Hong Kong Police Can Now Demand Phone Passwords by Law

My notes

Summary

As of 23 March 2026, Hong Kong’s amended National Security Law allows police to demand phone passwords, encryption keys, and biometric unlock without a warrant. Refusal carries up to 1 year in jail and HK$100,000 fine; providing fake credentials means up to 3 years. This fundamentally changes the risk calculus for anyone transiting Hong Kong with encrypted devices or sensitive business data.

Key Insight

• The obligation extends beyond device owners to anyone who knows access details - spouses, business partners, IT admins. Enterprise encryption keys are explicitly covered.
• VPN and encrypted messaging (Signal, etc.) usage itself becomes a liability if authorities classify your communications as a national security concern. The four trigger categories (secession, subversion, terrorism, foreign collusion) are deliberately broad.
• Chief Executive John Lee implemented these changes unilaterally via gazette, bypassing the Legislative Council entirely. No judicial authorization is required for enforcement.
• Since the 2020 NSL enactment, 386 people have been arrested with 176 convictions, showing active enforcement rather than just a deterrent on paper.
• The practical impact: device encryption is only as strong as the legal framework around it. Hardware security becomes irrelevant when unlocking is compelled under criminal penalty.
• Business travelers carrying client data, trade secrets, or privileged communications through Hong Kong now face a direct conflict between data protection obligations (GDPR, contractual NDAs) and local law.