To enhance the protection of sensitive personal data that appear on the Companies Register, a new inspection regime for the Companies Register has recently come into operation. The regime will be implemented in three phases.
Starting from 23 August 2021, companies may withhold from public inspection the usual residential addresses (URA) of directors and full identification numbers (IDN) of directors and company secretaries that are contained in registers kept by them.
From 24 October 2022 onwards, the Companies Registry (CR) will withhold from public inspection the URA and full IDN of directors, company secretaries and liquidators, etc. that are contained in all the documents filed for registration.
Starting from 27 December 2023, the individuals concerned may apply to the CR for withholding their respective URA and full IDN that are contained in the documents already registered with the CR prior to 24 October 2022 from public inspection.
The significance of the new inspection regime lies primarily in the removal of the unrestrained public access to obtain the URA and full IDN of individual company officers contained in the Companies Register, thus providing enhanced protection to sensitive personal data.
“The recent rampant doxxing activities have tested the limits of morality and the law, and should be stopped.”
PCPD in support of the new regime
From the perspective of protecting privacy in relation to personal data, I welcome, and have no hesitation to support, the new inspection regime, which reflects the recommendations made by my office, the Office of the Privacy Commissioner for Personal Data (PCPD), in our report on the Survey of Public Registers Maintained by Government and Public Bodies, published in 2015.
The move is of particular importance in the present situation of Hong Kong as there have been a significant increase in the number of doxxing cases since mid-2019, coupled with a worsening trend of cybercrimes and telephone scams that involved the unlawful use of personal data unveiled for the past two years.
It is worth noting that if the personal data available in the public domain has been disclosed without appropriate safeguards, or used without regard to the original purpose of collecting the data, it could pose significant risks to privacy, thus jeopardizing the interests of the data subjects.
In this regard, I have grave concern that personal data has been weaponized by some in Hong Kong and utilized in ways to intimidate, silence or harm others for whatever reasons.
The recent rampant doxxing activities have tested the limits of morality and the law, and should be stopped. Between June 2019 and August 2021, my office has handled over 6,000 doxxing-related complaints and cases discovered proactively by us through our online investigations. Among these cases, over 1,000 of them involved wrongful disclosure of the victims’ identification numbers and/or residential addresses. The figures cry for immediate and effective actions to call the matter to a halt.
In the words of the Honourable Mr Justice Jeremy Poon, the Chief Judge of the High Court, “doxxing should not and cannot be tolerated in Hong Kong if we still take pride in our city as a civilized society where the rule of law reigns… The damage of widespread doxxing goes well beyond the victims. It seriously endangers our society as a whole… If doxxing practices are not curtailed, the fire of distrust, fear and hatred ignited by them will soon consume the public confidence in the law and order of the community, leading to disintegration of our society.”
While the Personal Data (Privacy) (Amendment) Bill 2021 was introduced by the government in the legislature in July this year to create a new offence for doxxing and broaden my enforcement powers under the Personal Data (Privacy) Ordinance to deal with doxxing cases more effectively, I believe that strengthening the protection of the personal data contained in public registers will assist in addressing the problem at root.
Implications for accounting professionals
While advocating the importance of the protection of privacy in relation to personal data, I recognize the importance of allowing access to the Companies Register for legitimate purposes of the register, which are set out in section 45 of the Companies Ordinance. The new inspection regime, as refined prior to its finalization, has already taken into account the need for accounting professionals to conduct company searches, in particular in due diligence checking, in their daily work. Hence, accounting professionals will continue to enjoy unrestricted access to the personal data on the Companies Register upon application made to the CR. Notwithstanding this, accounting professionals should be mindful that the use of the data obtained from the register is confined to the very purposes of the setting up of the register, as reflected in section 45 of the Companies Ordinance.