Hong Kong Police Can Now Demand Phone Passwords Under New Security Rules

Source 1 min read
encryptionprivacyhong-kongnational-security-lawtravel-securitydevice-securityvpnlegal-risk

Summary

As of 23 March 2026, Hong Kong’s amended National Security Law allows police to demand phone passwords, encryption keys, and biometric unlock without a warrant. Refusal carries up to 1 year in jail and HK$100,000 fine; providing fake credentials means up to 3 years. This fundamentally changes the risk calculus for anyone transiting Hong Kong with encrypted devices or sensitive business data.

Key Insight

  • The obligation extends beyond device owners to anyone who knows access details - spouses, business partners, IT admins. Enterprise encryption keys are explicitly covered.
  • VPN and encrypted messaging (Signal, etc.) usage itself becomes a liability if authorities classify your communications as a national security concern. The four trigger categories (secession, subversion, terrorism, foreign collusion) are deliberately broad.
  • Chief Executive John Lee implemented these changes unilaterally via gazette, bypassing the Legislative Council entirely. No judicial authorization is required for enforcement.
  • Since the 2020 NSL enactment, 386 people have been arrested with 176 convictions, showing active enforcement rather than just a deterrent on paper.
  • The practical impact: device encryption is only as strong as the legal framework around it. Hardware security becomes irrelevant when unlocking is compelled under criminal penalty.
  • Business travelers carrying client data, trade secrets, or privileged communications through Hong Kong now face a direct conflict between data protection obligations (GDPR, contractual NDAs) and local law.