New Inspection Regime for Hong Kong Companies
In recent years, there have been rising concerns over whether personal data contained in public registers are adequately safeguarded, especially in light of increased reported cases of doxing and personal data misuse. To tackle this problem, the Government of HKSAR including the Constitutional and Mainland Affairs Bureau is committed to combating doxing acts that are intrusive to data privacy.
In light of the above developments, since 23 August 2021, a new inspection regime is being implemented under the Hong Kong Companies Ordinance (Cap. 622) (“CO”), correspondence addresses instead of usual residential addresses (“URAs”) of directors and partial identification numbers (“IDNs”) instead of full IDNs of directors, company secretaries and other relevant persons would be made available on the Companies Register for public inspection.
The new inspection regime is implemented in three phases. The full operation involves substantial system and operation modifications of the Integrated Companies Registry Information System (“ICRIS”). A phased commencement of the regime is necessary to tie in with the revamp project for upgrading the ICRIS with targeted completion at end of 2023. At this stage, we are facing Phase 2 of the new inspection regime which will come into effect on 24 October 2022.
- Timeline for Implementation
Phase 1
From 23 August 2021, companies may replace URAs of directors with their correspondence addresses, and replace full IDNs of directors and company secretaries with their partial IDNs on their registers for public inspection;
Phase 2
From 24 October 2022, Protected Information on the Index of Directors on the Register will be replaced with correspondence addresses and partial IDNs for public inspection. Protected Information contained in documents filed for registration after the commencement of this phase will not be provided for public inspection. “Specified persons” could apply to the Registry for access to Protected Information of directors and other persons; and
Phase 3
From 27 December 2023, data subjects could apply to the Registry for protection from public inspection of their Protected Information contained in documents registered with the Registry (“Withheld Information”), and replace such information with their correspondence addresses and partial IDNs. “Specified persons” could apply to the Registry for access to the Withheld Information of directors and other persons.
- What does Phase 2 cover and What shall the company do
Under Phase 2 of the new inspection regime, usual residential addresses and full identification numbers (“Protected Information”) on the Index of Directors on the Companies Register are replaced with correspondence addresses and partial identification numbers for public inspection. The following specified persons can apply for access to Protected Information on the Companies Registry:
- Data subject
- A person who is authorized in writing by a data subject to obtain the information
- A member of the company
- A liquidator
- A trustee in bankruptcy
- A public officer or public body
- A person specified in the Schedule to the Regulation
- A solicitor or foreign layer who practices law in a law firm
- A certified public accountant (practicing)
- A financial institution or designated non-financial businesses and professions
Companies shall ensure that their register of directors will contain the correspondence address of their natural person director(s). Even with the transitional arrangement provided under section 115A of Schedule 11 to the CO, their register of directors must contain the correspondence address of all the natural person director(s) (including reserve director) before its first annual return date on or after the commencement date of Phase 2 on 24 October 2022.
- Summary upon the full implementation
- Only the correspondence addresses of directors and the partial IDN of directors, company secretaries, and other relevant persons will be shown in the registers maintained by the Companies Registry.
- Only specified persons can apply for access to the URA and full IDN of directors, company secretaries, and other relevant persons, with limited exceptions.
- Companies can withhold from public inspection the URAs and full IDNs (except the first part) on the registers where the information is maintained.
- Data subjects can apply to the Companies Registry to withhold from public inspection their Protected Information that is contained in documents registered with the Registry.
The relevant provisions of Hong Kong’s new inspection regime will strike a balance between public access to the necessary information to ascertain the identities of companies’ officers and protecting data privacy. Going forward, companies should ensure they are in compliance with the latest regulatory requirements, and more importantly, be equipped to tackle potential risks such as fraud and doxing arising from unauthorized access to personal data.
Should you have any questions, please feel free to contact us.