Financial Affairs Panel to Discuss Protection of Personal Information Provisions
On 9 April 2021, the Legislative Council’s Panel on Financial Affairs will discuss the proposed implementation of provisions to protect directors’ personal information from public inspection which are contained in the Companies Ordinance (Cap. 622). The proposals set out in LC Paper No. CB(1)737/20-21(07)1 envisage that subsidiary legislation implementing a phased introduction of the new inspection regime will be introduced to the Legislative Council for negative vetting in May 2021.
The Companies Register currently contains personal information which is made available for public inspection, such as directors’ usual residential addresses and full identification numbers and the full identification numbers of company secretaries and other individuals including (among others) liquidators and provisional liquidators. The personal information of directors is also open for public inspection on the registers kept by companies themselves. Division 7 of Part II of the Companies Ordinance sets out protections (not yet in operation) which would see only correspondence addresses and partial identification numbers available in the Companies Register for public inspection.
If implemented, the new regime will take effect in three phases:
Phase 1 – with immediate effect, companies will be able to withhold from public inspection in their own registers the usual residential addresses and full identification numbers (the Protected Information) of directors and company secretaries;
Phase 2 – with effect from October 2022, the Companies Registry will be able to protect from public inspection the Protected Information contained in all documents thereafter filed for registration; and
Phase 3 – with effect from December 2023, individuals will be able to apply to the Companies Registry for protection from public inspection of their Protected Information contained in documents already registered with the Companies Registry before October 2022.
Overview of Timeline
In the early 2010s, a rewriting of the Companies Ordinance, previously Cap. 32, commenced. The bill was passed by the Legislative Council in July 2012 and gazetted in August 2012, with the new Companies Ordinance coming into effect in 2014. Views were sought through a number of consultations as follows:
First Phase Consultation, December 20092 – it was stated that there were occasional complaints to the Companies Registry regarding the disclosure of personal information of directors and company secretaries in the Companies Register but that there were no major problems concerning the misuse of personal data.
In the 2009 Consultation, it was stated that the FSTB were inclined to retain the current disclosure regime (i.e. directors disclosing their usual residential address), and arguments were put forward including that it was in the public interest to be able to contact directors easily through their residential address, given that directors are personally subject to legislation relating to disqualification, fraudulent trading and other enforcement and regulatory actions. The challenges of adopting a discretionary approach to publishing personal information were also outlined.
Consultation Conclusions, August 20103 – a majority of respondents (46) were of the view that directors’ residential addresses should not be disclosed publicly in the Companies Register, stating that a service address would be sufficient and in the case of non-Hong Kong directors, a foreign residential address does not serve any meaningful purpose. Around 20 respondents and some trade unions opted to maintain the current disclosure regime on the basis of there being no strong grounds for changing the regime and legitimate reasons for accessing the information. Of the 53 submissions regarding publicly displaying directors and company secretaries’ full ID numbers, 43 stated that certain digits should be masked to give better protection to personal privacy. Meanwhile, labour/trade unions, professional/business bodies and some accountancy / law firms objected to the proposal on the grounds that the information provided a unique and effective identifier for individuals and that there had been no major problems of abuse.
Despite initially being inclined to retain the current disclosure regime, the FSTB concluded that access to directors’ residential addresses should be restricted and certain digits of ID numbers should be masked, considering this sufficient to identify individual persons.
In January 2011, the Bill was then introduced to the Legislative Council and was passed in July 2012 and gazetted in August 2012. In March 2013, a brief4 was then published on the proposed way forward in relation to the inspection of personal information provisions. The paper acknowledged the concerns of some stakeholders regarding increased risks of money laundering activities and the impact on investigative reporting. Stakeholders also emphasised that the existing regime worked well and suggested that the status quo should be maintained. Others suggested maintaining the existing regime and incorporating new safeguards instead, for example a registration system for those carrying out searches. The paper however noted that collecting information from all individuals conducting searches may be considered “excessive” under the Personal Data (Privacy) Ordinance (Cap. 486) (the PDPO). Some stakeholders were in support of the new regime on the basis that it protects directors’ right to privacy of personal information and the Legislative Council stated that it was not aware of the unavailability of directors’ residential addresses and full ID numbers on company registries causing major problems. Some stakeholders in support of the new regime did however suggest that the scope of specified persons who can access the full personal information should be expanded to include the media. The paper addressed this suggestion, stating that providing access to those engaged in “news activities” has the potential for abuse and further that discretionary access on a “public interest” basis would be time consuming given the volume of searches.
Ultimately, the paper concluded that the relevant provisions would not be included in the commencement notice for commencing the new Companies Ordinance and pending further deliberations, the information would still be available on the Companies Register.
Overview of Companies Ordinance Provisions for the Protection of Personal Information
Under section 45 of the Companies Ordinance, the Registrar must make the Companies Register available for public inspection to enable members of the public to ascertain whether they are dealing with a company, its directors or officers or certain other related persons or to ascertain the particulars of a company. The information made available to the public includes usual residential addresses and full identification numbers of individuals.
If implemented, the provisions of Division 7 would expressly provide for the withholding of the usual residential address of directors and of the full identification numbers of directors, company secretaries and other relevant individuals. Instead, directors’ and company secretaries’ correspondence addresses and partial ID numbers of directors, company secretaries and other relevant individuals will be shown on the Companies Register. In the event that communication at the correspondence address is not effective, the Registrar may make the protected address (the usual residential address) available for public inspection, however the Registrar must first notify the director and company and consider any representations made.
Access to the usual residential address and full ID number will be restricted to the data subject, persons authorised by the data subject, members of a company, public officers, public bodies, liquidators, trustees in bankruptcy and other specified persons. Creditors of the company and any other persons with sufficient interest may apply for a court order for disclosure of the protected information where certain conditions are satisfied.
The protections also apply to protected information contained in documents registered with the Companies Registry (initially only documents submitted following the commencement date and subsequently, all documents already registered).