber-dependent crimes, making preliminary proposals for law reform to address the challenges to protection of individuals’ rights caused by the rapid developments associated with information technology and the potential for information technology to be exploited for carrying out criminal activities. The consultation period will end on 19 October 2022.
The Consultation Paper identified the following cyber-dependent offences as the core species of cybercrime recognised globally:
1. illegal access to program or data;
2. illegal interception of computer data;
3. illegal interference of computer data;
4. illegal interference of computer system; and
5. making available or possessing a device or data for committing a crime.
Currently, Hong Kong does not have a specific ordinance that is designated for cybercrime solely. The cyber-related offences are scattered in the Crimes Ordinance (Cap. 200) (“CO”) and the Telecommunications Ordinance (Cap. 106) (“TO”). Some of the offences are outdated.
The Consultation Paper examined the laws of other jurisdictions, including but not limited to Australia, Canada, England and Wales and the United States of America and concluded that such jurisdictions have either enacted bespoke cybercrime legislation or dedicated a part of their codified law to cybercrime. As such, the Sub-committee proposed that a new legislation focusing on cybercrime in Hong Kong should be enacted.
Recommendations of the Sub-committee
In view of the above, the Sub-committee has made the following recommendations in response to each of the abovementioned cyber-dependent offences.
Illegal access to program or data
Section 161 of the CO provides that it is an offence to obtain access to a computer with criminal or dishonest intent. It is held in Secretary for Justice v Cheng Ka Yee (鄭嘉儀)  HKCFA 9 that it is not applicable to (i) the use of one’s own computer to set up a phishing website; and (ii) upskirting using one’s own smartphone. On the other hand, section 27A of the TO has a narrower application that the unauthorised access to a computer must be obtained by the use of another telecommunications device (i.e. another computer).
Taking into account the nature of the virtual space, the authorisation to access program or data is implicitly granted by an online user, the Sub-committee proposed: (i) to make mere unauthorised access a summary offence subject to a statutory defence of reasonable excuse; and (ii) it shall constitute an aggravated offence if such unauthorised access is with intent to carry out further criminal activity.
Illegal interception of computer data
Pursuant to section 27(b) of the TO, any person is guilty of an offence if he/she damages, removes or interferes with a telecommunication installation with intent to intercept or discover the contents of a message. Since the TO came into force in 1960s, the relevant expressions were initially referred to telephones and yet with the advancement in technology, a computer can now amount to a telecommunication installation as well. However, the TO does not apply to cyberspace, nor metadata.
In order to better safeguard the integrity of communications, the Sub-committee recommended that unauthorised interception, disclosure or use of computer data (including metadata) should be an offence and such provision shall not limit to protecting private communications, but also general communications.
Illegal interference of computer data
Interference of computer data (eg Hacking) is treated as a form of criminal damage under sections 60(1) and (2) of the CO and it is considered by the Sub-committee to be satisfactory. However, it is also suggested that intentional interference (damaging, deletion, deterioration, alteration or suppression) of computer data without lawful authority or reasonable excuse should be an offence.
Illegal interference of computer system
Similar to interference of computer data, interference of computer system (e.g. DDoS – Distributed Denial of Service) is also treated as a form of criminal damage under the CO. The Sub-committee recommended that the new provisions regarding illegal interference of computer system be phrased in the same way as those for illegal interference of computer data.
Making available or possessing a device or data for committing a crime
Under section 62 of the CO, it prohibits the custody or control of anything intended for use in destroying or damaging property. However, the current provision does not differentiate between things that can be used for both legitimate and illegitimate purposes and things with only illegitimate uses. In addition, in deciding whether a person with custody or control of a thing in question is liable depends largely on the person’s intent. The subjective nature of a person’s mental state may give rise to evidentiary issues in enforcement.
As such, the Sub-committee proposes that the offence shall be applicable to a device or data so long as its primary use (which will be determined objectively) is to commit an offence.
Considering the nature and consequences of the five offences are different, the Sub-committee proposes that each of the five offences shall have two maximum sentences, one to summary conviction and the other one to the convictions on indictment. It is proposed that offences should have a maximum sentence of 2 years’ imprisonment on summary conviction and 14 years’ imprisonment for convictions on indictment.
In view of the increasing number of cybercrimes in Hong Kong, it is contemplated that a new piece of bespoke legislation on cybercrime would provide more tools to the law enforcement agencies to prosecute against criminal activities in the cyberspace and provide better protection towards the right of netizens and persons in the information technology industry.