Skip to main content
Sujets à suivre
Featured Insights
Voir tout
Voir tout
À propos de notre cabinet d’avocats
  • Accueil
  • Insights
  • Traveling Abroad? Your Phone May Be The First Checkpoint: The Expanding Reach of Electronic Device Searches
avril 17 2026

Traveling Abroad? Your Phone May Be The First Checkpoint: The Expanding Reach of Electronic Device Searches

Auteurs:
Télécharger le PDF
Share

Introduction

Electronic devices such as mobile phones, tablets, and laptops routinely store years of sensitive company and personal information, including emails, confidential communications, financial records, and personal details ranging from health data to family photographs. That concentration of data has made the legal authority of border officials to request or require access to electronic devices one of the most pressing compliance issues for multinational organizations and their employees.

Several jurisdictions have expanded—or more actively exercised—their border inspection and enforcement powers in recent years, driven by evolving national security priorities and advances in digital surveillance capabilities. While the specific legal frameworks vary, the overall trend is clear: governments are asserting broader authority to access and review the contents of electronic devices carried by travelers.

Recent developments in Hong Kong and the United States illustrate the range of approaches and the compliance challenges they create.

Hong Kong: Scope of the Recent Amendments

On March 23, 2026, the Hong Kong Special Administrative Region (HKSAR) government published amendments to the Implementation Rules for Article 43 of the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region. The amendments expand the powers of law enforcement officers in matters involving suspected national security offenses.

Under the amended rules, police officers may require any person suspected of endangering national security to provide passwords, decryption keys, or other information necessary to access electronic devices. The Hong Kong government has clarified that officers generally need a court warrant issued by a magistrate, although a warrantless search may be conducted in certain circumstances. The amendments also empower officers to seize items deemed to have “seditious intention” (i.e., intent to incite civil disorder or dissent) even where there has been no arrest in connection with those items.

The penalties for noncompliance are significant. Refusing to provide a password or decryption assistance is now a criminal offense punishable by up to one year of imprisonment and a fine of up to HK$100,000 (approximately US$12,800). Providing false or misleading information carries a more severe penalty of up to three years of imprisonment and a fine of up to HK$500,000 (approximately US$64,000).

These obligations apply to all individuals in Hong Kong, including residents, visitors, and those transiting through Hong Kong‘s airport. The law further extends to anyone an officer believes to know a relevant password, potentially encompassing administrative assistants or family members who may have access to a device.

The amendments fall within the broader framework of the National Security Law (NSL), which was imposed by mainland China in 2020 and punishes acts including secession, terrorism, subversion, and collusion with foreign forces with penalties up to life imprisonment.

United States: Border Search Authority

In contrast, the United States illustrates how a different legal system addresses the same fundamental tension between border security and digital privacy. While both governments permit the inspection of electronic devices at the border, the legal frameworks, procedural safeguards, and consequences for noncompliance differ significantly.

US Customs and Border Protection (CBP) may conduct “basic” manual searches of electronic devices without a warrant or individualized suspicion, and “advanced” forensic searches (e.g., connecting equipment to copy and/or analyze stored data) generally require reasonable suspicion or a national security justification.

CBP emphasizes that it uses border searches of electronic devices to identify illicit activities and evaluate statements regarding travelers’ intentions upon entry or exit. The consequences for refusing to unlock a device at a US border or airport depend on the traveler’s citizenship or immigration status: US citizens cannot be denied entry for refusing; noncitizens may be refused admission. In both instances, the device may be detained for further examination.

Beyond the legal framework itself, a key development is the marked shift in enforcement posture. Over the last few years, as part of an enhanced vetting and admissibility review process, searches of electronic devices have grown significantly. Increasingly, border searches focus not only on what travelers are physically carrying, but also on their digital footprint as a means of assessing intent and risk profile.

In a Privacy Impact Assessment (PIA), the Department of Homeland Security observed that, in the past, a traveler might have carried a briefcase containing pictures, work materials, personal notes, or journals, but with the availability of electronic storage, both locally on devices and in the cloud, the amount of personal and business information carried across the border by a single individual has “increased exponentially.” According to the PIA, smartphones and tablets are now used for communications and sharing personal thoughts in ways a physical briefcase never was, making “a search of their electronic device more invasive due to the amount of information potentially available on and now accessible by electronic devices.”

Recently, there has been an increase in requests to unlock devices or provide passwords. Although travelers are not always legally compelled to comply, the practical consequences of refusal are significant and include device seizure, processing delays, or denial of entry for non-US citizens. Once access is granted, forensic capabilities allow for more sophisticated analysis of device data, although CBP policy prohibits officers from using a device to access information that is solely stored remotely, and devices must be placed in airplane mode during inspection.

These developments do not reflect a change in the underlying legal authority. Rather, the Department of Homeland Security is using longstanding authorities more actively, supplemented by clarifying guidance. Most recently, CBP issued a directive in January 2026 that builds on prior policies by clarifying the scope of permissible searches at the US border.

Comparing the Two Frameworks

Feature Hong Kong (March 2026 Amendments) United States (CBP)
Legal Basis National Security Law implementing rules enacted by executive order bypassing the legislature Border search exception to the Fourth Amendment, supported by statutory authority under Titles 6, 8, and 19 of the US Code; CBP Directive No. 3340-049B, updated on January 12, 2026; (circuits are split on whether Fourth Amendment requires a warrant)
Warrant Requirement Magistrate‘s warrant generally required; warrantless search permitted in certain circumstances Basic searches require no suspicion; advanced searches (using forensic tools) require reasonable suspicion and senior manager approval under CBP policy
Criminal Penalty for Refusal Up to one year imprisonment and HK$100,000 fine No criminal prosecution for refusal; however, device may be detained, and noncitizens may face adverse admissibility consequences
Scope of Application All persons in Hong Kong, including transit passengers at the airport All persons at US ports of entry, including airports, land borders, and seaports
Cloud Data Access Amendments do not explicitly restrict scope to data stored on the device CBP policy prohibits officers from accessing information stored solely in the cloud; devices must be placed in airplane mode
Prevalence of Searches Not yet publicly reported

CBP reported more than 55,000 electronic device searches at US borders in FY 2025; recent historic annual totals are:

FY 2018: 33,296

FY 2019: 40,913

FY 2020: 32,038

FY 2021: 37,450

FY 2022: 45,499

FY 2023: 41,767

FY 2024: 47,047

FY 2025: 55,318

Global Implications for Organizations and Travelers

The developments in Hong Kong and the United States reflect a broader global shift in how governments approach device inspections at borders. Organizations accustomed to routine business travel may assume that if their travel patterns have not changed, their risk profile has not changed either. That assumption is increasingly unreliable. Expanded inspection powers and/or enforcement postures do not just affect individual travelers; they also expose the organizations that employ them, and the compliance challenges they present increasingly span multiple jurisdictions.

Legal protections applicable in one jurisdiction, such as attorney-client privilege, may not be recognized by officials enforcing the national security or border laws of another. Any data accessible on or through a device, including privileged communications, client work product, email correspondence, text messages, photographs, financial applications, and stored credentials, may fall within the scope of compelled disclosure. Where inspection protocols do not clearly distinguish between locally stored data and information accessible through the device, a traveler who is logged into cloud-based email, document management, or collaboration platforms at the time of examination could inadvertently expose far more than what is physically stored on the device. Hong Kong’s amended rules contain no limitation on cloud-based access; the United States, by contrast, has an explicit policy against accessing cloud-stored content. This distinction underscores the importance of understanding the specific rules in each jurisdiction through which employees travel.

At the same time, organizations subject to foreign data protection regimes (e.g., the European Union’s General Data Protection Regulation (GDPR); mainland China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law; and similar frameworks in other locations) may face conflicting legal obligations. For example, a duty to protect personal data under the laws of one jurisdiction may clash with a legal obligation to disclose that same data under the laws of another. Compelled disclosure at any border could trigger notification obligations, contractual breaches, or regulatory exposure.

Technical safeguards such as encryption and strong password protections remain important security practices, but they do not change the legal calculus in jurisdictions that criminalize a refusal to decrypt. Where the law explicitly requires travelers to provide access credentials, technical protections cannot be relied upon to prevent disclosure.

Further, where authorities have the power to seize and retain devices, travelers may lose access to critical business tools for an indeterminate period, with consequences that extend well beyond the individual to the organization‘s operational continuity. For example, when a senior executive‘s device is seized, the disruption may ripple across the business, affecting deal timelines and client relationships.

Key Takeaways

The issues raised by Hong Kong’s and the United States’ respective border inspection laws and practices are not limited to those jurisdictions. The organizations best positioned to manage expanding border inspection authority are those that treat the issue as a cross functional planning matter rather than an isolated legal question tied to any single destination. As with heightened scrutiny at US borders, the travelers and companies that fare best are those that have prepared in advance. The following steps are designed to be practical, globally applicable, and implementable.

For Travelers
  • Know the law in every jurisdiction you enter or transit. Inspection powers vary widely. Understand the specific authorities that border officials may exercise in each country through which you travel, including transit stops.
  • Travel with the appropriate device. Review the data stored on the device to determine whether you are comfortable with it being subject to inspection. Consider using a dedicated travel device that is configured only with the applications and limited data necessary for your trip. The contents of any device you carry should be proportionate to the purpose of your travel. For example, if you are attending a conference, there is generally no need to have access to your full client file archive. Taking this approach not only minimizes exposure in the event of inspection, but also mitigates practical concerns associated with international travel, such as loss, theft, or unauthorized access.
  • Manage your digital footprint. Before departure, log out of all cloud-based email, document management systems, messaging platforms, and collaboration tools on the device you intend to carry. This step is particularly important when traveling through jurisdictions that do not clearly restrict inspections to locally stored data.
  • Anticipate questions at the border. If you are asked to explain your travel or device contents during inspection, stay composed and respond clearly and concisely. You should be able to describe the purpose of your trip in one or two sentences. Know your rights under local law and the limits of those rights. Attorneys should be prepared to assert privilege as appropriate.
  • Follow company protocols and have key contacts accessible. Adhere to your organization‘s travel and security protocols, and ensure you have a designated company or legal point of contact readily available. Store the contact information and your home country‘s consulate details in a format accessible even if your device is seized. US citizens may also enroll in the State Department‘s Smart Traveler Enrollment Program.
For Organizations
  • Update travel and data governance policies. Evaluate whether the existing frameworks address the risk of compelled disclosure at borders and whether they account for potential conflicts with data and privacy obligations under the GDPR, mainland China‘s data protection laws, and other applicable frameworks. Policies should be jurisdiction-specific and regularly updated as new inspection laws and directives take effect.
  • Provide pre-travel briefings. Employees traveling to or through jurisdictions with expanded border inspection authority should receive clear, practical guidance not just on the law, but on how to prepare devices, what data to carry, what to leave behind, how to respond to inspection requests, and what to expect at the border. Advance preparation is far more effective than attempting to assert privilege or manage a crisis at the border reactively. Mayer Brown can deliver jurisdiction-specific briefings tailored to your organization‘s risk profile and travel patterns.
  • Establish travel protocols. Consider implementing a process for employees to request dedicated travel devices. This is not intended to evade inspection; rather, it is a recognized approach to limiting the volume of sensitive data that could be exposed during any border interaction or loss or theft of a device during travel.
  • Coordinate across functions. Effective management of these risks requires coordination across legal, compliance, privacy, Information Technology, human resources, and the business teams that authorize travel. Organizations should monitor which employees travel to or through high-risk jurisdictions and how frequently. They should also ensure that critical data and workflows are not dependent on a single device.
  • Monitor legal and regulatory developments. Border inspection practices and governing frameworks are evolving rapidly across multiple jurisdictions. Organizations should monitor enforcement actions and policy changes that may affect border inspection authority in every jurisdiction relevant to their operations.

Conclusion

The expanding scope of governmental authority to inspect electronic devices at borders is a global trend with significant implications for multinational organizations and international travelers.

These developments require immediate attention to travel protocols, data governance frameworks, and the sensitive information stored on or accessible through electronic devices. With thoughtful planning and cross-functional coordination, these risks can be mitigated.

Mayer Brown will continue to monitor developments across jurisdictions and provide timely updates. We are available to support proactive planning, pre-travel briefings, compliance assessments, and risk management solutions tailored to your organization‘s needs.

Auteurs

Compétences et Secteurs liés

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe

Follow us

© 2026 Mayer Brown. All Rights Reserved

 

 

Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong LLC (“PKW”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong Pte. Ltd. More information about the individual Mayer Brown Practices and PKW can be found in the Legal Notices section of our website.

“Mayer Brown” and the Mayer Brown logo are the trademarks of Mayer Brown.

Attorney Advertising. Prior results do not guarantee a similar outcome.