Google admitted that it handed over user data to the Hong Kong government in response to three requests between July and December.
The data transfer came after Hong Kong implemented aggressive security laws written by Beijing policymakers. At the time, Google joined Facebook, Zoom, LinkedIn, Apple, Twitter, and others in saying they would not provide user data.
The company said it would not respond to any data requests unless they were made through the bilateral Mutual Legal Assistance Treaty (MLAT) with the US Justice Department. But Google told the Hong Kong Free Press it decided to provide data three times, out of 43 requests, because of credible threats to life.
The new National Security Law grants significant powers to Chinese authorities to help them combat vague national security threats, including criminalizing seeking to “split” Hong Kong from China, or “colluding” with or “external forces” to spy on China. Such crimes could lead to life imprisonment - possibly in labor camps. National security suspects can be detained for six months before they are charged, and trials can happen behind closed doors.
Beijing has the power to interpret the law, rather than Hong Kong officials.
In particular, the law states (translated) that "when the Hong Kong Special Administrative Region Police Service maintains the national security department to handle crimes against the national security, it may take various measures...[including] Search premises, vehicles, ships, aircraft and other relevant places and electronic equipment where criminal evidence may be stored... Request the information publisher or the relevant service provider to remove the information or provide assistance... With the approval of the Chief Executive, conduct interception of communications and covert surveillance of persons who have reasonable grounds to suspect involvement in crimes against national security."
Google said that one of the instances it handed over data was an emergency disclosure request involving a credible threat to life. The other two were related to human trafficking, and unrelated to national security. Google did not hand over users' content data, it said. Metadata it provided could have included subscriber information including name, associated emails & phone numbers, IP addresses, billing information, timestamps, and email headers.
Facebook rejected an emergency disclosure request from Hong Kong last year, along with 201 other requests. Twitter did not respond to one request. Apple and Microsoft have not published their transparency reports for the period after the law came into force.
Google opened a cloud data center in Hong Kong in 2018, and was soon followed by Amazon Web Services. Major US data center companies like Equinix and Digital Realty also operate data centers in Hong Kong, leasing space to local businesses and US firms.