US tech groups resist Hong Kong data-sharing proposal

Google, Amazon Web Services and Microsoft have refused to agree to a proposal that would give Hong Kong regulators access to customer banking records, putting the companies on a collision course with city authorities.

The technology groups have been locked in negotiations since last year with the Securities and Futures Commission, the Hong Kong regulator, over providing access to financial data held on their cloud platforms.

But the dispute has intensified after Beijing imposed a national security law on the Chinese territory last month, according to multiple people with direct knowledge of the discussions.

The law had made signing up to the scheme “politically impossible”, one of the people said.

“Even if there was a minute chance one would sign, that’s impossible now,” the person added, saying the companies feared potential sanctions from US lawmakers who are increasingly circumspect of American companies’ dealings with China.

“My understanding is none of the big US players are on board,” said a lawyer with direct knowledge of the negotiations, which are due to continue until the end of the year when the regulations are due to come into force.

Google, AWS and Microsoft all declined to comment.

The SFC regulations are separate to the security law and were intended to enable faster access to corporate records during raids by regulators. They would force the cloud services providers to grant access without notifying their customers, a practice the tech groups worry could compromise their privacy obligations to clients.

“Cloud providers are not comfortable with that,” said Carolyn Bigg, a Hong Kong-based technology lawyer at DLA Piper.

The SFC said it was not aiming to regulate cloud providers and was “actively engaging and working” with providers to find a common resolution.

Under the national security law, tech company executives could face fines and jail terms if they do not comply with orders to co-operate with data requests.

“The SFC undertaking presents a unique set of contractual challenges to private companies, and the national security law would add to these,” said Lim May-Ann, executive director of the Asia Cloud Computing Association, an industry body that represents cloud providers in the region.

The combination of regulations means “the timing couldn’t be worse”, said a person with knowledge of the SFC’s thinking.

The new law was imposed in response to months of pro-democracy protests last year and marks the first time a Chinese law carrying criminal penalties has been introduced into Hong Kong’s legal code.

Google and Microsoft said they would temporarily stop acceding to requests for user data after the law was introduced last month.

Banks that rely on US cloud services are already scrambling to navigate both potential sanctions against Chinese officials and the national security law, which forbids compliance with measures targeting Beijing. US President Donald Trump on Tuesday signed legislation clearing the way for sanctions.

They also worry that US cloud providers could exit the city or move out infrastructure such as data centres, according to one person familiar with their thinking. This could force banks to switch to local providers or transfer their records to servers on their premises, raising concerns about cyber security and increased costs.