New Inspection Regime: Combating Misuse of Directors' Personal Data

The Companies Registry (CR) in Hong Kong has introduced a new arrangement for searching private data within the Companies Register maintained by the CR, effectively balancing the imperative of information accessibility with the crucial aspect of privacy protection. The implementation of the New Inspection Regime is divided into three phases, with phases 1 and 2 already successfully implemented. Phase 3, set to commence on the December 27, 2023, represents the final stage in this transformative journey.

The New Inspection Regime

With the commencement of Phase 2 on October 24, 2022, specific adjustments have been made to the information available for public inspection in documents. The following details will now be displayed with a focus on privacy protection:

1. Directors: only correspondence addresses and partial identification numbers (IDNs) are visible.
2. Company secretaries: only partial IDNs are visible.
3. Other individuals (including liquidators and provisional liquidators): only partial IDNs are visible.

Companies must secure personal details, prevent unauthorized access, and avoid the misuse of private information. They should prioritize cooperation with regulators, keep updated on evolving standards, and proactively prepare for risks such as fraud and "doxing." These measures enhance business resilience and protect individuals' privacy in today’s dynamic digital environment.

Case studies

Case 1
Former company director convicted for disclosing personal data of 3 business partners

A 41-year-old former company director has been convicted of "disclosing personal data without consent" under the Personal Data (Privacy) Ordinance. The conviction stems from his alleged disclosure of personal data belonging to three business partners without their consent in late 2021.

The defendant revealed sensitive details, including names, residential addresses, company names, job titles, company telephone numbers, and mobile phone numbers of X, Y, and Z. The act was carried out with the intention of causing harm to the data subjects and their families or with a disregard for their safety and the potential harm resulting from the non-consensual disclosure of personal information.

It was revealed that X, along with two others and the defendant, held shares in the two companies, and X served as a director in one of them. Concerns arose in December 2019 regarding the defendant's handling of the lease, leading to the decision to dismiss the defendant as company director effective January 2021. Subsequently, it was discovered that the defendant had disclosed personal information of these individuals, including their full Chinese names, nicknames, mobile phone numbers, and company positions, within various Facebook group chats.

Case 2
Company director falls victim to RMB 1.1 million scam

A director of a surveying company received a call from a scammer claiming to be from the Department of Health. The scammer possessed the director's name, residential address, and full identification number, falsely alleging that the director's personal information had been leaked. The scammer then transferred the call to another scammer posing as a "Mainland Official."

The "Mainland Official" wrongfully accused the director of involvement in a money laundering scheme and presented a fabricated document, the "Hong Kong Independent Commission Against Corruption (HKICAC) Fund Regulation Enforcement Order," containing the director's name and details. To protect the director's innocence, the scammer demanded a transfer of RMB 1.1 million to a newly provided bank account with online banking access. The victim complied with the instructions, and within two weeks, the money was fraudulently obtained.

Case 3
Private equity fund chairman duped out of RMB 10 million in telecommunication fraud

According to reports, Mr. Niu, the Chairman and general manager of AXA Private Equity Fund, received a call on November 7, 2022, from someone named "Miss Fang" claiming to be from the Wanchai Prevention and Control Centre of the Department of Health in Hong Kong. "Miss Fang" informed him that his mainland mobile phone number showed a close contact record on November 6, 2022, and advised him to contact the Department of Health.

Mr. Niu clarified that he did not own the mentioned mobile phone number and suspected that his identity information had been leaked and stolen by criminals and requested to report the case. "Miss Fang," who claimed to be from the Hong Kong Department of Health, offered to assist Mr. Niu by contacting the Pudong Branch of the Shanghai Public Security Bureau. After verifying Mr. Niu's identity, an "officer" informed him that he might be connected to a highly confidential case being investigated by the police and advised him to inform his superiors immediately.

To prove his innocence without jeopardizing the company's business and reputation, Mr. Niu applied for release on bail pending further investigation, seeking an amount of RMB 10 million. He promptly gathered the RMB 10 million and contacted the "designated account" of the Hong Kong ICAC.

Subsequently, the "High Prosecutor" informed Mr. Niu that his application for bail pending trial had been approved, stating that he was not involved in the case, hehad been cleared of the identity of the suspect, and the RMB 10 million could be returned to him. However, a person claiming to be "Director Liang of the Financial Bureau of the Procuratorate" informed Mr. Niu that due to the country's latest anti-money laundering regulations, it would take six months to return the funds. Nonetheless, an expedited return method was available, requiring an additional 30% mortgage deposit of approximately HKD 3 million. This procedure could be completed within 2 to 48 hours, and all previous deposits would be swiftly refunded. As a result, Mr. Niu borrowed HKD 3 million from the company to cover the mentioned "mortgage deposit."

The growing threat of "doxing" and data misuse

It is worth mentioning that due to the rapidly increasing cases of "doxing" and the rising trend of using personal data for cybercrimes and telephone scams, the implementation of the New Inspection Regime has become crucial.

Over the past two years, the Hong Kong Privacy Commissioner for Personal Data has dealt with more than 5,800 complaints and cases related to "doxing." Among these cases, 945 were attributed to the inappropriate disclosure of victims' IDNs/URAs.

From the aforementioned cases, it is evident that the Companies Registry's New Inspection Regime plays a vital role in protecting personal information. It is mandatory for all Hong Kong companies to adopt the new arrangement to safeguard personal privacy from public inspections.

Although the implementation of the third phase of the New Inspection Regime is not obligatory, failure to heed and implement this new phase will leave personal privacy vulnerable, particularly that of rirectors and company secretaries.

How Tricor can help

As a leading provider of corporate services, Tricor offers a range of solutions to help directors and company secretaries of companies listed in Hong Kong and companies registered in Hong Kong to protect their personal information, including the application for withholding of personal information from public inspections and provision of a correspondence address.

Tricor understands the importance of data privacy and is committed to delivering customized solutions that meet the unique needs of our clients. Our services are designed to be accurate and efficient, ensuring that our clients' personal data is well-protected and secure.

By partnering with Tricor, clients can focus on their business objectives, knowing that their privacy needs are in good hands. Schedule your free consultation today: https://www.tricorglobal.com/new-inspection-regime.

Contact Us

For more information, please contact us at TricorInside@hk.tricorglobal.com.