Hong Kong has introduced new national security rules that make it a criminal offence to refuse to hand over passwords for phones, laptops and other devices during national security investigations, a move that is prompting fresh concern among travellers transiting the city’s busy international airport.
Get the latest news straight to your inbox!
New Amendments Expand Police Powers Over Digital Devices
According to publicly available legal documents and media coverage, Hong Kong authorities recently amended implementation rules for the 2020 National Security Law to require people under national security investigation to provide “reasonable assistance” to law enforcement, including disclosing passwords to encrypted phones, computers and online accounts. Refusal can itself be treated as an offence, exposing individuals to prosecution even if no separate national security charge is ultimately laid.
The change builds on a security framework that has expanded steadily since the Beijing-imposed National Security Law came into effect in June 2020 and the Safeguarding National Security Ordinance, commonly known as Article 23 legislation, was enacted in March 2024. The latest rules are framed as technical and procedural, but digital rights advocates argue they significantly deepen the reach of the security regime into the private data of residents, visitors and those merely passing through the city.
Legal analyses note that similar “technical assistance” requirements exist in a number of jurisdictions, but the broad language of Hong Kong’s security legislation and its history of expansive enforcement have intensified concerns over how far password demands could extend in practice.
Airport Screening: What Travellers Could Face
Hong Kong International Airport remains one of Asia’s major hubs for long-haul and regional connections, which means the new password rules are drawing particular attention from business travellers, journalists, academics and tourists who rely on the city as a transit point. Publicly available guidance on the National Security Law and Article 23 indicates that the rules apply across Hong Kong territory, including ports of entry such as the airport and seaports.
Reports indicate that, in a national security investigation, police can now seek passwords when they have grounds to believe an electronic device contains evidence related to suspected offences such as secession, subversion, collusion with foreign forces or external interference. In theory, this could include devices inspected during secondary screening at the airport if an individual is flagged in connection with a security-related inquiry or existing warrant.
Travel advisers note that routine border checks for immigration and customs purposes are distinct from formal national security investigations. However, the existence of overlapping legal powers, including those granted by the National Security Law and Article 23 ordinance, leaves scope for screening at the airport to escalate rapidly if an inspection is reframed as a security matter. This blurring of lines is central to many of the questions now being raised by frequent travellers and multinational companies.
Human Rights and Data Privacy Concerns
Rights groups, legal commentators and academic researchers have warned that the new password requirement risks further undermining privacy and freedom of expression in Hong Kong. They argue that compelling travellers to unlock devices can expose extensive personal and professional data unrelated to any alleged offence, including messages, contact networks, cloud storage and documents involving third parties who have never set foot in the city.
Analyses from civil society organisations tracking Hong Kong’s security legislation highlight that national security offences are broadly defined, while safeguards such as judicial oversight or limits on data retention are comparatively narrow. They caution that this imbalance could encourage “self-censorship by design,” as residents and visitors scrub devices, move data offshore or avoid carrying sensitive material whenever they pass through the territory.
Data privacy specialists also note that many international travellers are bound by professional confidentiality obligations in their home jurisdictions, whether as lawyers, doctors, journalists or executives handling trade secrets. Being compelled to hand over passwords at a border crossing can therefore create conflicts with overseas legal and ethical duties, a tension that multinational firms are now weighing in their risk assessments for staff transiting Hong Kong.
Comparisons With Other Borders and Security Regimes
Observers point out that Hong Kong is not alone in seeking access to travellers’ digital devices. Border agencies in countries such as the United States and New Zealand can already request passwords or require travellers to unlock phones and laptops, and refusal may result in device seizure, fines or denial of entry. In many of these systems, however, non-compliance is typically treated as an administrative or immigration matter rather than a standalone criminal offence tied to national security.
By contrast, Hong Kong’s updated rules fold password disclosure into a framework in which national security offences can carry lengthy prison sentences, and where bail is tightly restricted. Critics argue that this raises the stakes of a password request far beyond those of a typical customs inspection, particularly if the request is made in connection with speech or association that would be lawful in other jurisdictions.
Policy analysts also note that the city’s role as a global financial centre and air hub makes it a test case for how far governments can extend security powers without deterring international travel and investment. The added risk that a routine trip could intersect with a wide-ranging security investigation is now part of many organisations’ calculus when deciding routing, conference venues or regional headquarters locations.
How Travellers and Companies Are Responding
Travel risk consultants and legal practitioners are advising organisations to review digital hygiene policies for staff visiting or transiting Hong Kong. Common recommendations in publicly available guidance include limiting the amount of sensitive data carried on devices, using loaner phones or laptops configured with minimal information, and ensuring that critical corporate or personal data is stored on secure remote servers rather than locally on hardware that could be searched.
Some universities, media outlets and non-governmental organisations are updating internal travel protocols that already exist for trips to jurisdictions with far-reaching security laws. These may include pre-travel briefings, checklists on device configuration and clear instructions on how to respond if border or security personnel request passwords or account access.
Individual travellers, meanwhile, are left weighing the practical realities. Cybersecurity experts caution that deleting content shortly before travel does not guarantee it cannot be recovered, and that refusal to comply with a lawful order in Hong Kong can now bring potential criminal liability. For many, the decision comes down to whether they are comfortable transiting through a jurisdiction where intimate digital lives are more exposed to security scrutiny than before.
