U.S. State Department Security Alert — March 26, 2026
“It is now a criminal offense to refuse to give the Hong Kong police the passwords or decryption assistance to access all personal electronic devices including cellphones and laptops. This legal change applies to everyone, including U.S. citizens, in Hong Kong, arriving or just transiting Hong Kong International Airport.”
On March 23, 2026, Hong Kong quietly amended the implementation rules of Beijing’s 2020 National Security Law — and the implications reach far beyond the city’s 7.5 million residents. For anyone passing through Hong Kong, whether you’re staying for a week or just changing planes, your devices are now legally accessible to police on demand. Refusing to hand over your password is no longer a judgment call. It’s a criminal offense.
The amendments were gazetted and took effect immediately, bypassing Hong Kong’s legislature entirely — a mechanism built into the original National Security Law framework that gives Beijing and the Hong Kong executive broad authority to expand enforcement rules without legislative debate.
The Penalties
| Offense | Prison | Fine (USD) |
|---|---|---|
| Refusing to unlock a device | Up to 1 year | ~$12,768 (HK$100,000) |
| Providing false or misleading information | Up to 3 years | ~$63,840 (HK$500,000) |
These aren’t administrative fines or grounds for denial of entry. These are criminal penalties, prosecuted under a national security framework that has already been used to sentence pro-democracy figures to multi-decade prison terms. The NSL doesn’t require a high evidential bar — it requires that authorities believe a device may hold relevant evidence.
It Applies to Everyone — Including Transit Passengers
This is the part that caught most international observers off guard. Under the new rules, transit status offers zero protection. If you’re routed through Hong Kong International Airport — one of the world’s busiest transit hubs, positioned within a five-hour flight of roughly half the global population — you are legally subject to the same requirements as a Hong Kong resident under investigation.
You don’t have to clear customs. You don’t have to leave the terminal. Simply routing a connecting flight through Hong Kong puts every file, message, app, and contact on your devices within reach of Hong Kong police under these rules.
“Encryption remains a security measure against theft. It does not shield against government-compelled access in Hong Kong.”
Attorney-Client and Doctor-Patient Privilege? Gone.
The scope of the obligation is sweeping. The new rules explicitly state they apply even to those with “a duty of confidentiality or any other restriction on the disclosure of information.” That language directly covers lawyers, doctors, journalists, and financial advisors. Professional privilege evaporates the moment the national security label is attached — and that label, since 2020, has been applied to acts as mundane as social media posts and candlelight vigils.
For corporate security teams and legal counsel advising executives traveling through the Asia-Pacific region, this creates an immediate and serious exposure. Any device carrying privileged legal communications, unreleased financial data, or sensitive client information is now a potential evidence seizure target.
The Government’s Response: “Nothing to See Here”
“These amendments have only improved some procedures and how we work; there are absolutely no newly added powers.”
— Chris Tang Ping-keung, Hong Kong Secretary for Security
This is a remarkable claim. Prior to March 23, refusing to unlock a phone during a police investigation in Hong Kong was not, in itself, a criminal offense. It is now. The secretary’s framing attempts to characterize a brand new standalone criminal offense as a procedural housekeeping update. It isn’t.
The Broader Surveillance Architecture Being Built
The device access rules are one piece of a broader set of amendments enacted simultaneously. Police now have expanded authority to seize items deemed to carry “seditious intention” — even without an arrest — and authorities can compel publishers, platform operators, and hosting services to remove electronic messages deemed likely to constitute or incite national security violations.
This brings Hong Kong’s digital enforcement architecture significantly closer to the PRC mainland model. Analysts at Strider Intel describe it as a “steady, deliberate convergence of Hong Kong’s legal and intelligence environment with that of the People’s Republic of China.”
What This Means for Security Professionals
For vCISOs, security consultants, and enterprise security teams, the practical implications are significant. Any organization sending personnel through Hong Kong — or with staff who transit via HKG on Asia-Pacific routes — needs to revisit travel device policies immediately.
Travel with clean devices. If your organization has staff traveling through Hong Kong, the only reliable mitigation is to ensure devices carried into the jurisdiction contain only what you’re willing to surrender. That means loaner devices with minimal credentials, no persistent VPN configs, and no access to sensitive internal systems.
Assume no encryption protection. Device encryption does not protect you here. The law compels decryption assistance. If you rely on encryption as your primary confidentiality control for traveling executives, that control is now void in this jurisdiction.
Re-route when possible. For routes that previously transited through Hong Kong International, alternative routing via Tokyo, Seoul, Singapore, or Taipei avoids the jurisdiction entirely. The risk calculus for using HKG as a transit hub has fundamentally changed.
Update travel briefings now. Security awareness training and travel security briefings should be updated immediately to reflect this change. Anyone traveling to or through Hong Kong needs to understand the exposure before they board.
The Bigger Picture
Hong Kong’s trajectory since 2020 has been a case study in how authoritarianism expands incrementally. The original NSL criminalized secession and subversion. Article 23 in 2024 added “theft of state secrets” — defined so broadly it could encompass virtually any sensitive business information. These new amendments extend compelled decryption to any national security investigation.
Each step has been accompanied by official assurances that law-abiding people have nothing to worry about. But as JURIST and multiple human rights organizations have documented, more than 80% of those convicted under NSL provisions since 2020 have been retroactively deemed wrongly criminalized. The definition of “law-abiding” in Hong Kong is now determined by Beijing — not by any independent judiciary.
The city that was once one of Asia’s most open financial centers is now a jurisdiction where digital privacy does not exist as a practical matter for anyone passing through it. Travelers, consultants, journalists, and executives should plan accordingly.
