Limiting Disclosure of Personal Data in the Companies Register Will Help Curb Doxxing

COMPANIES REGISTER'S NEW INSPECTION REGIME

The proposal of the Government to bring Companies Register’s new inspection regime into operation by phases from this year to 2023 has been broadly discussed and publicised since March. Back in 2012, the relevant provisions of the Companies Ordinance (Cap. 622) (“CO”), namely, inter alia, sections 47, 49 to 59 thereof, have already provided for the new inspection regime when the re-written company law was enacted. Nonetheless, on account of the diverse views expressed by relevant stakeholders at the time, these provisions were not brought into operation in 2014.

According to the proposed schedule of the Government, and subject to the enactment of the relevant subsidiary legislation, the new inspection regime will be implemented as follows by phases:

(i) Starting from 23 August 2021, companies may withhold the usual residential addresses (“URA”) of directors and full identification numbers (“IDN”) of directors and company secretaries that are contained in their own registers from public inspection;

(ii) From 24 October 2022 onwards, the Companies Registry (“CR”) will withhold from public inspection the URA and full IDN of directors, company secretaries and liquidators, etc. which are contained in all the documents filed for registration; and

(iii) Starting from 27 December 2023, the individuals concerned may apply to the CR for withholding their respective URA and full IDN contained in the documents already registered with the CR prior to 24 October 2022 from public inspection.

The significance of the new inspection regime lies primarily in the removal of the unrestrained public access to obtain the URA and full IDN of individual company officers contained in the Companies Register. Under the new regime, for all the documents which are newly registered, only (i) the correspondence addresses of directors and (ii) the partial IDN of directors, company secretaries and other relevant individuals will be made available for public inspection. Upon application made to the CR, the URA and full IDN of those individuals will only be made accessible to different groups of authorities or persons as specified in the subsidiary legislation (“specified persons”), except for certain circumstances where such disclosure by the CR is permissible with an order of the Court or under the CO.

THE LEGISLATIVE HISTORY

The proposed new inspection regime can be traced back to 2009 when, as part of the rewrite exercise, the Government consulted the public on the draft clauses of the Companies Bill. In December 2009, public views were sought in the “First Phase Consultation of the draft Companies Bill” as to whether company officers’ URA and full IDN on the Companies Register should continue to be made available for public inspection.

The proposed changes were indeed discussed and considered by the relevant Advisory Group formed for the rewrite exercise and the Standing Committee on Company Law Reform in 2007/08 and then in 2012/13, with substantial positive feedback from their members.

Consequently, provisions that reflected the new inspection regime were included in the Companies Bill for the scrutiny by the legislature, and the new CO, which contained the aforesaid provisions, was enacted in July 2012.

Nevertheless, given the lack of consensus by relevant stakeholders at the time, after the enactment of the primary legislation, the draft Companies (Residential Addresses and Identification Numbers) Regulation was not introduced into the legislature in 2013.

Aiming to elevating its efforts to strengthen the protection of the personal data contained in the Companies Register, the Government revived the proposals earlier this year.

PCPD IN SUPPORT OF THE NEW REGIME

From the perspective of protecting privacy in relation to personal data, I welcome, and have no hesitation to support, the proposed new inspection regime which, undoubtedly, will strengthen the protection of the personal data contained in the Companies Register.

As a matter of fact, the current proposal reflects the recommendations made by my Office, the Office of the Privacy Commissioner for Personal Data (“PCPD”), in our report on the “Survey of Public Registers Maintained by Government and Public Bodies” published in July 2015.

Among others, we recommended operators of public registers to explore, when providing personal data of a sensitive nature (such as identification document numbers and residential addresses) for public access, less privacy-intrusive means of disclosing the same. For example, by providing partial instead of full identification document numbers, and by providing correspondence addresses instead of full residential addresses.

I am pleased to see that the above-mentioned recommendations have been taken into account in the proposed new regime.

Quite contrary to the views expressed in some quarters, in my view the move is of particular importance in the present situation of Hong Kong as there have been a significant increase in the number of doxxing cases since mid-2019, coupled with a worsening trend of cybercrimes and telephone scams that involved the unlawful use of personal data unveiled for the past two years. This situation is exacerbated by the rapid development of digitalisation and the ease of collecting different kinds of personal data from the public domain nowadays, whether from online platforms, internet searches, public registers, or the like. It is worth noting that if the personal data available in the public domain are disclosed without appropriate safeguards, or used without regard to the original purpose of collecting the data, it could pose significant risks to privacy, thus jeopardising the interests of the data subjects. This is so especially in the case of sensitive personal data such as full IDN and URA, which practically anyone may obtain from any public register with relative ease nowadays.

In this regard, I have grave concern that personal data has been weaponised by some in Hong Kong, and utilised in ways to intimidate, silence or harm others for whatever reasons.

The wave of doxxing that has swelled in Hong Kong since mid-2019 has tested the limits of morality and the law, and should be stopped. Between June 2019 and May 2021, my Office has handled over 5,700 doxxing-related complaints and cases discovered proactively by us through our online patrols. Among these cases, 905 of them involved wrongful disclosure of the victims’ identification numbers and/or residential addresses. The figures cry for immediate and effective actions to call the matter to a halt.

In the words of the Honourable Mr Justice Jeremy Poon, the Chief Judge of the High Court, “doxxing should not and cannot be tolerated in Hong Kong if we still take pride in our city as a civilized society where the rule of law reigns… The damage of widespread doxxing goes well beyond the victims. It seriously endangers our society as a whole… If doxxing practices are not curtailed, the fire of distrust, fear and hatred ignited by them will soon consume the public confidence in the law and order of the community, leading to disintegration of our society.”

While legislative amendments to the Personal Data (Privacy) Ordinance (“the PDPO”, Cap. 486) will be proposed by the Government shortly to introduce a new offence for doxxing and broaden my enforcement powers under the PDPO to deal with doxxing cases more effectively, I do believe that strengthening the protection of the personal data contained in public registers will assist in addressing the root of the problem, and Hong Kong is not alone in taking measures to accord more protection to sensitive personal data that appear on the Companies Register.

SIMILAR ARRANGEMENTS IN OVERSEAS JURISDICTIONS

Making reference to similar arrangements in other jurisdictions would be helpful for us when we deliberate about the new inspection regime, for example, those adopted by the Companies House in the United Kingdom (“UK”), which is comparable to the new regime proposed by the Government in Hong Kong. While company officers’ personal identification numbers are not made available for public inspection on the companies register in the UK, for over a decade only their correspondence addresses (or better known as service addresses) are made available to the public. Information on directors’ residential addresses is kept on a separate register with restricted access.

Similarly, in Singapore, an alternate address instead of the URA may be provided for disclosure on the companies register by company officers, though the full numbers of their Singpass are disclosed. On the other hand, in Australia, while identification document numbers are not on the register, under specified circumstances, alternate addresses may be included, for example, when the Australian Securities and Investments Commission considers that the inclusion of the URA in public records would put the personal safety of the relevant officer and/or his/her family members at risk.

Thus, it is not unorthodox for measures to be taken by regulatory authorities to strengthen the protection given to sensitive personal data in a public register if circumstances warrant.

EQUAL LEGAL PROTECTION FOR PERSONAL DATA AVAILABLE IN THE PUBLIC DOMAIN

It is of paramount importance for us to realise that personal data that is available in public domain is still subject to the same protection under the PDPO as personal data obtained from any other source. Notwithstanding that some personal data can be accessed and obtained from a public register, the use of the data is still confined to the very purpose of allowing access to and inspection of the relevant register.

Data Protection Principle (“DPP”) 3 (the limitation of use principle) under Schedule 1 of the PDPO provides that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose. It follows that any subsequent use of the personal data obtained from a public register, which is not the same as or directly related to the original purpose(s) of making available the data for public access, will contravene DPP3 without the data subject’s prescribed consent (or, exceptionally, when an exemption applies under the PDPO).

Under the PDPO, personal data obtained from a public register should not be used for illegal purposes, including doxxing.

STRIKING A REASONABLE BALANCE

While advocating the importance of the protection of privacy in relation to personal data, I reckon the importance of allowing access to the Companies Register for legitimate purposes of the Register, which are fully set out under section 45 of the CO.

Not surprisingly, various stakeholders have raised different concerns on the proposed new inspection regime. Most of the concerns, as I see it, are related to the possible confusion, however slight, that may arise when the full IDN and URA are not available to readily identify the individual concerned, whether for forensic investigation, due diligence checks or other legitimate purposes.

At the time of writing, some refinements to the original proposal have been proposed by the Government in response. These include, for example, expanding the scope of specified persons to cover solicitors and foreign lawyers, certified public accountants (practising), trust or company service provider licensees, etc.; providing particulars of cross-directorships and introducing administrative measures (such as providing more digits in the IDN) to remove confusion when the disclosure of partial IDN leads to confusing search results.

Undoubtedly, the Government proposed the refinements or additional measures to address the concerns over the possible confusion that might arise from the new inspection regime, and I believe that they are genuine attempts to strike a reasonable balance between protecting personal data privacy on the one hand and allowing access to the Companies Register for the legitimate purposes of the Register on the other. I would, however, caution against any further broadening of the scope of unrestricted access, as that may likely defeat the very purpose of strengthening the protection of the personal data contained in the Register. 

Jurisdictions

Barrister, Privacy Commissioner for Personal Data Hong Kong