The Takeaway
Hong Kong’s new national security rules, enacted on March 23, 2026, empower police to compel warrantless access to devices and premises, with no justifiable grounds for refusal.
This development creates significant compliance and data protection risks for international businesses — including Canadian banks in Hong Kong, which are obligated to safeguard sensitive data under Canadian law — and introduces risks for personnel.
The measures also further erode Hong Kong’s ‘One Country, Two Systems’ framework, raising questions about the durability of the Special Administrative Region's legal distinctiveness and its operating environment as a global financial centre.
In Brief
- The Hong Kong government enacted new implementation rules under Article 43 of the Safeguarding National Security in the Hong Kong Special Administrative Region (NSL). Beijing imposed the NSL on Hong Kong in 2020 to quell citywide protests that began in 2019.
- The new rules allow law enforcement to demand passwords, decryption, and other forms of access to devices and premises without a warrant. They also remove any legal or security grounds to refuse compliance, meaning companies cannot decline to provide access even to protect trade secrets. Failure to comply constitutes an offence punishable by imprisonment of one year and a fine of approximately C$17,510 (100,000 Hong Kong dollars).
- These new rules are the latest in a long string of steps bringing Hong Kong’s legal system closer in line with the PRC’s system.
Implications
The imposition of the NSL marked a turning point in Beijing's efforts to control Hong Kong. Since the NSL came into force on June 30, 2020, the law, together with British colonial-era laws, has been actively used by Hong Kong authorities in ways that have significantly reshaped the city’s civic and political landscape. Hundreds of people have been arrested and dozens imprisoned under the NSL and these laws, including for activities such as participation in election primaries. This broad application of the NSL fosters uncertainty among international stakeholders regarding the scope and predictability of enforcement — concerns unlikely to be alleviated by the new rules.
The new rules for implementing Article 43 of the NSL expand already broad police authorities to search, seize, and detain individuals suspected of endangering national security. Previously, a warrant was required to access digital devices. While formally limited to cases involving “reasonable” suspicion, the application of these new warrantless powers must be understood in the broader context of how national security is defined by the Chinese Communist Party (CCP). Under the CCP’s doctrine of “holistic national security” (总体国家安全), the concept extends to economic, social, and technological domains. Developments in mainland China illustrate the implications of this expansive approach, including the 2023 raids on foreign due-diligence firms that led to the imprisonment of five employees of a U.S. company for two years. Cases such as that of Hong Kong media tycoon (and Ontario hotelier) Jimmy Lai — who was sentenced to 10 years in prison for engagement with foreign governments — illustrate the expansive interpretation of national security in Hong Kong as well. This growing alignment with Beijing’s interpretation undermines efforts to reassure the global business community that the One Country, Two Systems’ framework, under which Hong Kong retains a high degree of legal and economic autonomy from the PRC, will continue to bring opportunities for global enterprises and talents.
The new rules exacerbate an already challenging operating environment for private companies with operations in Hong Kong. Financial institutions, in particular, already have to navigate increasingly divergent sanctions regimes between the U.S. and China. By mandating compliance with warrantless access demands — without any justifiable grounds for refusal — the rules create potential conflicts with banks’ obligations to safeguard sensitive data, including trade secrets and client information, under the laws of their home jurisdictions. For example, Canadian financial institutions — seven of which operate or maintain representative offices in Hong Kong — are required to protect sensitive client information. Obligations to disclose such information under threat of immediate imprisonment could also place employees of international companies in untenable legal and professional positions.
What’s Next:
1. Securitization likely to deepen
The trend toward securitization in Hong Kong is likely to deepen as legal and regulatory alignment with Beijing continues. While many organizations have taken steps to separate Hong Kong operations from those in other jurisdictions, the increasing codification of PRC-style security laws is likely to widen these differences, making legal and compliance conflicts more frequent and operations more complex and costly.
2. Hidden enforcement risks
Authorities indicate these powers will not be used for routine ‘street-level’ searches; any departure from this should be closely monitored as a signal of further erosion of the ‘One Country, Two Systems’ framework. Greater concern lies in the potential use of these powers in corporate settings, where limited transparency may obscure enforcement and increase risk exposure.
• Edited by Vina Nadjibulla, Vice-President Research & Strategy, and Ted Fraser, Senior Editor, APF Canada.
