Protection of Personal Data on the Companies Register: The New Inspection Regime
Ms Ada CHUNG Lai-ling is a Barrister and Privacy Commissioner for Personal Data, Hong Kong. She is also Hon Fellow of HKIoD
The New Inspection Regime for the Companies Register
To enhance the protection of sensitive personal data which appear on the Companies Register, a new inspection regime for the Companies Register has recently come into operation.
Starting from 23 August 2021, companies may withhold from public inspection the usual residential addresses (URA) of directors and full identification numbers (IDN) of directors and company secretaries that are contained in registers kept by the companies.
From 24 October 2022 onwards, the Companies Registry (CR) will withhold from public inspection the URA and full IDN of directors, company secretaries and liquidators, etc, which are contained in all the documents filed for registration.
Starting from 27 December 2023, the individuals concerned may apply to the CR for withholding their respective URA and full IDN contained in the documents already registered with the CR prior to 24 October 2022 from public inspection.
The significance of the new inspection regime lies primarily in the removal of the unrestrained public access to obtain the URA and full IDN of individual company officers contained in the Companies Register, thus providing enhanced protection to sensitive personal data.
PCPD In Support of the New Regime
From the perspective of protecting privacy in relation to personal data, I welcome, and have no hesitation to support, the new inspection regime which, undoubtedly, will strengthen the protection of the personal data contained in the Companies Register.
The move is of particular importance in the present situation of Hong Kong as there have been a significant increase in the number of doxxing cases since mid-2019, coupled with a worsening trend of cybercrimes and telephone scams that involved the unlawful use of personal data unveiled for the past two years.
This situation is exacerbated by the rapid development of digitalisation and the ease of collecting different kinds of personal data from the public domain nowadays, whether from online platforms, internet searches, public registers, or the like. It is worth noting that if the personal data available in the public domain are disclosed without appropriate safeguards, or used without regard to the original purpose of collecting the data, it could pose significant risks to privacy, thus jeopardising the interests of the data subjects. This is so especially in the case of sensitive personal data such as full IDN and URA, which practically anyone may obtain from most public registers with relative ease nowadays.
In this regard, I have grave concern that personal data has been weaponised by some in Hong Kong and utilised in ways to intimidate, silence or harm others for whatever reasons.
The wave of doxxing that has swelled in Hong Kong since mid-2019 has tested the limits of morality and the law, and should be stopped. For the past two years, my Office has handled over 5,800 doxxing-related complaints and cases discovered proactively by us through our online patrols. Among these cases, 945 of them involved wrongful disclosure of the victims’ identification numbers and/or residential addresses. The figures cry for immediate and effective actions to call the matter to a halt.
In the words of the Honourable Mr Justice Jeremy Poon, the Chief Judge of the High Court, “doxxing should not and cannot be tolerated in Hong Kong if we still take pride in our city as a civilized society where the rule of law reigns … The damage of widespread doxxing goes well beyond the victims. It seriously endangers our society as a whole … If doxxing practices are not curtailed, the fire of distrust, fear and hatred ignited by them will soon consume the public confidence in the law and order of the community, leading to disintegration of our society.”
While the Personal Data (Privacy) (Amendment) Bill 2021 was introduced by the Government in the legislature on 21 July 2021 to introduce a new offence for doxxing and broaden my enforcement powers under the Personal Data (Privacy) Ordinance to deal with doxxing cases more effectively, I believe that strengthening the protection of the personal data contained in public registers will assist in addressing the problem at root.
Similar Arrangements in Overseas Jurisdictions
In this regard, Hong Kong is not alone in taking measures to accord more protection to sensitive personal data that appear on the Companies Register. In the United Kingdom, for example, company officers’ personal identification numbers are not made available by the Companies House for public inspection on the companies register. For over a decade only their correspondence addresses (better known as service addresses) are made available to the public. Information on directors’ residential addresses is kept on a separate register with restricted access.
Thus, it is not unorthodox for measures to be taken by regulatory authorities to strengthen the protection given to sensitive personal data in a public register if circumstances warrant.