Tighter device‑access laws abroad
Hong Kong authorities can now demand phone passwords under national security rules—and withholding them is punishable—while recent data‑protection updates across jurisdictions are shifting expectations about access and compliance. Those international moves signal a broader trend toward faster, more invasive access demands that institutions should watch for legal and policy impacts. (bbc.com) (scmp.com) (lexology.com)
The Hong Kong government gazetted and immediately implemented revised implementation rules under Article 43 of the National Security Law on 23 March 2026, explicitly empowering police to require suspects to provide “any password or other decryption method” for electronic devices. (thestandard.com.hk) Refusal to surrender passwords is now criminalised with penalties of up to one year’s imprisonment and a fine of HK$100,000, while knowingly providing false or misleading information attracts penalties of up to three years’ imprisonment. (straitstimes.com) The amendments also allow police, with Secretary for Security approval, to order removal of electronic messages deemed likely to constitute or incite national‑security offences and expand customs powers to seize material judged seditious; the changes were published in the government gazette without passage through the Legislative Council. (scmp.com) Lexology’s weekly compliance roundup published 23 March 2026 grouped the Hong Kong rule changes with a new CJEU decision and national updates in Denmark under “Data protection: key compliance updates (16–20 Mar).” (lexology.com) On 19 March 2026 the Court of Justice of the European Union (Case C‑526/24, Brillen Rottler) ruled that a data subject’s first access request can be declared abusive and refused where a controller proves the request was made solely to trigger a compensation claim. (infocuria.curia.europa.eu) Denmark’s Data Protection Authority (Datatilsynet) published updated guidance on 17 March 2026 linking national election‑campaign rules to the EU Regulation on Transparency and Targeting of Political Advertising and emphasising consent and transparency for targeted online voter advertising. (dataguidance.com) Legal analysts and international law‑firm trackers described the 16–23 March 2026 cluster of rulings and guidance as evidence of a multi‑jurisdictional shift combining faster compelled‑access powers with new limits on subject access remedies, noting businesses must navigate both coercive investigatory powers and tighter compliance risk. (freshfields.com)
