Hong Kong is a resilient and resourceful place and, despite all the present media attention, business forges on – as does innovation and the regulation that tends to follow. Much has happened over the last quarter and in this edition of our Letter from Hong Kong we focus on an array of new regulation and headlines around Telecoms & Internet, Data Protection & Cybersecurity, Blockchain & Crypto and FinTech Innovation.
Legal and Market Insights
Data Protection & Cybersecurity
Cyberspace Administration of China invites public comments on draft Measures on Security Assessment of the Cross-border Transfer of Personal Information
On 13 June 2019, CAC invited a new round of public comments on the draft Measures following earlier invitations. The Measures were promulgated in light of the controversial data localisation requirement introduced by China's Cybersecurity Law which came into effect on 1 June 2017. The Measures, if enacted, would reinforce the requirement by requiring all "network operators" in China, broadly defined as network owners, managers and service providers, to apply to local authorities for security assessment and seek their approval prior to any cross-border transfer of personal information. Local authorities would be given powers to ban any transfer which may endanger national security or public interest or which ineffectively safeguards personal information. The wide application of the Measures and their intricate criteria of security assessment may significantly impact cross-border flows of personal information from China.
CAC announces implementation of the Regulation on Children's Personal Information and Online Protection in October 2019
On 22 August 2019, CAC announced that the Regulation will come into force on 1 October 2019. The Regulation would require network operators in China to comply with specific requirements on personal information collection, retention, use, disclosure and transfer when processing personal information of children under the age of 14. Operators should process information in compliance with principles of legitimacy and necessity, consent, purpose specification, security protection and lawful use. Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486), in comparison, does not carve out a separate regulatory regime for children. The Regulation also imposes certain obligations on network operators which are not present in the Ordinance, including reporting breach incidents to supervisory authorities and affected data subjects, adhering to information deletion requests, and conducting security assessment prior to transferring information to third parties.
Takeaways from Hong Kong Privacy Commissioner's keynote speech in Singapore 2019 Asia Privacy Forum of the IAPP
On 15 July 2019, Hong Kong Privacy Commissioner Mr. Stephen Kai-yi WONG gave an opening keynote speech at the Singapore 2019 Asia Privacy Forum of the International Association of Privacy Professionals (full text here). The Commissioner noted that given the legislative fragmentation in global data protection and rapid ICT developments, meeting regulatory requirements alone would not be effective enough for businesses to adequately protect personal data privacy and meet individuals’ expectations. Instead, businesses should engineer accountability and data ethics into their operations and strengthen their corporate governance to protect privacy. The Commissioner also remarked on how Hong Kong's comprehensive data protection law has transformed Hong Kong into China's regional data hub and an innovation centre.
Hong Kong Privacy Commissioner publishes the investigation report on Cathay's data breach incident
On 6 June 2019, Hong Kong Privacy Commissioner Mr. Stephen Kai-yi WONG published an investigation report on the data breach incident involving the personal data of approximately 9.4 million passengers of Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited. The companies were found to have breached their obligations on retention and security under Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486), as well has being found to have a lax attitude towards data governance which fell well short of community and regulator expectation, and were directed to take remedial actions as specified in the Commissioner's enforcement notice. Notably, despite there being no statutory requirement on data breach notification currently in Hong Kong, the Commissioner remarked that the companies could have had given earlier notification to affected passengers to meet their legitimate expectations. It has been reported that several class action lawyers in the US and Europe have been preparing class action claims against Cathay Pacific since the data breach was announced, moves that will only be encouraged by the Commissioner’s findings.
Telecoms & Internet
Hong Kong authorities have recently issued three separate announcements of spectrum bands that will be made available to telecoms providers, ranging from auctions of new 5G spectrum to the availability of spectrum vacated by the switch off of analogue TV and non-exclusive, geographically shared spectrum.
New spectrum assignments for Hong Kong's TV licensees following release of existing spectrums for mobile telecommunications services
Hong Kong Communications Authority has announced plans, in light of the government's policy initiatives, to vacate a total of 160MHz spectrum in the 614 – 806 MHz band for deployment of mobile telecommunications services (including 5G mobile services) to benefit the Hong Kong community by the end of 2021, subsequent to analogue switch-off for TV services in November 2020. The band is currently assigned to two TV licensees: Television Broadcasts Limited (TVB) and HK Television Entertainment Company Limited (HKTVE) for broadcasts of TV programmes. CA would assign new TV frequency channel at 598 – 606 MHz band to the licensees in February 2021.
Hong Kong Office of the Communications Authority begins auctions of 5G spectrum
On 19 July 2019, OFCA announced upcoming auctions of a total of 380 MHz of 5G spectrum in the 3.3 GHz, 3.5 GHz and 4.9 GHz bands. The first auction will be for the 3.5 GHz band to be held on 14 October 2019 with applications accepted on either 12 or 13 September 2019, followed by auctions for the 4.9 GHz band and 3.3 GHz band. The government has set the auction reserve prices for the 3.3 GHz, 3.5 GHz and 4.9 GHz bands to be HK $2 million per MHz, HK $4 million per MHz and HK $3 million per MHz respectively. Subsequently, on 23 August 2019, CA provided Q&A documents on the auction of the 3.3 GHz, 3.5 GHz and 4.9 GHz bands, which include information relating to auction arrangements and logistics and licensing matters. On 26 August 2019, OFCA released a “5G Thematic Website” aimed to educate the public on how 5G mobile technology will change the means of communication and enable the development of many innovative applications.
Hong Kong Office of the Communications Authority invites applications for assignment of shared spectrum in 26 GHz and 28 GHz bands
On 15 July 2019, OFCA invited applications for assignment of a total of 400 MHz of spectrum in the 26 GHz band (24.25 – 27.5 GHz) and 28 GHz band (27.5 – 28.35 GHz), for provision of innovative wireless broadband services based on 5G or other advanced mobile technologies on a non-exclusive, geographically sharing basis. Successful applicants will be given a Localised Wireless Broadband Service License valid for five years, during which they can deploy the shared spectrum for use in specified locations in Hong Kong, subject to a total network coverage limit of 50 km2. Mobile network operators already awarded spectrum in these bands for provision of conventional large-scale 5G mobile services by OFCA earlier will not be eligible to apply.
Revamped licensing regime for the Class License for Offer of Telecommunications Services
CA has revamped the existing Class License for Offer of Telecommunications Services regime under the Telecommunications Ordinance (Cap.106) which will come into effect on 26 October 2019. The CLOTS regime deems any person who offers telecommunications services without operating any telecommunications means in Hong Kong to be a licensee subject to licensing conditions for regulatory oversight. CLOTS licensees are mainly resellers of telecommunications services operated by licensed operators, offering products such as "Wi-Fi Eggs", local mobile voice and/or data services, local fixed voice and/or broadband services, prepaid IDD services and prepaid international voice/data roaming services. The revamped regime introduces a new registration requirement for licensees with a customer base of 10,000 subscriptions or more, requiring them to register with CA and provide prescribed company and services information. To facilitate a smooth transition for the new registration requirement, a three-month grace period after the effective date is allowed. Coupled with requirements for licensees to provide prescribed information to consumers and submit annual updates to CA, this revamped regime reflects CA's efforts to strengthen compliance monitoring over CLOTS licensees and safeguard consumer interests. CA has released guidelines to assist service providers to comply with the revamped CLOTS regime.
Anti-extradition bill protests in Hong Kong may trigger the Government's deployment of emergency laws which may restrict Internet access
Following the unrests in Hong Kong over the now withdrawn extradition bill, it has been reported that the Hong Kong Chief Executive Carrie Lam may invoke the Emergency Regulations Ordinance once used during Hong Kong's 1967 riots, to control and suppress publications and communications in Hong Kong. The Chief Executive may potentially order private telecommunications companies and internet service providers to block Internet applications and websites used by protesters. In response, the Hong Kong Internet Service Providers Association (HKISPA) issued an urgent statement warning that this may spell "the end of the open Internet of Hong Kong" and deter businesses' investments. HKISPA also warned that this may negatively impact the mainland China, since Hong Kong helps transit more than 80% of China's internet traffic, as well as local and international companies operating more than 100 data centres in Hong Kong.
Blockchain and Cryptocurrency
Cyberspace Administration of China issues guidance on security assessment requirement in Regulation for Managing Blockchain Information Services
On 9 August 2019, CAC issued a notice to elaborate on the security assessment clause (clause 9) in the Regulation implemented in February 2019. Amongst other obligations imposed on blockchain information service providers such as establishing a user registration system, conducting information verification and keeping records, the Regulation requires providers to conduct security assessment whenever they offer new products, applications or functions. CAC's guidance explains that for such security assessment, the providers may either conduct self-security assessment or may request accreditation agencies approved by the CAC to conduct security assessment.
FinTech and Innovation
Hong Kong Monetary Authority announces implementation progress of Open Application Programming Interface Framework for the Hong Kong Banking Sector
On 31 July 2019, HKMA announced the implementation progress of the Hong Kong Banking Sector Framework, one year after its deployment. The Framework, introduced to encourage innovation within the banking sector and the provision of innovative products and services to upgrade customer experience, outlines a four-phase implementation approach to regulate deployment standards and ensure security. The launch of Phase I (Product Information) in January 2019 witnessed the offering of over 500 Open APIs by 20 retail banks – giving access to information of banking products and services, enabling new market entrants to provide services such as foreign exchange rate information, deposit rate and loan product comparison. Following the success of Phase I, HKMA will launch Phase II (Customer Acquisition) by the end of October 2019 to make available banks' customer acquisition process information relating to applications of credit cards, loans or other bank products. Looking ahead to the launch of Phase III (Account Information) and Phase IV (Transactions), as these involve sensitive customer and transaction data, HKMA will work with the industry on API standardisation and release technical standards in 2020.
Fintech collaboration between Hong Kong and France
On 5 July 2019, Hong Kong Monetary Authority and the French Autorité de Contrôle Prudentiel et de Résolution entered into a Memorandum of Understanding to strengthen collaboration between the two authorities in Fintech innovation through information exchange, experience sharing, joint projects and expertise sharing. The Memorandum of Understanding signifies HKMA's mission to forge cross-border Fintech collaboration with France, a fast-growing Fintech hub in Europe, and its commitment to develop Hong Kong as Asia's most vibrant Fintech hub.
HKMA amends guidelines to encourage greater use of innovative technology tools for credit risk management/loans, encouraging FinTech development in Hong Kong
On 29 August 2019, HKMA amended its guidelines issued to authorised institutions, such as banks, on Credit Risk Management for Personal Lending Business (which was first issued in May 2018), to facilitate adoption of innovative technology, such as data analytics, in assessing and approving credit applications. The amended guidelines removes a 10% limit of an authorised institution’s capital base for such institution’s online finance portfolio, but instead allows authorised institutions to develop their own limit commensurate with their risk appetite and risk management capability. As part of the HKMA’s “Banking Made Easy Initiative’, this is generally seen as encouraging adoption of innovative online technology in credit risk management and to minimize frictions in greater adoption of digital banking and encouragement of the FinTech sector.
Publication of "GFiN - One Year On" Report by Global Financial Innovation Network
On 25 June 2019, the Global Financial Innovation Network reported on its achievements since its inception in August 2019, and laid out its future commitments. GFiN has now grown to comprise 35 member regulators and 7 observers from 21 jurisdictions, and has established itself as a global dialogue and collaboration platform. Currently, representatives in Hong Kong include Hong Kong Monetary Authority, Hong Kong Securities and Futures Commission and Hong Kong Insurance Authority. In the past year, GFiN has launched a cross-border pilot project to help firms simultaneously trial new technologies in multiple jurisdictions. GFiN has also created a RegTech joint work group to share resources and knowledge in this emerging area. Going forward, GFiN will hold meetings with members and stakeholders to formulate work plans and identify new initiatives and projects.
Securing privacy concerns in FinTech in Hong Kong
Hong Kong has built a strong environment for fostering innovation and financial technology or FinTech. With its large financial sector and its strategic role with Mainland China and gateway to the rest of Asia and the world, Hong Kong has the potential to take on an important role in being a leader in FinTech.
As FinTech development gathers pace and emerging technologies become a greater part of our lives, so will there be greater collection and use of an increasing amount of personal data in relation to customers. At the same time, the threat of fraudulent activity, such as fake identities using fake accounts, is also rising. In this article, we explore the current risks and regulation around privacy and data security in Fintech in HK.