Personal Data Protection Comes to China

May 4, 2018 by OLN Marketing

China’s long-awaited new National Standards on Information Security Technology – Personal Information Security Specification GB/T 35273-2017 (the “Regulations”) came into force on May 1, 2018. The Regulations are arguably China’s most important personal data protection rules, representing new standards for the handling of personal data.

The Regulations supplement rather than abrogate China’s existing patchwork of data protection laws and regulations. Although the Regulations themselves are not legally binding, they dovetail with China’s 2017 Cybersecurity Law and Consumer Protection Law which are binding. Furthermore, over the coming months, regulators will be pressing for compliance with the Regulations, so organisations operating in China are strongly advised to review and update their China data protection policies and practices to reflect the new standards.

Summary of Key Features

  • Clarification of key data protection concepts and definitions.
  • Personal data is defined as either “personal information” or “sensitive personal information”, with the latter subject to more stringent data protection (e.g. all personal information of persons under 14 years of age is categorized as “sensitive personal information”).
  • Explicit consent is required for collection of sensitive personal information or use of personal information for any new purpose.
  • Inclusion of certain prescribed information in all privacy notices, including but not limited to (for business use) personal information collection and processing rules such as the collection method and frequency, place of storage, and frequency of collection; if data is shared, disclosed or transferred, the types of data involved, the types of the data recipients, and rights and obligations of each party; data subject rights, and complaint handling; security principles followed, and security measures implemented.
  • Personal information security impact assessments are required for: (i) outsourcing of data processing; (ii) sharing and transfer of personal information; or (iii) disclosing personal information to the public.
  • All personal information collected/produced in China and transferred to or shared with offshore parties requires a security assessment, and all such assessments must be conducted in accordance with yet-to-be-released official standards and procedures.
  • All requests for access to, correction of, copies and deletion of personal information, and withdrawal of consent must be responded to within 30 days, and there should be no charge for any reasonable request unless repeated requests are made within a certain period of time.
  • New standards and procedures for effective data protection that organisations need to comply with, which include: (i) drafting, implementing and updating privacy policies and corresponding procedures; (ii) privacy training; (iii) security impact assessments and audits.
  • Organisations must appoint a data protection officer and a dedicated data security team to be directly responsible for the protection of personal information.
  • Data breach notifications: a specific incident response plan is required together with periodic reviews and rehearsals, and organisations must keep a record of incidents detailing the scope of such breaches.
  • Periodic data protection impact assessments, which must be carried out at least annually.

OLN Insights

The Regulations do not bring China’s data protection framework as close to GDPR standards as some commentators have predicted but they are an unmistakable sign both that the PRC government takes data protection seriously and is moving towards adopting international best practices in this space. This will be welcomed by international businesses currently undertaking GDPR compliance reviews and who are now turning their attention to their China practices. Nevertheless, clear local distinctions (notably regarding data localisation, the requirement for consent, and restrictions on handling of non-personal data) remain in China and must be specifically addressed.

Over the course of the next year or so, we should see new and updated national standards promulgated to cover key areas such as data anonymisation, handling of big data, overseas data transfers, and diverse aspects of information security. Some of these implementing standards will simply adapt existing ISO standards.

We are continuing to monitor regulatory developments in this space and will report as and when they occur. In the meantime, organisations with data exposure to China need to appreciate that enforcement action in the data protection sphere is already a reality in China and as this regulatory and enforcement framework continues to evolve, they need to take steps now to review and update their compliance programmes to ensure these comply with the Regulations.

Filed Under: China Practice

Hong Kong Broadband Hack

May 2, 2018 by OLN Marketing

Recent hacks into the customer databases of a telecommunications company and travel agencies have put the spotlight on how companies retain customer data and may lead to a revamp of data protection law in Hong Kong. These developments have far-reaching implications for insurers, who in the course of providing insurance services to the public, collect and process large amounts of personal data relating to existing, prospective and former customers.

HK Broadband Data Breach

Hong Kong Broadband Network, the second largest fixed-line residential broadband provider in Hong Kong, revealed a few weeks ago that an inactive customer database on an active server had been accessed without its authorization. Private information of some 380,000 former and existing customers was potentially compromised in the hack, including their names, ID card numbers, home addresses, telephone numbers and credit card details. The personal information dated back to 2012 and included information of customers who had not been active since 2012. It later came to light that the compromised inactive database was not encrypted, unlike other active databases maintained by the company.

With the fallout from the hack, including extensive media reports and initiation of a compliance review by Hong Kong’s Privacy Commissioner for Personal Data, the company announced that it would purge the data of 900,000 former customers and reduce its information retention period on past customers from seven years to six months. In this regard, Hong Kong Broadband admitted that it had mistakenly applied its 7-year rule for retention of business records to customer information as well. Going forward, the company indicated that it will not only shorten its data retention period for past customers but also change the way existing customer information is stored. In particular, Hong Kong ID card numbers and credit card numbers held in customer databases would have some digits deleted to make the information less attractive to hackers.

Implications for Insurers

Currently, Hong Kong’s Personal Data (Privacy) Ordinance, which has been in force since 1996, does not definitively state how long data users should keep personal data. Data Protection Principle 2(2) merely provides that personal data should not be kept “longer than is necessary for the fulfillment of the purpose (for which the data was to be used)”. However, Privacy Commissioner Stephen Wong has indicated that he is satisfied with the remedial actions to be taken by Hong Kong Broadband. A 2004 case arising from a complaint to the Privacy Commissioner by an unsuccessful insurance applicant regarding retention of his application data by the insurer is also instructive.

In that case, an investigation by the Office of the Privacy Commissioner for Personal Data (“PCPD”) found that the insurer’s practice was to retain personal data of unsuccessful insurance applicants for an indefinite period of time. In support of this practice, the insurer cited legal requirements for keeping books of accounts and the need to maintain a record in case of future applications, inquiries, potential litigation and complaints. The Commissioner at the time found however that those reasons did not justify the indefinite retention of personal data where money transactions (e.g. involving the payment of premiums) were not involved. In such cases, the Commissioner determined that a retention period of 2 years would suffice for the purposes stated. Even where money transactions were involved, the retention period should be limited to 7 years (the period prescribed in applicable ordinances for keeping books of account). The PCPD served an enforcement notice on the insurer requiring it to erase any data which had been kept for longer than the periods prescribed, pursuant to which the insurer erased more than 7000 records.

OLN Insights

Of course, each case has to be considered on its own facts. However, indiscriminate retention of personal data, or blanket retention of personal data for 7 years (or other arbitrary period), will be hard to justify if a complaint is made to the PCPD. Insurers would be well advised to establish a considered policy in relation to their and their agents’ retention and use of data which takes into account the nature of the customer (e.g. existing or former policyholder or unsuccessful applicant) and factors which may justify a longer or shorter retention period.

This is all the more important given that the Privacy Commissioner has indicated that he will review the Personal Data (Privacy) Ordinance to see if it affords enough protection in light of recent data leaks and global trends, including the adoption of a new data protection framework under General Data Protection Regulation (GDPR) in the EU from May 25, 2018. GDPR significantly enhances the data privacy rights of individuals in the EU, including the “right to be forgotten” – or demand erasure of personal data which is “no longer necessary in relation to the purposes for which they were collected”, subject to limited exceptions where retention of the data is required by law or justified in the public interest etc. With the global trend to enhance the data privacy rights of individuals, it will be incumbent on insurers to achieve a deeper understanding of the various purposes for which personal data are kept or processed, since different retention periods may apply according to such purposes. For example, personal data which may not justifiably be retained/used for marketing purposes may nevertheless be retained/used to comply with legal or accounting requirements. Thus, insurers will have to be able to classify data appropriately and have the systems capability to flexibly remove data from certain applications while keeping it for others.

Filed Under: Insurance

CWS City Challenge 2018

March 22, 2018 by OLN Marketing

Last weekend our staff joined the CWS City Challenge and took part in a race around Hong Kong to raise money for the Child Welfare Scheme. The scavenger hunt was hours of fun and our two teams managed to arrive in 2nd and 3rd place!

OLN takes its CSR role very seriously and we actively encourage all of our staff to participate across a wide range of community projects. We strive to make a real difference in the community we live and work in, whether it be charity work or acting as mentors for underprivileged children.

For more information on the Child Welfare Scheme, please click here.

Filed Under: Latest News

Stephen Peaker, Recommended Leading Lawyer 2018

March 13, 2018 by OLN Marketing

OLN is delighted to announce that on March 9, 2018 our Partner, Stephen Peaker, was listed as a “Recommended Leading Lawyer” for the Hong Kong Family & Divorce Lawyers category in the Doyle’s Guide for 2018.

“Recommended” lawyers are those who display particular skills or attributes within the specified area. As Doyle’s is one of the most comprehensive guides to some of the world’s best lawyers, law firms and barristers, we are honoured to have Stephen representing OLN in Hong Kong.

The Family Law Department supports OLN’s other practice areas and has advised in connection with Dispute Resolution and Litigation arising from the death of a spouse, family breakdowns or issues affecting non-traditional family units.

For more information on the award, please click here.

To learn more about Doyle’s Guide, please click here.

Filed Under: Latest News

How would the new law on Significant Controllers Register concern you?

March 6, 2018 by OLN Marketing

The Anti-Money Laundering and Counter-Terrorist Financing (Financial Institution) (Amendment) Ordinance 2018 (the “AML (Amendment) Ordinance”) and the Companies (Amendment) Ordinance 2018 (the “Companies (Amendment) Ordinance”) came into effect on 1 March 2018.

The SCR regime

The Companies (Amendment) Ordinance imposes a new obligation on HK companies to identify their beneficial ownership and members with significant control and to maintain a Significant Controller Register (“SCR”), which is to be kept together with the company kits and other registers such as the Registers of Members and Directors. If a company fails to comply with any of the requirements under the new SCR regime, the company and each of its responsible persons commit an offence and each will be liable to a fine of HK$25,000 and a further daily fine of HK$700 whenever applicable. Please refer to our firm’s article on “The Companies (Amendment) Ordinance 2018” for more details.

There are a few salient points to note in relation to SCR:-

  • SCR requirement is not only applicable to limited companies but also to companies limited by shares, companies limited by guarantee or unlimited companies. Only companies listed on the Hong Kong Stock Exchange (but not listed overseas) are exempted.
  • SCR is not for public inspection. However, the SCR has to be ready for inspection by law enforcement agencies, including but not limited to the Hong Kong Police Force, the Customs and Excise Department and the Inland Revenue Department (the “IRD”).
  • It is not specified in the Companies (Amendment) Ordinance whether information contained in the SCR will be surrendered by the law enforcement agencies to tax authorities in other countries. It shall, however, be noted that as part of our tax reform initiatives, Hong Kong has entered into numerous Automatic Exchange of Information agreements (the “AEoI”) with other jurisdictions to exchange information with overseas tax authorities. More AEoIs with others are expected to come. Assuming the UK’s HM Revenue & Customs, which is already an AEoI partner of Hong Kong, requests the IRD to surrender information regarding the ultimate beneficiar(ies) or significant controller(s) of a HK company, IRD may theoretically forward the information gathered from the company’s SCR to the HMRC. To know more about AEoI, please refer to our related article “Is your personal data at stake because of the increased transparency in tax administration through Automatic Exchange of Information (“AEOI”)?”
  • The new SCR regime also requests each company to have at least one designated representative whose role is to provide assistance to the Companies Registry and the law enforcement agents on SCR related matters. The Companies Registry has made clear that there would be no personal liability associated with acting as a designated representative of an Applicable Company.

AML (Amendment) Ordinance

Apart from imposing the new requirement on Trust or Company Service Providers (the “TCSP”) to obtain a license from the Companies Registry for carrying on their business, the AML (Amendment) Ordinance also extends the obligations to conduct customer due diligence (“CDD”) and to keep records to legal professionals, accounting professionals, real estate agents and TCSP licensees.

Since 1 March 2018, enhanced CDD measures shall be implemented by the TCSPs to (1) identify and verify the identity of their customers and their beneficial owners; (2) obtain information on the purpose and the intended nature of the business relationship before establishing business relationship with their customers; and (3) identify and verify the identity of the person purporting to act on behalf of their customers.

Accordingly, companies shall be prepared for more KYC and due diligence from their company secretarial service providers in the future.

What can OLN do for you?

OLN can help by reviewing your companies’ structure and identifying the significant controllers of your companies to ensure compliance with the new SCR regime. Please feel free to contact our Anna Chan at anna.chan@oln-law.com or our Victor Ng at victor.ng@oln-law.com. 

Filed Under: Commercial Fraud and Asset Tracing

How to Catch the Candies for Start-ups in Innovation and Technology under the Budget 2018/2019

March 1, 2018 by OLN Marketing

In recent years, the Hong Kong Government has shown a determination to promote the development of start-ups in Hong Kong. One of the notable measures could be seen in the Chief Executive’s 2017 Policy Address (CE 2017 Policy), where the Hong Kong Government proposed a new two-tiered profit tax regime for enterprises. Under the new regime, the profit tax rate for the first $2 million of profits of enterprises will be lowered to 8.25%, which is half of the standard profits tax rate of 16.5%. The said reform is now part of the Inland Revenue (Amendment) (No. 7) Bill 2017 that was gazetted on 29 December 2017 and is pending the Second Reading at the Legislative Council.

In the Budget 2018-2019, the Hong Kong Government further recognized innovation and technology (I&T) as one of the major driving forces of global economic development. With a surplus of $138 billion in 2017-2018, the Hong Kong Government made a bold commitment and earmarked more than $50 billion to support I&T development both in Hong Kong and the greater Guangdong-Hong Kong-Macau Bay Area, with Hong Kong taking on a central role. Below we will look at some of the upcoming opportunities available for I&T start-ups to kick-start their businesses.

Developing the Hong Kong-Shenzhen Innovation and Technology Park

  • $20 billion will be spent on developing the first phase of the Hong Kong-Shenzhen Innovation and Technology Park (HKSIT Park) in the Lok Ma Chau Loop.
  • The HKSIT Park will be administered by a subsidiary of the Hong Kong Science and Technology Park Corporation (HKSTPC).
  • The HKSIT Park will provide ample office and research and development (R&D) space for I&T enterprises.
  • We anticipate that the HKSIT Park will adopt similar funding schemes and incubation programmes currently in place at the Hong Kong Science and Technology Park (Science Park) to attract I&T talents and entrepreneurs.

Illustration of the Lok Ma Chau Loop

Expanding the Innovation and Technology Fund

  • $10 billion will be injected into the Innovation and Technology Fund (ITF), which provides various forms of funding schemes to encourage Hong Kong companies to develop their technological capabilities and introduce business innovations.
  • The ITF offers a wide range of I&T programmes that are available to start-ups, including the following:-
    • the Enterprise Support Scheme, which offers up to $10 million funding support for each approved project with further financial assistance to hire up to 2 additional staff;
    • the Technological Start-up Support Scheme for Universities, which provides funding up to $1.2 million per enterprise per year (up to three years) to universities to support their professors and students in starting technology businesses and commercialising R&D results;
    • the Patent Application Grant which provides funding support (up to $250,000 per application) for local enterprises which do not previously own any patent in any jurisdiction, among others, to apply for patents of their own technological inventions;
    • the University-Industry Collaboration Programme, which provides funding support for R&D studentship at local companies (up to $270,000 over three years per studentship), R&D collaboration projects between universities and private companies (up to 50% of the project costs), and industry-oriented R&D projects in the natural science or engineering fields (up to 50% of the project costs);
    • the Research and Development Cash Rebate Scheme, which provides cash rebate equivalent to 40% of the R&D expenditures to projects under the ITF or projects fully funded by the enterprise and conducted by designated local public research institutions;
    • the Technology Voucher Programme, which provides funding support to local enterprises for up to $200,000 per enterprise for technology consultancy, software purchase and subscription and project auditing needs. The eligibility requirements for this program have recently been relaxed; and
    • the Innovation and Technology Venture Fund, which is used to co-invest with partner venture capital funds in local I&T start-ups incorporated no more than 7 years prior to the application with a total number of employees (including those employed by subsidiaries) being less than 250.

Establishing Technology Research Clusters

  • $10 billion will be set aside to support the establishment of two research clusters on healthcare technologies and on artificial intelligence and robotics technologies.
  • It remains to be seen how the funding will be split between hardware and software development in these fields.

Science Park and Cyberport

  • $10 billion will be allocated to Science Park, with about $3 billion to be used for developing physical infrastructure and facilities while about $7 billion will be spent on strengthening tenant support and enhancing the existing incubation programmes, etc.
  • $200 million will be allocated to Cyberport to enhance support for start-ups and promote digital technology environment development. This will enable Cyberport to launch a new marketing support scheme for start-ups and increase the financial support under its incubation programme by 50 percent.
  • A further $100 million will be allocated to Cyberport to develop the Cyberport Arcade as an e-sports and digital entertainment cluster.

Tax incentives for R&D

  • At present, tax deduction for domestic R&D expenditure is 100 percent under s. 16B of the Inland Revenue Ordinance (Cap 112).
  • In conjunction with the ongoing profit tax reform, the Government is proposing further tax deduction for domestic R&D expenditure (300 percent tax deduction for the first $2 million qualifying R&D expenditure and 200 percent tax deduction for the remainder) incurred by local enterprises. Drafting of the legislation is underway.

Other Industry-specific Support

  • For the construction industry, an initial $1 billion in funding is proposed to be used to set up a new Construction Innovation and Technology Fund to encourage enterprises and practitioners in the construction industry to upgrade their technological capabilities, both in terms of knowledge and equipment.
  • A $1 billion increase in funding to the CreateSmart Initiative (CSI) is proposed to encourage development of the creative industries, with one of the focuses being to assist start-ups. The funding is anticipated to help expand CSI’s incubation and business collaboration programs that are currently in place.

Conclusion

With a surge in I&T funding support, FinTech and other I&T start-up enterprises in Hong Kong are well positioned to both contribute to and benefit from Hong Kong’s drive to become a regional and international I&T hub. While the current trend lasts, start-ups are encouraged to grasp the opportunity to bring their business to the next level.

How OLN Can Help

At OLN, we offer one-stop services for fintech and other start-up enterprises. If you require any assistance in corporate and commercial advisory, tax planning, intellectual property protection or regulatory issues, please feel free to contact our partner, Anna Chan.

Filed Under: Tax Advisory
