What The C-Suite Needs To Know About The USG Advisory on Risks and Considerations for Businesses Operating in Hong Kong

The US Government released a statement jointly produced by the Department of State, Department of Treasury, Department of Commerce and Department of Homeland Security on the topic of business risks associated with operating in Hong Kong.

If any single agency released a memo on a topic like this, it would be important. With all four teaming up to produce it, this is a clear signal that the advisory should be read and understood by any company doing business in or with Hong Kong.

OODA has long been advising our clients and network members on the nature of the changes underway in Hong Kong and for most of our readers here the changes are probably not a surprise. But this joint advisory provides a good opportunity to pause and review the situation and assess whether or not your strategy is in the right place. We provide a list of recommendations for the C-Suite at the end of this overview.

Overview of the Advisory:

  • Hong Kong laws are changing. These changes make operating in the Special Administrative Region of Hong Kong essentially the same as operating in the People’s Republic of China (PRC).
  • Any business, individual or other organization (including academia, investors and media) that operates in Hong Kong should be aware of what these changing laws are.
  • The new legal landscape includes a law titled the “Law of the People’s Republic of China on Safeguarding National Security in Hong Kong”. This one in particular poses significant risks.

The risks fall into four categories:

  • Risk for business
  • Data privacy risks
  • Risks regarding transparency and access to critical business information
  • Risks for businesses with exposure to sanctioned Hong Kong or PRC entities or individuals

Business Risks:

  • Hong Kong continues to enjoy some distinctions from mainland China on topics like free trade and property ownership and continues to exercise some freedom in implementation of commercial agreements. Monetary policy is different from the PRC.
  • However, the imposition of the NSL in June 2020 has led to major structural changes that reduced Hong Kong’s autonomy. Business and rule of law risks that were formerly limited to mainland China are now increasingly a concern in Hong Kong.
  • Businesses operating in Hong Kong, as well as individuals and businesses conducting business on their behalf, are subject to the laws of Hong Kong, including the National Security Law. Foreign nationals, including one U.S. citizen, have been arrested under the NSL.
  • Offenses established by the NSL include secession, subversion, terrorist activities, and collusion with a foreign country or external elements to endanger national security.
  • Individuals in Hong Kong have been arrested under the NSL for publishing newspaper articles, participating in routine democratic processes, expressing an opinion regarding the government or the Chinese Communist Party, and attending public gatherings.
  • Penalties for offenses under the NSL can include criminal fines and imprisonment, including life imprisonment in certain circumstances. In addition, the NSL states, inter alia, that “an incorporated or unincorporated body, such as a company or organization which commits an offense” under the NSL, may be subject to a criminal fine and to having its operations suspended or its license or business application revoked “if the body has been punished for committing an offense” under the NSL.
  • Certain provisions may also apply to offenses “committed from outside the Region by a person who is not a permanent resident of the Region,” and the NSL states that it also applies to “an incorporated or unincorporated body such as a company or an organization which is set up in the Region if the person or the body commits an offence under this Law outside the Region.”
  • Hong Kong authorities can place exit bans on individuals seeking to depart the country, including non-residents.

Data Privacy Risks

  • Businesses face risks associated with electronic surveillance without warrants and the surrender of data to authorities.
  • The NSL introduced a heightened risk of PRC and Hong Kong authorities using expanded legal authorities to collect data from businesses and individuals in Hong Kong.
  • Hong Kong authorities have, to date, used the new law to prosecute individuals and businesses participating in primary elections, calling for political steps specifically protected by the Basic Law, posting opinions on social media, and meeting with members of the diplomatic community.
  • Prosecutions to date may not fully reflect the extent to which “national security” may be used by local authorities in the future as a legal pretext to penalize any behavior or speech deemed to oppose Hong Kong or PRC authority.
  • While Hong Kong maintains a separate regulatory framework from the PRC for how businesses, individuals, and government authorities collect, handle, and use data in Hong Kong, and while Hong Kong authorities have traditionally respected data privacy, the rule of law, and limits on government authority, the NSL grants Hong Kong law enforcement broad authorities to conduct wiretaps or electronic surveillance on approval of the chief executive, rather than the courts, in national security-related cases.
  • The NSL empowers Hong Kong law enforcement to conduct searches, including of electronic devices, for evidence in national security cases, and the NSL permits Hong Kong law enforcement to require Internet service providers to provide or delete data and other information relevant to national security cases, both without judicial oversight.
  • Furthermore, businesses and individuals should be aware that the NSL authorizes the Office for Safeguarding National Security, which is staffed by PRC security services, to collect data in Hong Kong.
  • Beijing is developing a broad data policy regime through its Cybersecurity Law, draft Data Security Law, and draft Personal Information Protection Law and related regulations. These bills, as drafted, do not extend the PRC’s regulatory jurisdiction to Hong Kong, but U.S. companies should be aware that legislation supported by Beijing could be quickly imposed on or passed in Hong Kong. Businesses and individuals operating in Hong Kong should be aware that Hong Kong’s own data privacy laws can require businesses and individuals to localize data in the territory; however, that aspect of the law has not been implemented since the Personal Data (Privacy) Ordinance was legislated in 1995.

Heightened Risk Regarding Transparency and Access to Information

  • Businesses that rely on free and open press may face restricted access to information.
    Since the imposition of the NSL, Hong Kong authorities have increased pressure on freedom of expression, notably freedom of the press. In March, Hong Kong and Macau Affairs Office Director Xia Baolong stated that the principle of “patriots governing Hong Kong” also extends to the media.
  • Hong Kong has blocked websites and other online presence because of the new law (see: Hong Kong Internet Firm Blocked Website Over Security Law).
  • Hong Kong Chief Executive Carrie Lam has vowed to stamp out “fake news.” Describing “fake news” as a matter of national security, Hong Kong Police Commissioner Chris Tang affirmed in April that the police would enforce the law and prosecute journalists should evidence of violations be found. On June 11, the Hong Kong government, under the NSL, announced changes to the Film Censorship Ordinance to enable the Film Censorship Authority to ban any movies “deemed to be supporting or glorifying acts that could endanger national security.”
  • In June, the National Security Department of the Hong Kong Police searched pro-democracy newspaper Apple Daily offices to gather evidence for a case of suspected contravention of the NSL, after the police arrested five senior executives, including the editor-in-chief and the CEO of Apple Daily’s parent company Next Media on suspicion of “colluding with a foreign country or with external elements to endanger national security.”
    In a press conference, the police said that the five arrestees are accused of conspiring with foreign institutions to seek sanctions against China and Hong Kong by publishing dozens of articles in the newspaper, undermining previous assurances that the NSL would not be applied retroactively. Police also froze $2.3 million in assets belonging to Apple Daily and two affiliated companies, leading the Hong Kong stock exchange to suspend trading of Next Media shares. With funds frozen without legal recourse and corporate leadership under arrest, Apple Daily issued its final edition on June 24.

Sanctions Risks

  • The United States has several sanctions authorities targeting certain conduct related to the situation with respect to Hong Kong. U.S. individuals and entities, including businesses, are prohibited from engaging in certain transactions with blocked persons absent a general or specific license from the Department of the Treasury’s Office of Foreign Assets Control (OFAC) or other exemption.
  • A failure to comply with U.S. sanctions can result in civil and criminal penalties under U.S. law. OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities, including foreign financial institutions, that conduct business in or with the United States or U.S. persons, or deal in U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program.
  • In addition to OFAC sanctions, on December 23, 2020, pursuant to the President’s Executive Order 13936, the Department of Commerce’s Bureau of Industry and Security (BIS), removed Hong Kong as a separate destination under the Export Administration Regulations (EAR). Subsequently, all items subject to the EAR that are destined for export, reexport or transfer (in-country) to or from Hong Kong will be treated as exports, reexports or transfers (in-country) to or from the PRC. Exporters should be aware that such restrictions that apply for military end-use or military end-users, including military intelligence, now apply to Hong Kong, since it is now treated as part of the PRC. In addition, Hong Kong government entities were placed on the BIS military end-user restricted list, further affirming that Hong Kong is treated in the same way as the PRC.


  • The political and legislative environment in Hong Kong has changed. The risks to doing business there have changed as well.
  • The risks to business and privacy and the risk of sanctions are significant, but so are the risks to the safety and wellbeing of employees in Hong Kong, which should give pause to any company with employees in the region.
  • Businesses operating in Hong Kong face heightened risks and uncertainty related to PRC retaliation against companies that comply with sanctions imposed by the United States and other countries, including through enforcement of the Countering Foreign Sanctions Law.

What does all of this mean for you and your business?

Business leaders, strategists, financial planners and policy makers should evaluate what the current situation in Hong Kong and China means and how it impacts your organization. As an aid in your planning process, here is a list of recommendations for you to evaluate:

  1. Perhaps the greatest, most important recommendation we have for your business is that you should continue to make yourself aware of the strategic importance of the situation in China and Hong Kong, as well as the most relevant aspects of the ongoing trade and tech tensions. Be sure that you, and all members of your team, are on distribution for the free OODA Daily Pulse. OODA Loop members also have access to several strategic reports written to provide insight on China and these can help level set your entire team (start with our special report on The China Threat).
  2. This topic of geopolitical risk, including this specific topic of Hong Kong and China, is a frequent topic of OODA network monthly meetings. These sessions are only for OODA expert level members. Sign up here to participate directly in discussion of these topics with your peers.
  3. Continuously consider your cybersecurity preparedness and resilience. Cyberattacks will almost certainly continue to shift. Some adversaries may decide to make direct attacks against U.S. organizations to degrade and disrupt production. So stay agile in defense. Ensure your team is following Cybersecurity Best Practices. Red Team your defenses. Leverage deception in your defenses. Protect the communications of your executive team.
  4. Analyze your technology dependencies. Do any of your corporate communications depend on Hong Kong as a hub? What about those of your suppliers?
  5. Review your current intentions regarding M&A or divestiture. Do any transactions impact business with Hong Kong or PRC-based companies?

As an OODA member we also ask that you keep us in the loop on how the OODA Network can best serve your interests. Reply to any of our newsletters or contact us here. 




Bob Gourley

Bob Gourley is the co-founder and Chief Technology Officer (CTO) of OODA LLC, the technology research and advisory firm with a focus on artificial intelligence and cybersecurity which publishes and Bob is the author of the book The Cyber Threat. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.