OLN

OLN Marketing

OLN Ranked in ALB’s 2018 IP Rankings

by

Asian Legal Business (ALB) has released Intellectual Property Rankings 2018 and we are delighted to announce that OLN has been ranked across all categories in China and Hong Kong.

Maintaining last year’s rankings, OLN is ranked at Tier 2 in Hong Kong for both Patents and Trademark / Copyright, and continues to hold its ranking at Tier 3 for both categories in China.

Our Intellectual Property team provides practical advice and solutions with our understanding of the latest regulations and practices, the frequent updates of local government policies and branding positions in the Chinese-speaking market.

Congratulations to our Intellectual Property team for getting ranked!

Vera Sung

Evelyne Yeung

Eunice Chiu

Angel Luo

Anna Chan

Jonathan Lam

About ALB and the IP Rankings

Thomson Reuters’s Asian Legal Business magazine provides current analysis and information on law-related issues throughout the Asia region. ALB drew information from firm submissions, interviews, editorial resources and market suggestions to identify and rank the top firms for Intellectual Property in Asia. The rankings were based on the firm’s visibility and profile in the region, the volume, complexity and size of work undertaken, key personnel hires and growth of the practice group, key clients and new client wins, and its presence across Asia and in individual jurisdictions.

Personal Data Protection Comes to China

by

China’s long-awaited new National Standards on Information Security Technology – Personal Information Security Specification GB/T 35273-2017 (the “Regulations”) came into force on May 1, 2018. The Regulations are arguably China’s most important personal data protection rules, representing new standards for the handling of personal data.

The Regulations supplement rather than abrogate China’s existing patchwork of data protection laws and regulations. Although the Regulations themselves are not legally binding, they dovetail with China’s 2017 Cybersecurity Law and Consumer Protection Law which are binding. Furthermore, over the coming months, regulators will be pressing for compliance with the Regulations, so organisations operating in China are strongly advised to review and update their China data protection policies and practices to reflect the new standards.

Summary of Key Features

Clarification of key data protection conceapts and definitions
Personal data is defined as either “personal information” or “sensitive personal information” with the latter subject to more stringent data protection (eg: all personal information of persons under 14 years of age is categorized as “sensitive personal information”).
Explicit consent is required for collection of sensitive personal information or use of personal information for any new purpose.
Inclusion of certain prescribed information in all privacy notices, including but not limited to (for business use) personal information collection and processing rules such as the collection method and frequency, place of storage, and frequency of collection; if data is shared, disclosed or transferred, the types of data involved, the types of the data recipients, and rights and obligations of each party; data subject rights, and complaint handling; security principles followed, and security measures implemented.
Personal information security impact assessments are required for: (i) outsourcing of data processing; (ii) sharing and transfer of personal information; or (iii) disclosing personal information to public.
All personal information collected/produced in China and transferred to or shared with offshore parties requires a security assessment and all such assessments must be conducted in accordance with yet-to-be-released official standards and procedures.
All requests for access to, correction of, copies and deletion of personal information, and withdrawal of consent must be responded to within 30 days, and there should be no charge for any reasonable request unless repeated requests are made within a certain period of time.
New standards and procedures for effective data protection that organisations need to comply with and include: (i) drafting, implementing and updating privacy policies and corresponding procedures; (ii) privacy training; (iii) security impact assessments and audits.
Organisations must appoint a data protection officer and a dedicated data security team to be directly responsible for the protection of personal information.
Data breach notifications: a specific incident response plan is required together with periodic reviews and rehearsals and organisations must keep a record of incidents detailing the scope of such breaches.
Periodic data protection impact assessments which must be carried out at least annually.
 

OLN Insights

The Regulations do not bring China’s data protection framework as close to GDPR standards as some commentators have predicted but they are an unmistakable sign both that the PRC government takes data protection seriously and is moving towards adopting international best practices in this space. This will be welcomed by international businesses currently undertaking GDPR compliance reviews and who are now turning their attention to their China practices. Nevertheless, clear local distinctions (notably regarding data localisation, the requirement for consent, and restrictions on handling of non-personal data) remain in China and must be specifically addressed.

Over the course of the next year or so, we should see new and updated national standards promulgated to cover key areas such as data anonymisation, handling of big data, overseas data transfers, and diverse aspects of information security. Some of these implementing standards will simply adapt existing ISO standards.

We are continuing to monitor regulatory developments in this space and will report as and when they occur. In the meantime, organisations with data exposure to China need to appreciate that enforcement action in the data protection sphere is already a reality in China and as this regulatory and enforcement framework continues to evolve, they need to take steps now to review and update their compliance programmes to ensure these comply with the Regulations.

Hong Kong Broadband Hack

by

Recent hacks into the customer databases of a telecommunications company and travel agencies have put the spotlight on how companies retain customer data and may lead to a revamp of data protection law in Hong Kong. These developments have far-reaching implications for insurers, who in the course of providing insurance services to the public, collect and process large amounts of personal data relating to existing, prospective and former customers.

HK Broadband Data Breach

Hong Kong Broadband Network, the second largest fixed-line residential broadband provider in Hong Kong, revealed a few weeks ago that an inactive customer database on an active server had been accessed without its authorization. Private information of some 380,000 former and existing customers was potentially compromised in the hack, including their names, ID card numbers, home addresses, telephone numbers and credit card details. The personal information dated back to 2012 and included information of customers who had not been active since 2012. It later came to light that the compromised inactive database was not encrypted, unlike other active databases maintained by the company.

With the fallout from the hack, including extensive media reports and initiation of a compliance review by Hong Kong’s Privacy Commissioner for Personal Data, the company announced that it would purge the data of 900,000 former customers and reduce its information retention period on past customers from seven years to six months. In this regard, Hong Kong Broadband admitted that it had mistakenly applied its 7-year rule for retention of business records to customer information as well. Going forward, the company indicated that it will not only shorten its data retention period for past customers but also change the way existing customer information is stored. In particular, Hong Kong ID card numbers and credit card numbers held in customer databases would have some digits deleted to make the information less attractive to hackers.

Implications for Insurers

Currently, Hong Kong’s Personal Data (Privacy) Ordinance, which has been in force since 1996, does not definitively state how long data users should keep personal data. Data Protection Principle 2(2) merely provides that personal data should not be kept “longer than is necessary for the fulfillment of the purpose (for which the data was to be used)”. However, Privacy Commissioner Stephen Wong has indicated that he is satisfied with the remedial actions to be taken by Hong Kong Broadband. A 2004 case arising from a complaint to the Privacy Commissioner by an unsuccessful insurance applicant regarding retention of his application data by the insurer is also instructive.

In that case, an investigation by the Office of the Privacy Commissioner for Personal Data (“PCPD”) found that the insurer’s practice was to retain personal data of unsuccessful insurance applicants for an indefinite period of time. In support of this practice, the insurer cited legal requirements for keeping books of accounts and the need to maintain a record in case of future applications, inquiries, potential litigation and complaints. The Commissioner at the time found however that those reasons did not justify the indefinite retention of personal data where money transactions (e.g. involving the payment of premiums) were not involved. In such cases, the Commissioner determined that a retention period of 2 years would suffice for the purposes stated. Even where money transactions were involved, the retention period should be limited to 7 years (the period prescribed in applicable ordinances for keeping books of account). The PCPD served an enforcement notice on the insurer requiring it to erase any data which had been kept for longer than the periods prescribed, pursuant to which the insurer erased more than 7000 records.

OLN Insights

Of course, each case has to be considered on its own facts. However, indiscriminate retention of personal data, or blanket retention of personal data for 7 years (or other arbitrary period), will be hard to justify if a complaint is made to the PCPD. Insurers would be well advised to establish a considered policy in relation to their and their agents’ retention and use of data which takes into account the nature of the customer (e.g. existing or former policyholder or unsuccessful applicant) and factors which may justify a longer or shorter retention period.

This is all the more important given that the Privacy Commissioner has indicated that he will review the Personal Data (Privacy) Ordinance to see if it affords enough protection in light of recent data leaks and global trends, including the adoption of a new data protection framework under General Data Protection Regulation (GDPR) in the EU from May 25, 2018. GDPR significantly enhances the data privacy rights of individuals in the EU, including the “right to be forgotten” – or demand erasure of personal data which is “no longer necessary in relation to the purposes for which they were collected”, subject to limited exceptions where retention of the data is required by law or justified in the public interest etc. With the global trend to enhance the data privacy rights of individuals, it will be incumbent on insurers to achieve a deeper understanding of the various purposes for which personal data are kept or processed, since different retention periods may apply according to such purposes. For example, personal data which may not justifiably be retained/used for marketing purposes may nevertheless be retained/used to comply with legal or accounting requirements. Thus, insurers will have to be able to classify data appropriately and have the systems capability to flexibly remove data from certain applications while keeping it for others.

CWS City Challenge 2018

by

Last weekend our staff joined the CWS City Challenge and took part in a race around Hong Kong to raise money for the Child Welfare Scheme. The scavenger hunt was hours of fun and our two teams managed to arrive in 2nd and 3rd place!

OLN takes its CSR role very seriously and we actively encourage all of our staff to participate across a wide range of community projects. We strive to make a real difference in the community we live and work in, whether it be charity work or acting as mentors for underprivileged children.

For more information on the Child Welfare Scheme, please click here.

Stephen Peaker, Recommended Leading Lawyer 2018

by

OLN is delighted to announce that on March, 9 2018 our Partner, Stephen Peaker, was listed as a “Recommended Leading Lawyer” for the Hong Kong Family & Divorce Lawyers category in the Doyle’s Guide for 2018.

“Recommended” lawyers are those who display particular skills or attributes within the specified area. As Doyle’s is one of the most comprehensive guides to some of the world’s best lawyers, law firms and barristers, we are honoured to have Stephen representing OLN in Hong Kong.

The Family Law Department supports OLN’s other practice areas and have advised in connection with Dispute Resolution and Litigation arising from the death of a spouse, family breakdowns or issues affecting non-traditional family units.

For more information on the award, please click here.

To learn more about Doyle’s Guide, please click here.

How would the new law on Significant Controllers Register concern you?

by

The Anti-Money Laundering and Counter-Terrorist Financing (Financial Institution) (Amendment) Ordinance 2018 (the “AML (Amendment) Ordinance”) and the Companies (Amendment) Ordinance 2018 (the “Companies (Amendment) Ordinance”) has come into effect on 1 March 2018.

The SCR regime

The Companies (Amendment) Ordinance imposes a new obligation on HK companies to identify its beneficial ownership and members with significant control and to maintain a Significant Controller Register (“SCR”) which is to be kept together with the company kits and other registers such as the Registers of Members and Directors. If a company fails to comply with any of the requirements under the new SCR regime, the company and each of its responsible persons commit an offence and each will be liable to a fine of HK$25,000 and a further daily fine HK$700 whenever applicable. Please refer to our firm’s article on “The Companies (Amendment) Ordinance 2018” for more details.

There are a few salient points to note in relation to SCR:-

  • SCR requirement is not only applicable to limited companies but also to companies limited by shares, companies limited by guarantee or unlimited companies. Only companies listed on the Hong Kong Stock Exchange (but not listed overseas) are exempted.
  • SCR is not for public inspection. However, the SCR has to be ready for inspection by law enforcement agencies, including but not limited to the Hong Kong Police Force, the Customs and Excise Department and the Inland Revenue Department (the “IRD”).
  • It is not specified in the Companies (Amendment) Ordinance as to whether information contained in the SCR will be surrendered by the law enforcement agencies to tax authorities in other countries. It shall, however, be noted that as part of our tax reform initiatives, Hong Kong has entered into numerous Automatic Exchange of Information agreement (the “AEoI”) with other jurisdiction to exchange information with overseas tax authorities. More AEoIs with others are expected to come. Assuming the UK’s HM Revenue & Customs, which is already an AEoI partner of Hong Kong, requests the IRD to surrender information regarding the ultimate beneficiar(ies) or significant controller(s) of a HK company, IRD may theoretically forward the information gathered from the company’s SCR to the HMRC. To know more about AEoI, please refer to our related article “Is your personal data at stake because of the increased transparency in tax administration through Automatic Exchange of Information (“AEOI”)?
  • The new SCR regime also requests company to have at least one designated representative whose role is to provide assistance to the Companies Registry and the law enforcement agents on SCR related matters. The Companies Registry has made clear that there would be no personal liability associated with acting as a designated representative of an Applicable Company.

AML (Amendment) Ordinance

Apart from imposing the new requirement on Trust or Company Service Providers (the “TCSP”) to obtain a license from the Companies Registry for carrying on their business, the AML (Amendment) Ordinance also extends the obligations to conduct customer due diligence (“CDD”) and to do records-keeping to the legal professional, accounting professional, real estate agents and TCSP licensees.

Since 1 March 2018, enhanced CDD measures shall be implemented by the TCSPs to (1) identify and verify the identity of their customers and their beneficial owners; (2) obtain information on the purpose and the intended nature of the business relationship before establishing business relationship with their customers; and (3) identify and verify the identity of the person purporting to act on behalf of their customers.

Accordingly, companies shall be prepared for more KYC and due diligence from its company secretarial service providers in the future.

What can OLN do for you?

OLN can help by reviewing your companies’ structure and identifying the significant controllers of your companies to ensure compliance with the new SCR regime. Please feel free to contact our Anna Chan at anna.chan@oln-law.com or our Victor Ng at victor.ng@oln-law.com