Hong Kong: when refusing to hand over your password becomes a confession
It is the latest extension of the implementation rules under Hong Kong's national security law. Police can now compel anyone suspected of endangering national security to hand over their password, their decryption method, or…

You are in transit at Hong Kong airport. You do not even leave the international zone. A police officer stops you, points at your phone and asks for your passcode. Not because you have done anything. Not because a judge has signed anything. Simply because he can. And since 23 March 2026, if you refuse, you are a criminal.
This is not fiction. It is the latest extension of the implementation rules under Hong Kong's national security law. Police can now compel anyone suspected of endangering national security to hand over their password, their decryption method, or any assistance deemed "reasonable and necessary" to access the contents of their devices. The words "anyone" are to be read broadly: the suspect, but also whoever holds, controls or knows the password. A colleague. A relative. A former user. Refusal carries up to a year in prison and a 100,000 Hong Kong dollar fine. Providing false information, up to three years.
1 an de prison + 100 000 HK$Penalty for refusing to hand over your passwordImplementation rules under Hong Kong's national security law (in force since 23 March 2026)The American consulate did not miss the point. On 26 March, it issued an unambiguous alert: this rule applies to everyone, including American citizens, including passengers simply in transit.
What it changes when you travel for work
For anyone who travels regularly across the Asia-Pacific region, Hong Kong was until now an obvious point of passage. One of the most connected air hubs in the world, a natural stopover between Europe and Southeast Asia. That is over, or at the very least it has become a calculation. If you are a consultant, an auditor, a lawyer, if you work in finance, tech or compliance, your laptop holds information covered by confidentiality agreements, client data, internal strategies, exchanges with regulators. Your phone holds your encrypted messaging apps, your authenticators, your VPN access. All of it can now be demanded of you in Hong Kong, without a warrant, and you have no right to say no.
The question is no longer posed in the abstract terms of digital liberties. It comes up on a Tuesday morning, when you book a flight with a stopover and have to decide whether passing through Hong Kong territory is worth the risk of exposing the data of your employer, your clients or your partners. Some companies have already started to make the call. A few are banning Hong Kong transits for staff carrying sensitive data. Others require blank phones dedicated to the trip. These are pragmatic responses, but they say something about the state of the world when an airport becomes a point of legal vulnerability.

What Hong Kong owns openly, others are preparing in silence
You could treat this as a Hong Kong problem. One more authoritarian slide in a territory where civil society's room to maneuver has been shrinking since 2020. That would be convenient. It would also be dishonest.
Because the principle that has just been written into law in Hong Kong, namely that encryption is an obstacle to be removed and that digital silence is suspect, is not a Chinese idea. It is an idea that has been circulating in most Western capitals for twenty years. The difference is that Hong Kong has stopped pretending.
In the United Kingdom, the Online Safety Act passed in 2023 gives the regulator Ofcom the power to require platforms to scan encrypted messages in order to detect illegal content. The British government actually used that lever in early 2025, serving Apple with a secret "technical capability notice" demanding access to end-to-end encrypted iCloud data. Apple chose to withdraw its Advanced Data Protection feature from the British market rather than comply. At the European level, the "Chat Control" project keeps coming back to the table: since 2022 the European Commission has been pushing to force messaging platforms to run automated scanning of communications, including encrypted ones, in the name of the fight against child abuse. The European Parliament has rejected the most intrusive versions, but the project is not dead. It mutates, it comes back under other names, it waits for the right news story to resurface.
In France, the debate turned concrete in 2025, during discussions on the anti-narcotics law. Amendments proposed to require providers of encrypted messaging services to install access mechanisms for the intelligence services. The word "backdoor" was never uttered officially, but that is exactly what it was. The National Assembly eventually backed down, notably under pressure from ANSSI itself, which restated what every cybersecurity professional knows: a backdoor created for the state is a backdoor usable by anyone else.
And that is not a theoretical claim. In 2015, security researchers discovered that a backdoor had been inserted into the firmware of Juniper Networks equipment. For years, that backdoor, most likely planted by a state intelligence service, made it possible to decrypt VPN connections without anyone knowing. When it was discovered, it was impossible to determine with certainty who had benefited from it, or how many actors had had time to exploit it. The Juniper affair became the textbook case that advocates of strong encryption cite systematically, and for good reason: it demonstrates in practice, not in theory, that there is no such thing as a vulnerability reserved for the good guys.

The French paradox
And this is where the French position becomes hard to ignore. On one side, France is struggling to transpose NIS2 on schedule, pushing back its deadlines, leaving its organizations in a regulatory fog that weakens the whole ecosystem. On the other, it finds the time to hold serious discussions about weakening encryption. We cannot manage to impose the basics of digital hygiene on companies and public bodies, yet we contemplate punching holes in the walls of those who have made the effort to protect themselves. There is something in this sequence that looks less like a strategy than like confusion about what "security" means.
The real issue is not technical
Hong Kong's Secretary for Security, Chris Tang, tried to reassure people by explaining that police could not make these demands "randomly" and that a justification tied to national security remained necessary. But that guarantee is worth only as much as the definition of "national security" is worth. And in the post-2020 Hong Kong context, that definition encompasses dissent, critical journalism and sometimes the mere expression of an opinion. When the perimeter of the threat is that broad, the guarantee is no longer one.
The mechanism, moreover, is remarkably clean. You are not physically coerced. You are placed before a choice whose two branches lead to the same place: hand over your data or be prosecuted. It is legal, administrative, and perfectly calibrated so that most people comply without even realizing they had an alternative. This is not brute coercion. It is a system that has understood that voluntary compliance costs less than repression.
The signal
Hong Kong is not inventing anything. Hong Kong is accelerating. What is happening there is not an authoritarian anomaly. It is a full-scale test of what many governments are considering without daring to spell it out so clearly. The criminalization of refusal to decrypt, the absence of prior judicial review, the extension to third parties: each of these elements exists as a proposal or a temptation in at least one Western democracy.
France would do well to look at Hong Kong not as a convenient foil, but as an uncomfortable mirror. You cannot at once claim to be building an ambitious European cybersecurity framework and flirt with the idea that encryption is a problem to be solved rather than a protection to be defended. A choice will have to be made.
Questions fréquentes
Who can be forced to hand over their password in Hong Kong?
Anyone suspected of endangering national security, but also whoever holds, controls or knows the password: a colleague, a relative or a former user of the device.
What is the penalty for refusing?
Up to a year in prison and a 100,000 Hong Kong dollar fine for refusal, and up to three years for providing false information.
Does the rule apply to travelers simply in transit?
Yes. On 26 March 2026 the American consulate issued an alert stating that it applies to everyone, including foreign nationals and passengers simply in transit within the airport's international zone.
Is this a Hong Kong peculiarity?
No. The same principle of weakening encryption exists as a proposal or a temptation in several Western democracies: the Online Safety Act in the United Kingdom, the Chat Control project in the EU, narcotics-trafficking amendments in France. Hong Kong has simply stopped pretending.
Sources & méthodologie

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
