Criminal Lawyers Hong Kong, Article 43: Passwords, Compelled Decryption & Police Powers

Last reviewed: 10 May 2026

Since 23 March 2026, criminal lawyers in Hong Kong have been advising clients on a fundamentally altered landscape: the implementing rules for Article 43 of the National Security Law are now in force, equipping police with explicit statutory powers to compel suspects and third parties to hand over passwords, decryption keys and other forms of electronic access. For anyone detained, investigated or simply approached by officers seeking device access, the legal stakes have risen sharply, refusal can now constitute a standalone criminal offence carrying fines and imprisonment.

This guide sets out the statutory framework, explains the new police powers Hong Kong residents and visitors must understand, and provides step-by-step practical guidance for suspects and their lawyers at every stage from on-scene encounter to pre-charge litigation.

Article 43 & the 23 March 2026 Implementing Rules, What Changed

Article 43 of the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region (commonly referred to as the national security law Hong Kong) empowers designated law-enforcement agencies to take measures necessary to investigate offences endangering national security. The provision itself is broadly drafted, it authorises searches, surveillance, asset-freezing and the interception of communications, among other tools. However, the precise mechanics of how those powers are exercised were left to subsidiary implementing rules.

Statutory Text, What Article 43 Actually Says

Article 43 directs the HKSAR government to make implementing rules setting out the “measures, conditions and procedures” for investigative action in national security cases. The implementing rules gazetted as Legal Notice 27 of 2026 (LN27) fill that gap. They prescribe the circumstances in which officers can demand electronic access, the form of the demand, the obligations on the person receiving it, and the consequences of non-compliance. For criminal lawyers Hong Kong-wide, LN27 is now the core reference point for advising clients on compelled decryption.

Timeline, Key Dates and Their Practical Effect

The government press release accompanying LN27 described the revised rules as necessary to address “evolving digital threats” and to provide officers with “clear and lawful procedures” for accessing encrypted electronic evidence. Industry observers expect the courts to be called upon relatively quickly to define the boundaries of these powers, particularly where legal professional privilege or journalistic material is at issue.

Can Police Compel Passwords or Decryption? Legal Test, Scope & Police Powers Hong Kong

The short answer is: yes, in defined circumstances. Under the LN27 implementing rules, a police officer of or above a specified rank who is investigating, or assisting in the investigation of, a national security offence may issue a written requirement compelling a person to provide a password, decryption key, or other means of accessing electronic data. The requirement must state the statutory basis, describe the device or data targeted, and be served on the person in a prescribed manner. Understanding the scope of these police powers in Hong Kong is now essential for anyone carrying an encrypted device in the territory.

When Police Can Legally Require Access

Not every encounter with law enforcement triggers a compulsion power. The implementing rules impose threshold conditions that must be satisfied before a lawful demand can be made:

• National security nexus. The investigation must relate to an offence under the National Security Law or, where specified, the Safeguarding National Security Ordinance. Routine criminal investigations (fraud, theft, assault) do not fall within the Article 43 framework.
• Rank requirement. The demand must be authorised by a police officer at or above the rank specified in LN27. Junior officers acting alone lack authority to issue a valid compulsion notice.
• Written form. The requirement must be in writing. A purely verbal demand, without subsequent written confirmation within the prescribed period, may be challenged as procedurally defective.
• Warrant or authorisation. Depending on the circumstances, a magistrate’s warrant or the authorisation of the Secretary for Security may be required before certain classes of device data (such as journalistic material or material subject to legal privilege) can be compelled.

What “Compulsion” Means Practically, Passwords, Biometrics and Cloud Access

The implementing rules refer broadly to “providing access” to electronic data. In practice, this can encompass several distinct scenarios, each with different legal and practical considerations:

• Alphanumeric passwords and PINs. The clearest case, the suspect is required to disclose a memorised code.
• Biometric unlocking (fingerprint, face ID). The legal treatment of compelled biometric access is not fully settled. Industry observers expect that biometric compulsion will be treated as analogous to password disclosure under LN27, but defence arguments rooted in bodily autonomy may carry additional weight.
• Third-party cloud access. Where data is stored remotely, the requirement may extend to login credentials for cloud services. This raises cross-jurisdictional questions, particularly where the service provider is based outside Hong Kong.
• Device encryption obligations. Employers, IT administrators and service providers who hold master decryption keys or administrative credentials may also receive compulsion notices, creating compliance obligations distinct from those of the device’s primary user.

Limits and Safeguards, Procedural Protections and the Right to Counsel

The implementing rules are not unlimited. Several safeguards are built into the statutory framework:

• Right to legal representation. A person who receives a compulsion notice retains the right to consult a solicitor, although the rules may permit a delay in access to counsel where immediate consultation would prejudice the investigation.
• Privilege claims. Material subject to legal professional privilege cannot ordinarily be compelled without additional procedural steps. The precise mechanism for asserting privilege at the point of demand is an area where guidance from the Hong Kong Law Society and the Bar Association is anticipated.
• Proportionality. Any compulsion must be proportionate to the offence under investigation. Defence solicitors can, and should, challenge demands that are disproportionately broad, targeting devices or accounts with no apparent nexus to the suspected offence.

New Offences and Penalties for Refusal, Passwords Law 2026 Enforcement

One of the most consequential features of the LN27 implementing rules is the creation of distinct criminal offences for non-compliance with a lawful compulsion demand. Before 23 March 2026, refusal to assist police with device access might have been addressed through general obstruction charges or contempt proceedings. The passwords law 2026 changes codify specific offences with defined penalty brackets.

Summary of New Offences

• Failure to comply with a compulsion requirement. A person who, without reasonable excuse, fails to provide a password or decryption key as required by a valid written notice commits an offence.
• Providing false or misleading information. Deliberately supplying an incorrect password or misleading officers about the means of access constitutes a separate and potentially more serious offence.
• Destruction or concealment of data. Wilfully destroying, altering or concealing electronic data after receiving a compulsion notice (or having reason to believe one is imminent) is an aggravated offence.

Penalties and Likely Charging Patterns

The implementing rules prescribe penalty ranges that include both fines and terms of imprisonment. The precise sentencing outcome will depend on the seriousness of the underlying national security investigation, the nature of the non-compliance, and any aggravating or mitigating factors. Industry observers expect that:

The “reasonable excuse” defence is likely to become the most litigated element of these new offences. What constitutes a reasonable excuse, genuinely forgotten passwords, technical impossibility, or a good-faith belief that the demand was unlawful, will be defined case by case. Defence solicitors advising on legal defence refusal passwords scenarios should document every factual basis for a reasonable excuse contemporaneously.

Step-by-Step: What a Suspect Should Do When Police Demand Device Access

Knowing the law is one thing. Knowing what to do in the moment, on the street, in a police station, during a formal interview, is another. The guidance below is designed for suspects, individuals, and the criminal lawyers Hong Kong practitioners who advise them. It follows the chronological sequence of a typical encounter.

Immediate Steps, What to Say and What Not to Say

The critical first minutes after a demand is made will shape the entire case. The following scripted responses are designed to protect rights without unnecessarily escalating the encounter:

1. “I wish to speak to my solicitor before responding to any request for device access.”, Assert the right to legal representation immediately. Do not engage further on the substance of the demand until counsel is present or contactable.
2. “I note your request. Please confirm it in writing as required by the implementing rules.”, Insist on the written form. A purely oral demand may be procedurally defective and should be documented as such.
3. “I do not consent to a voluntary search of my device.”, Distinguish between voluntary cooperation and compelled access. If the officer is relying on statutory compulsion, the notice must say so. If not, consent should not be given lightly.
4. “I am recording the time, date and circumstances of this demand.”, Note details immediately: officer’s name and rank, badge number, time, location, the device(s) specified, and any witnesses present. If recording is not possible, write notes as soon as practicable.
5. “I require confirmation of the statutory basis and the specific offence under investigation.”, The implementing rules require the notice to state the statutory basis. If the officer cannot or will not specify it, this may form the foundation of a later challenge.
6. “I reserve all my rights and make no admissions.”, A catch-all reservation. Do not volunteer information about what is on the device, how it is encrypted, or who else has access.

Evidence Preservation and Chain of Custody

When a device is seized, the forensic integrity of its contents becomes a live issue. Defence solicitors should advise clients to:

• Request a receipt for every item seized, specifying make, model, serial number and condition.
• Ask for forensic imaging rather than direct examination of the original device. If officers intend to access the device directly, record an objection and note whether the device was powered on or off at the time of seizure.
• Document any damage to the device during seizure, cracked screens, removed SIM cards, disconnected cables, as these may affect the integrity of subsequent forensic analysis.
• Preserve external records such as cloud-sync logs, backup timestamps and service-provider correspondence that may corroborate or challenge the prosecution’s account of what was on the device.

Duty to Cooperate vs. Right to Silence, Practical Tradeoffs

The tension between the right to silence and the new compulsion offences is the central dilemma for anyone facing a device-access demand. Hong Kong’s common law right to silence remains intact as a general principle, but the implementing rules create a statutory exception in the specific context of compelled decryption under Article 43. Refusing to comply is no longer simply an exercise of silence, it is a potentially criminal act.

The practical tradeoff is as follows: complying with the demand may expose data that could be used in evidence; refusing may result in a separate criminal charge. A solicitor’s role at this stage is to assess, quickly, which course of action carries the lower combined risk. Factors include the strength of the underlying national security case, the nature of the data on the device, whether privilege applies, and the client’s personal circumstances. There is no one-size-fits-all answer, but the assessment must be made before the client acts.

Defence Strategies and Litigation Routes for Criminal Lawyers Hong Kong

Where a client has already received a compulsion notice, or is facing charges for refusal, the defence strategy must be assembled rapidly. The implementing rules impose tight timelines for compliance, and delay itself may be characterised as non-compliance.

Pre-Charge Representations and Urgent Applications

Before any charge is laid, defence solicitors should consider:

• Written representations to the investigating officer setting out the factual and legal basis for non-compliance (e.g. privilege, disproportionality, procedural defect in the notice).
• Urgent application to the court for a stay or injunction if the demand is arguably unlawful. The application should be supported by affidavit evidence and, where possible, filed ex parte in the first instance to prevent immediate enforcement.
• Disclosure requests seeking the internal authorisation documents, risk assessments and senior officer sign-offs that preceded the compulsion notice. Any gap in the paper trail may undermine the lawfulness of the demand.

Contesting Compulsion, Judicial Review and Proportionality Arguments

Compelled decryption engages fundamental rights. Defence arguments may include:

• Procedural ultra vires. The notice was issued by an officer below the required rank, was not in writing, or failed to specify the statutory basis.
• Disproportionality. The scope of the demand is broader than necessary, for example, requiring access to an entire device when the investigation concerns a specific messaging application.
• Privilege. The device contains legally privileged material, and the prescribed procedure for handling privileged material was not followed.
• Self-incrimination. While the implementing rules create a statutory compulsion, the common law privilege against self-incrimination may still be relevant to sentencing and admissibility arguments.

Likely Judicial Tests, Early Indications

No reported judgments on the LN27 compelled-decryption provisions have been handed down as of the date of this article. However, the likely practical effect, based on analogous Hong Kong case law and comparative common law jurisdictions, is that courts will adopt a two-stage test: first, whether the demand was lawfully issued (procedural validity); second, whether it was proportionate in scope and necessity. Defence solicitors preparing skeleton arguments should frame submissions around both limbs.

A sample opening paragraph for a defence application to quash a compulsion order might read:

“The Applicant seeks an order quashing the Requirement dated [date] issued pursuant to the Implementing Rules for Article 43 on the grounds that (a) the Requirement was not authorised by an officer of the requisite rank; (b) the Requirement is disproportionate in that it demands access to the entirety of the Applicant’s personal device when the investigation concerns a single communication platform; and (c) the Requirement fails to make adequate provision for the identification and exclusion of legally privileged material.”

Corporate and Compliance Note, Obligations for Employers and Internal Investigations

The Article 43 implementing rules do not only affect individual suspects. Employers, IT departments and in-house counsel face distinct device encryption obligations when company-owned devices are targeted by a compulsion notice.

How Article 43 Interacts with Internal Incident Response

When police serve a compulsion notice on a corporate officer or IT administrator, the company must balance cooperation with the preservation of privilege and confidential business information. The following compliance checklist is a starting point for in-house counsel:

• Activate the incident-response protocol immediately. Notify external criminal counsel before providing any access or information.
• Separate privileged material. Identify and segregate any legally privileged documents, communications or files on the device before access is provided. Assert privilege in writing.
• Preserve logs. Maintain a contemporaneous log of every step taken: who was contacted, what was provided, what was withheld, and on what legal basis.
• Limit individual exposure. Ensure that the corporate officer serving as point of contact understands that personal criminal liability may attach to non-compliance, and that they are separately represented if necessary.
• Review employee policies. Update acceptable-use, BYOD and encryption policies to address the possibility of Article 43 demands. Employees should be informed that company devices may be subject to compelled access in national security investigations.

Practical Resources and How to Get Legal Help

If you are facing a device-access demand, have been arrested in connection with a national security investigation, or need urgent advice on compelled decryption, the following resources are available:

• Duty Lawyer Service. Hong Kong’s Duty Lawyer Scheme provides legal representation at magistrates’ courts. Contact the Duty Lawyer Service immediately if you cannot reach a private solicitor.
• Legal Aid Department. Means-tested legal aid is available for criminal proceedings. Apply as early as possible, processing takes time, and national security cases often move quickly.
• Hong Kong Law Society. The Law Society maintains a referral list of solicitors practising in criminal defence. Contact them if you need help identifying a specialist.
• Global Law Experts directory. Find a criminal lawyer through the GLE directory for Hong Kong-based practitioners with national security and police-powers experience.

For additional context on Hong Kong’s evolving legal landscape, see our analysis of Hong Kong’s merger and M&A rule changes in 2026.

Conclusion, Protecting Your Rights Under the New Criminal Lawyers Hong Kong Landscape

The 23 March 2026 implementing rules for Article 43 represent a significant expansion of police powers in Hong Kong, particularly in the realm of compelled decryption and password disclosure. For suspects, the immediate priority is to understand the new obligations and to seek legal advice before responding to any demand. For criminal lawyers in Hong Kong, the priority is to build defence strategies around procedural validity, proportionality and the developing case law on reasonable excuse. The law is new, judicial interpretation is pending, and the practical stakes, for individuals and corporations alike, are high. Early, specialist legal advice is not optional; it is essential.

Sources

1. Hong Kong e-Legislation, Implementing Rules (LN27) for Article 43 (National Security Law)
2. news.gov.hk, Government press release on Article 43 implementation (23 March 2026)
3. Hong Kong Free Press (HKFP), Explanatory news briefing on Article 43 implementing rules
4. Hogan Lovells, Briefing on National Security Law Article 43 developments
5. The Law Society of Hong Kong, Professional guidance on police contacts and client obligations
6. Hong Kong Bar Association, Guidance on counsel conduct in national security proceedings