The Law Reform Commission today published Cyber-Dependent Crimes & Jurisdictional Issues, a report that recommends the introduction of new legislation to address five types of “cyber-dependent” crimes.

The Government said it welcomed the report and will conduct a thorough study of its recommendations.

The five types of “cyber-dependent” crimes identified are ones that can be committed only by using information and communications technology devices. These are listed as illegal access to programs or data, illegal interception of computer data, illegal interference with computer data, illegal interference with computer systems, and making available a device, program or data for committing a cyber-related crime.

The commission’s Cybercrime Sub-committee has studied current laws in Hong Kong, as well as corresponding legislation in Australia, Canada, the Chinese Mainland, New Zealand, Singapore, the US, and England and Wales.

It highlighted that, at present, different computer-related offences are covered in Hong Kong’s Crimes Ordinance and the Telecommunications Ordinance, but that some of these are outdated.

Moreover, all of the other jurisdictions studied have legislated against the five types of cyber-dependent crime identified either through bespoke cyber-crime legislation or dedicating a part of their codified law to cyber-crime.

One of the report’s recommendations is that unauthorised access to programs or data without lawful authority should be a summary offence. It stresses that an aggravated form of the offence arises if the unauthorised access is accompanied by intent to carry out further criminal activity.

The commission also recommends that unauthorised interception of computer data carried out for dishonest or criminal purposes should be an offence. It says this would protect both private and non-private communications, and would apply to data generally.

In addition, the report proposes that both illegal interference with computer data and computer systems, and knowingly making available a device, program or data for use in committing a cyber-related crime, should be offences.

In line with international norms, it recommends that Hong Kong law should provide for the extra-territorial application of the five cyber-dependent offences proposed. It adds that Hong Kong courts should have jurisdiction in cases where connections with Hong Kong exist.

The report also advises that, as the severity of the harms caused by cyber-crime are wide-reaching, each of the proposed offences should carry a maximum sentence for summary convictions of two years’ imprisonment, and one of 14 years’ imprisonment for convictions on indictment.

For aggravated forms of Interference Offences involving danger to life – for example, interference with a railway signal system – the proposed maximum penalty is life imprisonment.

The commission said the report represents its first set of findings following the issuance of a consultation paper by its Cybercrime Sub-committee in 2022, and that responses to the paper were taken into account in formulating the recommendations contained in the report.

It added that the report adopted the guiding principle of balancing the rights of users of information and communications technology and the interests of persons in the information technology industry against the need to protect the public against being disturbed or attacked when using or operating computer systems.

In a statement, the Security Bureau said the Government will carefully consider how to follow up on the report and implement its recommendations.

The commission’s Cybercrime Sub‑committee is also conducting further research into other aspects relating to cybercrime. The Government said it will study all of the commission’s findings carefully and thoroughly with a view to formulating comprehensive legislation that addresses the challenges to public order arising from advancements in information technology.