Hong Kong can demand your phone password, and refusal is a crime

On 23 March 2026, the Hong Kong government gazetted amendments to the implementation rules for Article 43 of the National Security Law, giving police additional powers to obtain passwords, decryption help, and other access to electronic devices in national security cases, with new criminal penalties if you refuse.

According to Reuters, police can require a person under investigation whom they suspect of endangering national security to hand over access, and the US State Department warned in a consular security alert that the change applies in Hong Kong, including to people arriving or transiting through the airport.

If you work from a phone or laptop, you should treat this as a real compliance and data-exposure risk, not a distant policy story.

Context: what changed in March 2026

The 2020 National Security Law already reshaped how authorities investigate certain offences. The 23 March 2026 changes update the Article 43 implementation rules, not a brand-new stand-alone “airport only” law.

Under the new wording reported by Reuters, police can require passwords or decryption methods for devices and “any reasonable and necessary information or assistance.” The same reporting says customs officers have expanded powers to deal with material deemed to carry “seditious intention,” including at the border, even where no one has been arrested for a national security offence in connection with the items.

On penalties, Reuters states that refusing to comply can lead to up to one year in prison and a fine of up to HK$100,000 (roughly US$12,800 at the rates quoted in international coverage), while false or misleading information can bring up to three years and a fine of up to HK$500,000.

What is confirmed, and what still depends on the stop

Confirmed as of the March 2026 reporting window: the rules are in the official gazette process described by major outlets; the refusal offence and fine levels are reported consistently; and the US consulate frames the refusal to provide passwords or decryption help as a criminal issue for people in Hong Kong, including US citizens in transit, not only long-term residents.

Also clear from news reporting: the core password power is tied to national security investigations and suspicion of endangering national security, as Reuters put it, rather than a published scheme of random, suspicion-free device checks for every short-stay tourist. In practice, how often travelers see these powers, and what triggers a stop, will not be fully visible from one week of headlines.

What you should not do: do not read social threads and assume either “this never applies to visitors” or “everyone gets searched at the gate.” The US alert is written specifically so travelers do not ignore the risk.

What critics and officials each say

A Hong Kong government spokesperson told Reuters the amended rules comply with the Basic Law and its human rights provisions, and “will not affect the lives of the general public or the normal operation of institutions and organisations.”

Researcher Urania Chiu, speaking to the Reuters story, called the new enforcement tools “grossly disproportionate” to legitimate aims, arguing they interfere with privacy and fair-trial expectations in a way that is hard to square with light-touch use only.

Practical takeaways for remote workers and travelers

Separate work data from travel risk. If Hong Kong is a stopover, client meeting, or holiday segment, use your employer’s or your own clean-travel device policy where you can: minimal accounts on the phone you carry, no local copies of the most sensitive client material, and remote access only over systems your company approves. See our digital nomad gear guide for how we think about road kit.

Revisit how you use Greater China as a base. If you are comparing hubs, our overview of places in China for remote workers is a starting point for what life on the ground actually looks like, but entry and device rules are their own track from cost-of-living questions.

Stay reachable if you are a US citizen. The consular alert recommends enrolling in STEP and keeping consulate contact details handy in case you are detained or arrested. Other nationalities should read their own government travel advice; the pattern is the same: know the embassy number before you land.

Connectivity only fixes part of the problem. A good travel eSIM for China and Hong Kong helps you stay online; it does not replace legal or infosec planning for what sits on the device itself.

Bottom line for nomads in 2026: treat the March 2026 update as a reason to run a fast audit of what is on your laptop and phone before you enter or transit Hong Kong, and to align with your client and employer rules on cross-border work. If that audit says “this country segment is not worth the exposure,” that is a valid answer too.

Want more digital nomad news?

Sign up for our free newsletter and get upcoming articles straight to your inbox.