The new personal data protection regime for the Companies Register is under Phase 1 implementation this month. What does this mean for your business?
On 18 June 2021, the Government of the Hong Kong Special Administrative Regions published updates to the Companies Ordinance regarding public inspection of personal information in the Hong Kong Companies Registry. Having been tabled at the Legislative Council (LegCo), Phase 1 of the new personal data protection regime will be implemented from 23 August 2021.
Under the new personal data protection regime, only “Specified Persons” can access the correspondence addresses of directors and partial identification numbers (IDNs) of directors, company secretaries and other relevant persons. “Specified Persons” are also required to confirm that the personal information obtained would only be used for the performance of their functions.
Concerns were expressed by various professional parties and bodies when the new regime was first introduced as it will both tighten the personal information made available in the Companies Register and limit the individuals who can access such information . Previously, the Usual Residential Addresses (URAs) of directors and full IDN of directors, company secretaries and other relevant persons were available to the public in the Companies Register. The URAs and full IDN are collectively referred to as “Protected Information”.
Who are “Specific Persons”?
The list of “Specified Persons” allowed to access information on company director URAs and full IDNs will be extended to include:
- member of the company;
- a public officer or public body;
- a person/organisation appointed or provided under statute who needs to use Protected Information for execution of statutory functions ;
- a solicitor who practises law in a Hong Kong firm and a foreign lawyer who practices foreign law in a Hong Kong firm or a foreign firm under the Legal Practitioners Ordinance (Cap. 159);
- a certified public accountant (practising) under the Professional Accountants Ordinance (Cap. 50);
- an authorized institution under the Banking Ordinance (Cap. 155); and
- a financial institution (e.g. a securities company, an insurance company, a money service operator, a Stored Value Facility Licensee, etc.) and designated non-financial businesses and professions (including accounting and legal professionals, estate agents, and Trust or Company Service Provider Licensees) regulated under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615).
What is the timeline of implementation?
The new personal data protection regime will be implemented in three phases:
- Phase 1 – from 23 August 2021, companies may replace URAs of directors with their correspondence addresses, and replace full IDNs of directors and company secretaries with their partial IDNs for the purpose of public inspection on their own registers;
- Phase 2 – from 24 October 2022, Protected Information on the Index of Directors kept in the Companies Registry will be replaced with correspondence addresses and partial IDNs for the purpose of public inspection. Protected Information available in documents filed after commencement of Phase 2 will not be available for public inspection. “Specified Persons” can apply to the Companies Registry for access to Protected Information of directors and other persons; and
- Phase 3 – from 27 December 2023, data subjects can apply to the Companies Registry for protecting from public inspection their Protected Information contained in documents previously filed to the Companies Registry before commencement of Phase 2, and replace such information with their correspondence addresses and partial IDNs. “Specified Persons” can apply to the Companies Registry for access to Protected Information of directors and other persons.
Why it is relevant to you?
The Protected Information of directors and other persons have regularly been relied upon by investors, financial institutions and professionals in commercial due diligence, litigations and investigations. During the implementation period, businesses are strongly recommended to carry out a comprehensive assessment of the implications of the new personal data protection regime on their existing procedures and practices of carrying out Companies Register searches, in particular on who should carry out the searches and the usage of the Protected Information obtained. Appropriate measures should be taken to adopt to the new regime and manage the potential increased compliance and business risks as less information will be available for review in the future.