LCQ22: Privacy protection for consumer credit data

Keeping your credit data safe: understanding privacy protections for consumers

Following is a question by the Hon Carmen Kan and a written reply by the Secretary for Financial Services and the Treasury, Mr Christopher Hui, in the Legislative Council today (April 24):

Question:

Regarding privacy protection for consumer credit data, will the Government inform this Council:

(1) whether it knows the number of cases in the past six years in which the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) issued enforcement notices to credit reference agencies (CRAs) for breaching the Personal Data (Privacy) Ordinance (Cap. 486), as well as the organisations involved in such cases, the number of people affected, compliance with the enforcement notices, and the number of organisations which have been prosecuted for contravention of enforcement notices (set out in a table);

(2) given that Cap. 486 does not provide for a mandatory data breach notification mechanism, and that the Privacy Commissioner for Personal Data indicated at the meeting of the Panel on Constitutional Affairs of this Council on February 19 this year that PCPD and the Government were jointly examining the proposed legislative amendments to establish such mechanism, of the progress of the relevant work;

(3) as it has been reported that the website of TransUnion Limited, a CRA, which provided access to personal credit reports, had information security loopholes as revealed in 2018, whether the authorities have continuously monitored the level of its information security and compliance thereafter; if so, of the details; if not, the reasons for that;

(4) given that the Hong Kong Monetary Authority (HKMA) has been working with industry associations to introduce more than one consumer CRA in Hong Kong through the Credit Reference Platform, and has supported the development of the relevant platform, "Credit Data Smart" (CDS), by industry associations, but it is learnt that the platform, which was originally scheduled to be launched in December last year, has not yet been launched, of the latest progress of such platform;

(5) as it is learnt that industry associations have established the Code of Practice for the Multiple Credit Reference Agencies Model setting out the standards and requirements for Selected CRAs and Subscribed Members of CDS to comply on various aspects including the use and protection of personal data, what measures the authorities have put in place to monitor CRAs' compliance with the Code of Practice on Consumer Credit Data and Cap. 486 when CDS has not yet been launched; and

(6) given that the People's Bank of China and the HKMA have agreed to enter into a memorandum of understanding on the pilot programme of interconnection business for cross-boundary credit referencing, what regulatory measures the authorities have put in place to ensure that cross-boundary credit referencing data will only circulate within the Guangdong-Hong Kong-Macao Greater Bay Area in a safe and orderly manner, as well as when the authorities will proceed to launch the pilot tests and implementation work?

Reply:

President,

Having consulted the Constitutional and Mainland Affairs Bureau and the Hong Kong Monetary Authority (HKMA), the consolidated reply is as follows:

(1) Regarding the incidents of unauthorised access to personal data held by credit reference agencies in recent years, the Office of the Privacy Commissioner for Personal Data (PCPD) issued enforcement notices to TransUnion Limited (TransUnion) and Softmedia Technology Company Limited (Softmedia) in 2019 and 2023 respectively. The enforcement notices directed the relevant organisations to rectify the vulnerabilities in the security of their credit databases, which included directing TransUnion to devise clear procedures on identity authentication, and directing Softmedia to change the password settings to safeguard the security of its information system that contained personal data, etc. The consumer credit data held by these two organisations involved around 5.4 million and 180 000 individuals respectively. TransUnion and Softmedia had implemented the relevant security measures according to the above enforcement notices to protect personal data privacy.

(2) At present, the PCPD is comprehensively reviewing the Personal Data (Privacy) Ordinance (Ordinance) and formulating concrete proposals for legislative amendments, which include establishing a mandatory personal data breach notification mechanism, requiring data users to formulate policies on personal data retention period, empowering the Privacy Commissioner to impose administrative fines, direct regulation of data processors, and clarifying the definition of personal data, etc. The PCPD is studying in detail relevant laws and experience of other jurisdictions, while taking account of the actual situation in Hong Kong so as to put forward practicable legislative amendment proposals to align with international developments in privacy protection and strengthen the protection of personal data privacy. In regard to the mandatory personal data breach notification mechanism, the definition of personal data breach incident, the threshold and timeframe for notification, etc need to be considered. Such relevant work is being proactively taken forward at the moment. Once specific legislative amendment proposals are firmed up, the PCPD will consult the Government and the Legislative Council, after which a legislative amendment timetable will be drawn up having regard to actual circumstances.

(3) In an effort to continuously monitor the personal data security standards and compliance situation of TransUnion, the PCPD took the initiative to carry out an inspection of the personal data system of TransUnion in 2021, and subsequently published an investigation report. Inspection results revealed that TransUnion had complied with the requirements of the Ordinance with regard to the security of personal data held, such as adopting appropriate system access control measures through contractual means with credit providers.

In addition, in June 2023, the PCPD also proactively commenced compliance checks of credit reference agencies in Hong Kong, including the three credit reference agencies selected under the "Credit Data Smart" Model (namely TransUnion, Nova Credit and PingAn OneConnect), to ascertain whether the security measures and retention periods adopted by the relevant organisations regarding the consumer credit data of borrowers comply with the requirements of the Ordinance. The PCPD found no contravention of the requirements of the Ordinance in the compliance check of the relevant organisations.

(4) The HKMA has been working closely with Hong Kong Association of Banks, the Hong Kong Association of Restricted Licence Banks and Deposit-taking Companies, and the Hong Kong S.A.R. Licensed Money Lenders Association Limited (collectively "the Industry Associations") to introduce more than one consumer credit reference agency (CRA) in Hong Kong through the Credit Reference Platform (this model referred to as "Credit Data Smart"), with a view to enhancing the service quality of consumer CRAs in Hong Kong and reducing the operational risk of having only one commercially run service provider in the market, particularly the risk of single point of failure.

"Credit Data Smart" has been progressing in an orderly manner as planned. The Industry Associations launched the "Credit Data Smart" pilot programme on November 20, 2023, with the expectation that the selected CRAs would officially offer to the public secure and reliable consumer credit reference services upon successful completion of the pilot programme. According to the information provided by the Industry Associations, over 1 000 employees from nearly 20 institutions including banks, licensed money lenders, platform operator, the Industry Associations and governmental institutions participated in the pilot programme since its launch. The results indicated that the data accuracy of the credit reports and overall service performance of the three CRAs met the requirements set by the Industry Associations.

Accordingly, the Industry Associations announced on April 18 this year the commencement of service of "Credit Data Smart" with effect from April 26.

(5) According to the information provided by the Industry Associations, the three CRAs are required to comply with the industry's rigorous requirements on information security, system and data management, etc as set out in the "Code of Practice for the Multiple Credit Reference Agencies Model" since their selection in November 2022. These CRAs are also required to submit regularly their compliance assessment reports on personal data protection, information and network security etc to the Industry Associations, in order to ensure their compliance with the Personal Data (Privacy) Ordinance, "Code of Practice on Consumer Credit Data" and "Code of Practice for the Multiple Credit Reference Agencies Model". The Industry Associations will continue to review the operations of the three CRAs after the commencement of service of "Credit Data Smart".

(6) Ensuring the security of customer information is the top priority, and the primary consideration of the HKMA underlying any data connectivity initiative is to ensure that any information involved in the process will be processed in a safe and efficient manner and that any information transfer is in compliance with relevant legal and regulatory requirements. In terms of supervision, the HKMA has put in place strict regulatory requirements and guidelines in respect of protection of information security for banks to follow, to ensure the security, confidentiality and integrity of information of businesses and to prevent such information from being accessed or used without proper authorisation. In this regard, the HKMA is planning to issue regulatory circulars to remind the Hong Kong banking industry to comply with all relevant legal and regulatory requirements when handling cross-boundary transfers of credit information, so as to ensure information security and effective risk management.

The People's Bank of China (PBoC) and the HKMA announced on January 24 this year the "three measures on connectivity" and "three measures on facilitation" to deepen the financial co-operation between Hong Kong and the Mainland, and signed a Memorandum of Understanding on Cross-Boundary Credit Referencing (CBCR) pilots. This is to establish co-operative arrangements to, starting out from the Greater Bay Area, jointly promote the co-operation on CBCR pilots, foster cross-boundary transfer of credit information between Hong Kong and the Mainland, and facilitate cross-boundary financing for Shenzhen and Hong Kong enterprises. Under the CBCR pilot scheme, a number of Hong Kong banks and CRAs have expressed interest in participating in the pilots. At the same time, some CBCR pilots have already entered the processes of the relevant Mainland authorities. Relevant institutions will continue to work closely with each other, and facilitate the implementation of the pilots and the conduct of relevant tests in a step by step manner.

Source: AI-generated images

Empowering innovation: a recap of sj's inspiring speech at the 26th icca congress

Following is the speech by the Secretary for Justice, Mr Paul Lam, SC, at the 26th ICCA Congress Opening Ceremony today (May 5):

Dr Alexandrov (President of the International Council for Commercial Arbitration (ICCA), Dr Stanimir Alexandrov), Justin (Co-Chair of the ICCA 2024 Hong Kong Host Committee Mr Justin D'Agostino), Neil (Co-Chair of the ICCA 2024 Hong Kong Host Committee Mr Neil Kaplan), Rimsky (Co-Chairperson of Hong Kong International Arbitration Centre (HKIAC) Mr Rimsky Yuen, SC), David (Co-Chairperson of HKIAC Mr David Rivkin), Joanne (Secretary-General of HKIAC, Ms Joanne Lau), distinguished guests, ladies and gentlemen,

Let me begin by expressing my gratitude to ICCA for agreeing to host the Congress in Hong Kong, which is a very strong vote of confidence in Hong Kong as an international arbitration centre. I must also congratulate the HKIAC on its successful organisation of the Congress. The Department of Justice is indeed very pleased to be one of the supporting organisations by providing financial and other supports.

I can now understand why the ICCA Congress is hailed as the Olympics of the international arbitration community. The Olympics is renowned for the great diversity and high standard of the participants. This ICCA Congress has attracted over 1 300 leading experts in international arbitrations from more than 70 jurisdictions. This is a new record, which I believe will be extremely difficult to break.

With so many friends from other parts of the world and the Mainland, as the Secretary for Justice of Hong Kong, I feel duty bound to seize the opportunity to impress on you that Hong Kong is and will remain to be a leading international arbitration centre. I am going to recast the four letters "ICCA" as an acronym to illustrate the unique strengths and qualities possessed by Hong Kong that make it stand out as one of the best venues for international commercial arbitration.

"I" - Institutional support

"I" stands for "institutional support". Hong Kong is home to many world-class and internationally renowned arbitral institutions. As our home-grown dispute resolution institution, HKIAC has always been ranked as one of the most-preferred arbitral institutions in the world. It is very encouraging to see that HKIAC received a total of 281 arbitration filings in 2023. I think Joanne mentioned some other relevant figures. They continued to be predominantly international arbitration featuring parties from 45 jurisdictions. The total amount in dispute in all arbitration cases was HK$92.8 billion, which is equivalent to about US$12.5 billion, representing a record high for HKIAC.

Among sponsors of the ICCA Congress are other reputable arbitral institutions with offices based in Hong Kong, such as the China International Economic and Trade Arbitration Commission (CIETAC), and the South China International Arbitration Center (Hong Kong) (SCIA(HK)).

"C" - Comprehensive legal framework

The first "C" stands for our "comprehensive legal framework" in arbitration. The Arbitration Ordinance in Hong Kong forms the backbone of our arbitration framework. Coming into effect in 2011, the Ordinance is largely based on the Model Law on International Commercial Arbitration of the United Nations Commission on International Trade Law, which is familiar to practitioners from both civil law and common law jurisdictions, as well as the international business community.

Taking note of arbitration users' needs for flexible funding options, we have refined our arbitration law to specifically provide for third party funding of arbitration in February 2019. In addition, the Outcome Related Fee Structures for Arbitration (ORFSA) was fully implemented in Hong Kong in December 2022. As at March 2024, based on statistics provided by our arbitral institutions, 88 arbitration cases were disclosed to be conducted with third party funding and five cases were conducted with ORFSA.

As to enforcement, arbitral awards made in Hong Kong are enforceable in Hong Kong, and over 170 contracting parties to the New York Convention. But more importantly, Hong Kong enjoys a unique strength that is not shared by other jurisdictions. Under the principle of "one country, two systems", Hong Kong has entered into three mutual legal assistance arrangements with the Mainland on not only mutual enforcement of arbitral awards, but also mutual assistance in interim measures which allow parties to arbitral proceedings administered by the designated arbitral institutions to apply to the Mainland courts for interim measures for preservation of asset, evidence and conduct, before an arbitral award is made. As at March 2024, Hong Kong's arbitral institutions had processed 118 applications for interim measures made to the Mainland courts, and court orders in respect of over RMB16.3 billion worth of assets had been issued.

"C" - Court's pro-arbitration approach

The second "C" stands for "the Court's pro-arbitration approach". The Hong Kong judiciary has long been adopting a very pro-arbitration approach. And such an approach is confirmed by a number of recent court judgments.

Last year, a landmark judgment C v D was handed down by the Hong Kong Court of Final Appeal. The judgment recognised the distinction between admissibility and jurisdiction, and held that there is a presumption that the issue of non-compliance with a precondition to arbitration is a question of admissibility to be decided by the arbitral tribunal, thereby limiting the scope of court intervention in the arbitral process. In a more recent case of CNG v G, the Court of First Instance reaffirmed the fundamental principles that arbitration is a voluntary and consensual process of final dispute resolution; and it was stressed that the Court must not only respect the autonomy of the tribunal, but also leave the tribunal free to decide the dispute with the proper exercise of its case-management powers, when the tribunal is clearly in the best position to manage its own proceedings and procedure. Lastly, in two very recent judgments handed down around two weeks ago, Re Simplicity & Vogue Retailing (HK) Co Ltd, and Re Shandong Chenming Paper Holdings Ltd, the Hong Kong Court of Appeal noted and ruled that, save in wholly exceptional circumstances, the court should decline to entertain a petition for winding up or bankruptcy when there is an arbitration agreement concerning the debt in question.

"A" - Accessibility to the international legal community

Lastly, the letter "A". Letter "A" stands for the accessibility to the international legal community. I wish to emphasise that the international arbitrations in Hong Kong are accessible to the international legal community. There is no doubt that Hong Kong itself has a very strong tool of legal talents specialised in international arbitrations. This is demonstrated by the large number of sponsors and organisers of not just official events but side events, many of which are leading law firms and barristers' chambers in Hong Kong.

But the point that I really wish to make is that Hong Kong welcomes friends from the Mainland and other parts of the world to take part in international arbitrations conducted here. As an example, to enhance immigration convenience, last year, the Government has expanded the Pilot Scheme on Facilitation for Persons Participating in Arbitral Proceedings in Hong Kong for all visitors to participate in arbitral proceedings here as arbitrators, expert and factual witnesses, counsel in the arbitration, and parties to the arbitration, without the need to obtain any employment visa. From March 2023 to March 2024, 96 persons were allowed to participate in Hong Kong arbitral proceedings without the need to obtain any employment visa under the scheme.

I truly and firmly believe that Hong Kong's reputation as a leading international arbitration centre is well deserved. However, to enable Hong Kong to maintain and enhance such a status, we need your trust and support, in particular, those of you from overseas. Seeing is believing. I hope that, apart from taking part in the official and side events of this ICCA Congress, you will have the chance to experience the Hong Kong life including our delicious food, unique culture and beautiful scenery. I am sure you will be convinced that Hong Kong remains to be a very open, friendly and diversified international society with a solid foundation based on the rule of law.

On this note, I wish to say thank you again, and I wish you all a pleasant evening in celebrating the commencement of the ICCA Congress, and of course, a very fruitful, constructive and pleasant stay in Hong Kong. Thank you very much.

Speech by SJ at 26th ICCA Congress Opening Ceremony Source: HKSAR Government Press Releases