This final part of the CGj review of the Institute’s 23rd Annual Corporate and Regulatory Update (ACRU), highlights the key takeaways from the afternoon session, featuring speakers from the Companies Registry (CR), the Office of the Privacy Commissioner for Personal Data and the Hong Kong Business Ethics Development Centre of the Independent Commission Against Corruption.

The first two parts of this review focus on the latest trends in listed company regulation, but ACRU is not solely dedicated to the listed company sector. Governance and compliance is just as relevant, of course, to other sectors of the economy and governance professionals work for a wide range of organisations, including private companies, NGOs, social enterprises and public sector entities. This final part of the CGj ACRU review focuses on three topical issues in governance and compliance –  the new inspection regime of Hong Kong’s Companies Register, personal data privacy and anti-corruption.

The Companies Register’s new inspection regime

In 2021, the HKSAR Government set out seven pieces of subsidiary legislation to implement the Companies Register’s new inspection regime. The first afternoon session of the ACRU webinar, chaired by Wendy Ho FCG HKFCG(PE), Institute Council Member and Vice-Chairman of the Professional Development Committee, featured two speakers from the Companies Registry (CR) who clarified the major changes brought in by the new regime.

The compliance implications 

Agnes Wong, Deputy Registry Manager, Registration Division, CR, started with an overview of the new inspection regime, which is designed to restrict public access to the personal data of directors, company secretaries and other parties contained in company registers and on the company’s register held by the CR. This personal data comprises the usual residential addresses (URAs) and full identification numbers (IDNs) of directors, and the full IDNs of company secretaries and some other individuals (such as liquidators and provisional liquidators). Access to this data (Protected Information), will be progressively restricted in three phases.

Phase 1 (commenced 23 August 2021) – companies may withhold the Protected Information contained in their own registers from public inspection.

Phase 2 (commencing 24 October 2022)– In respect of new filings, the CR will withhold the Protected Information from public inspection.

Phase 3 (commencing 27 December 2023) – the individuals concerned may apply to the CR to withhold from public inspection their Protected Information registered with the CR  prior to 24 October 2022.

Ms Wong focused her presentation on the implications of phase 2. In particular, she highlighted a number of compliance obligations companies and governance professionals should be aware of. When phase 2 commences, for example, if a director’s correspondence address was contained in the company’s register of directors, and such address was not the address of the company’s registered office, the company will need to inform the CR of that director’s correspondence address within 15 days after the commencement of phase 2. The relevant form for this will be made available before the October commencement date. The form, along with 25 other specified forms revised to facilitate the implementation of the new inspection regime, will be available for download from the New Inspection Regime section of the CR’s website.

Ms Wong warned that there will be no transitional arrangement regarding delivery of specified forms to the CR for registration. In other words, from 24 October 2022, the CR will only accept the revised specified forms for registration. Forms that are currently in use will no longer be acceptable and will be returned to the document presenters.

The implications for public search services 

The second CR speaker, Fanny Lam, Deputy Registry Manager (Public Search), CR, highlighted the implications of the changes outlined above for public searches of the Companies Register after 24 October 2022. Such searches will no longer have access to the URAs of directors (these will be replaced with correspondence addresses) or the full IDNs of directors, company secretaries and other individuals (these will be replaced with partial IDNs). For groups with the same director name and same partial IDNs, but different full IDNs, Ms Lam explained that in such cases one extra digit of the IDN will be displayed. If one extra digit does not differentiate the records, two extra digits will be displayed at any positions.

Personal data privacy

The second session of the afternoon, chaired by Natalia Seng FCG HKFCG, Institute Past President and Council Member, addressed an issue that has been climbing the agenda for governance professionals for some time – personal data privacy. Two speakers from the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) updated ACRU participants on handling data breaches and Hong Kong’s new doxxing offences.

Handling data breaches

Data breaches have been on the rise for a number of years, whether as a result of malicious cyber attacks on computer systems or the negligent leaks of data by insiders. Such data breaches generally result in reputational harm to the organisation involved, but Clemence Wong, Legal Counsel (Acting), PCPD, reminded ACRU participants that they may also constitute a contravention of the Personal Data (Privacy) Ordinance (PDPO) in Hong Kong. Among the six Data Protection Principles (DPPs) set out in the PDPO, DPP4 requires data users to take all practicable steps to ensure that any personal data held by them would be protected against unauthorised or accidental access, processing, erasure, loss or use. What should companies do, however, if they experience a data breach? The PCPD recommends organisations should endeavour to collate all relevant information related to the breach including, in particular:

  • the kinds of personal data being compromised
  • the impact on the individuals concerned
  • the potential cause of the leakage, as well as any possible containment measures to be adopted, and
  • contact the stakeholders (for example, service providers, management and affected data subjects) swiftly.

Ms Wong added that, although it is not currently required by the PDPO, those ‘stakeholders’ should include the PCPD. ‘The PCPD has always encouraged data users to give data breach notifications to the PCPD, in addition to the affected individuals, as we are providing all necessary assistance and the enforcement of the relevant regulatory requirements to minimise the potential damage which might be caused to organisations,’ she said. 

She then highlighted some useful lessons to learn from recent investigations carried out by the PCPD. A recent investigation looked into the handling of a hacker’s intrusion into the email system of Nikkei China (Hong Kong) Ltd. After obtaining the password of one of Nikkei’s email accounts, the hacker gained access to the personal data (including names, email addresses, company names, telephone numbers and credit card data) of over 1,600 Nikkei customers.  

The company sent a data breach notification to the PCPD, but a subsequent investigation by the PCPD found a number of deficiencies in the company’s data security system, including:

  • weak password management
  • retention of obsolete email accounts
  • lack of security controls for remote access, and
  • inadequate security controls on the company’s information system.

Nikkei had failed to take all practicable steps to protect the security of its customers’ personal data in accordance with the requirements of DPP4 and the PCPD issued an enforcement notice to direct it to take the following steps:

  • revise its information security policy
  • devise effective measures to ensure the staff’s compliance with the revised policy
  • engage an independent data security expert to conduct regular reviews and audits
  • develop up-to-date training and education for staff members on information security, and
  • provide documentary proof within two months to show the completion of the items above.

A guide to Hong Kong’s new doxxing offences 

Under a recently enacted amendment to the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject:

  • with an intent to cause any specified harm to the data subject or any family member of the data subject, or
  • being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject (new section 64(3A) of the PDPO).

This new doxxing offence has two tiers differentiated by whether actual harm has been caused to the data subjects or their family members (new section 64(3C) of the PDPO). The first-tier offence attracts a maximum penalty of HK$100,000 and imprisonment for two years, whilst the second-tier offence attracts a maximum penalty of HK$1,000,000 and imprisonment for five years.  

In addition, the revised law also confers on the PCPD certain powers to facilitate investigation of these new doxxing offences, as well as to demand the removal of the doxxing messages. The second PCPD speaker at this year’s ACRU, Dennis Ng, Assistant Privacy Commissioner for Personal Data (Acting) (Legal, Global Affairs & Research), first explained the PCPD is now empowered to:

  • issue written notices to request any person to provide relevant materials, or to answer relevant questions to facilitate investigation (new section 66D of the PDPO) 
  • apply for a warrant to enter and search premises or to access electronic devices (new section 66G of the PDPO)
  • stop, search and arrest any person who is reasonably suspected of having committed a doxxing-related offence (new section 66H of the PDPO), and
  • prosecute a doxxing-related offence triable summarily in the Magistrates’ Court (new section 64C of the PDPO).

In order to swiftly curb the dissemination of unlawful doxxing messages, the PCPD may also issue cessation notices to demand for the removal of a doxxing message, whether it is a written message or an electronic message, involving an individual who is a Hong Kong resident or is present in Hong Kong when the disclosure is made, as long as these elements are satisfied:

  • there is a disclosure of personal data of a data subject without consent, regardless of whether the disclosure is made in Hong Kong or not, and
  • the discloser has an intent or is being reckless as to the causing of any specified harm to the data subject or any family member of the data subject.

Given that the cyberworld has no borders, the new provision contains an extraterritorial element such that a cessation notice may be served on a person in Hong Kong, including an individual in Hong Kong or an internet service provider having a place of business in Hong Kong or, in relation to an electronic message, a service provider outside Hong Kong, which covers the operator of an overseas social media platform, who the PCPD has reasonable grounds to believe is able to take down the subject message (that is, to take a cessation action) (new sections 66K and 66M of the PDPO).  

Mr Ng emphasised that failure to comply with a cessation notice issued by the PCPD is an offence, whereby offenders are liable, on first conviction, to imprisonment for two years and a fine of HK$50,000, and subsequent offenders to imprisonment for two years and a fine of HK$100,000. In case of a continuing offence, a further fine of HK$1,000 (or HK$2,000 for repeated offenders) applies for every day during which the offence continues (new section 66O of the PDPO). 

He added that the PCPD takes doxxing offences very seriously, and had already laid charges on the first doxxing case concerning a contravention of section 64(3A) of the PDPO in May this year, with a number of other ongoing investigation cases. 

Anti-corruption and ethical governance 

This year’s ACRU was fortunate to have a speaker from the Independent Commission Against Corruption (ICAC) to give an update on the latest developments relating to anti-corruption in Hong Kong. Daniel Chui, Executive Director (Acting), Hong Kong Business Ethics Development Centre, ICAC, speaking at the final session of the webinar – chaired by Ernest Lee FCG HKFCG(PE), Institute President – reminded ACRU participants that the reputation of Hong Kong as an international financial centre is closely tied to the concerted effort of the business community in upholding business ethics and its high vigilance  against corruption.  

He also highlighted the valuable role governance professionals can play in ensuring an ethical culture in the organisations they serve. To do this, they need to recognise their dual role – as both advisers and guardians. On the one hand, as employees they are expected to serve the interests of their organisations, but they also have a responsibility to safeguard the interests of the various stakeholders by acting as an internal ‘check and balance’. 

‘In the face of the recent economic downturn, I think it’s even more important for governance professionals to enhance their vigilance and equip themselves to cope with the risks and challenges ahead,’ Mr Chui said.  

He added that anti-corruption measures are increasingly a standard part of companies’ ESG obligations and therefore a core concern for governance professionals in their regulatory compliance function. Under the ESG Guide of the Listing Rules, for example, listed companies are required to disclose their compliance with relevant laws and regulations that have significant impact on the issuer relating to bribery, extortion, fraud and money laundering. They are also required to disclose their policies on these issues. Furthermore, Mr Chui drew participants’ attention to the most recent amendments to Hong Kong’s Corporate Governance Code, which outlines the core elements of a whistleblowing and anti-corruption policy that should be adopted by listed companies. 

Handling conflicts of interest

One of the key defences against corrupt practices is to build an effective internal control system for handling conflicts of interest (COIs). A company should set out clear guidelines for staff to handle such situations so as to safeguard the company’s interest and protect staff from falling into corruption traps. Mr Chui further added that COIs are not only an issue for the private sector. For public servants, serious COIs may even lead to the common law offence of Misconduct in Public Office (MIPO). He alerted ACRU participants that apart from the involved public servant, individuals or business entities connected with the misconduct might also be liable for offences such as conspiracy to MIPO. ‘It is therefore important for individuals who have dealings with public servants to have an understanding of this common law offence,’ he said.

Corruption prevention services of the ICAC

Finally, Mr Chui urged ACRU participants to make use of the many resources made available on the website of the Hong Kong Business Ethics Development Centre of the ICAC. This not only includes a wide range of publications addressing all aspects of anti-corruption and ethical governance, but also the Corruption Prevention Advisory Service of the ICAC. This service can help to review a company’s internal control mechanism and provide consultancy advice to companies on how they can improve.  

‘Our ultimate goal is for companies to build up their own ethical organisational culture, which will form the most robust protection against malpractice and corruption,’ Mr Chui said.

More information is available on the websites of the Companies Registry (www.cr.gov.hk), the Office of the Privacy Commissioner for Personal Data, Hong Kong (www.pcpd.org.hk) and the Hong Kong Business Ethics Development Centre, ICAC (https://hkbedc.icac.hk).