Hong Kong Police Can Now Demand Phone Passwords Without Warrants Under New National Security Rules

New Powers Under the National Security Law

Hong Kong police have been granted sweeping new powers to demand passwords and decryption methods for electronic devices without judicial warrants, under amendments to the city's National Security Law that took effect on March 23, 2026.

The new rules allow authorities to compel anyone with knowledge of device credentials—including device owners, spouses, business partners, and IT administrators—to unlock phones, laptops, and encrypted storage upon request. Refusal carries penalties of up to one year in prison plus a HK,000 fine (approximately ,700 USD). Providing fake credentials can result in three years of imprisonment.

Expanding Scope

The amendments, gazetted by Chief Executive John Lee without Legislative Council oversight, represent a significant expansion of police powers that previously required higher-level authorization. The rules cover everything from smartphone PINs to enterprise-grade encryption keys, effectively making digital privacy contingent on government approval.

For travelers using encrypted messaging apps like Signal or running VPNs, Hong Kong has become a particularly challenging environment. Standard privacy tools now carry potential criminal liability if authorities determine communications threaten broadly defined national security categories: secession, subversion, terrorism, and foreign collusion.

Implications for International Business

The changes have immediate implications for international businesses operating in Hong Kong. IT administrators could be compelled to provide enterprise encryption keys, and corporate VPN usage falls under heightened scrutiny. The lack of judicial authorization requirements means these demands can be executed without any court oversight.

Digital rights organizations have expressed concern that the vaguely worded provisions could be applied to a wide range of legitimate activities, creating a chilling effect on both local residents and international visitors. The rules effectively transform encryption from a privacy protection into a potential legal liability.