The winner of the HKICS Prize 2020, Privacy Commissioner for Personal Data, Ada Chung Lai-ling FCG FCS, highlights some key regulatory and governance issues practitioners need to pay close attention to now and in the years ahead.

Thanks for giving us this interview. You have been working with Chartered Secretaries and Chartered Governance Professionals (CS/CGPs) for many years – particularly as Registrar of Companies – what are your feelings on receiving the HKICS Prize?

‘I am indeed very honoured to have received the prize. I have been working with members of the profession for 13 years and I have always been very impressed by their professionalism, dedication and competence. The prize is a good recognition of my efforts over the years and also of the efforts of my former colleagues in the Companies Registry. I have shared the prize with them and it is in the Companies Registry’s office now.’

Do you have any advice for new recruits to the profession on the importance of the role of CS/CGPs in the emerging business landscape?

‘As the Registrar of Companies, I fully appreciated and treasured the importance of the work of company secretaries. They are the gatekeepers of corporate governance and that was why, when we rewrote the Companies Ordinance six years ago, unlike a number of other jurisdictions, we kept the requirement for every company to have a company secretary. That was in recognition of the work of the profession.

The business landscape is becoming increasingly complex. There are rising public expectations of good corporate governance and corporate social responsibilities. That was one of the reasons for the rewrite of the Companies Ordinance, and I believe that the new Ordinance has helped to achieve good corporate governance and also better regulation of companies. About three years ago, we introduced a new licensing regime for Trust and Company Service Providers (TCSPs), and this has been a good benchmark for the profession because practitioners have to meet certain criteria before they can be licensed as a TCSP.

My advice for new recruits to the profession is that they need to understand the huge responsibilities they are taking on as gatekeepers of good corporate governance. This does not only mean ensuring that the company complies with all the regulatory requirements – if anything goes wrong, they have to raise that with top management and the board.’

Do you think the requirement for every company to have a company secretary is likely to be retained in the years ahead?

‘I believe that the requirement for every company to have a company secretary is an essential requirement to uphold good corporate governance and I will advocate for that if there is any proposal to amend the law in this particular respect.’

What is your view of the transition we have seen in the CS/CGP profession over the last decade to wider roles and responsibilities in the area of governance?

‘I think the transition is inevitable and a healthy development for the profession as a whole. This has been a global trend and it is a good recognition of the role of practitioners in upholding good corporate governance, as well as their role in company administration.’

What trends should practitioners be looking out for in terms of the way the regulatory regime in Hong Kong, as well as stakeholder expectations, will change in the years ahead?

‘Hong Kong is in a unique situation as part of China. In the years to come, there will be rapid economic and professional development in the Greater Bay Area, including Hong Kong. Moreover, there will be an increase in the movement of professionals across the border, including Chartered Governance Professionals. I envisage that the regulatory regime will change to facilitate this movement of companies and professionals across the border, and to ensure better coordination between Hong Kong and the other cities of the Greater Bay Area.

Another trend I would like to highlight is the rapid development of the cyber world and the regulation of this area. It is essential for company secretaries to understand these developments because most companies process huge amounts of data and many companies play key roles in the provision of online services and portals.

Internationally, I believe that there will also be tightened rules to combat money laundering and terrorist financing. As you may recall, Hong Kong underwent a mutual evaluation by the Financial Action Task Force (FATF) back in 2019. The next round of mutual evaluation will be in 2024, so between now and 2024 the government will have to look at the recommendations made by FATF in the last evaluation and consider whether to put in place legislative amendments or more regulations.

We will have to demonstrate to the international assessors that Hong Kong has a robust regime for the regulation of TCSPs in particular and one area of focus might be the regulation of trustees. Currently, anyone can manage a trust established by a close friend or a relative – they do not need to get a licence because they are not carrying on a business as such. FATF is concerned about this and the fact that Hong Kong does not have a formal register of trustees.’

One trend of great relevance both to your work as Registrar of Companies and your new role as Privacy Commissioner for Personal Data is digitalisation – would you like to share your thoughts on that?

‘Digitalisation is an inevitable and irreversible trend, particularly during the pandemic, but it is a double-edged sword and brings with it risks – especially with regard to personal data privacy.

On the positive side, one example is the e-Registry introduced by the Companies Registry during my time as the Registrar of Companies. It is a 24-hour, full-scale electronic filing service that allows for electronic submission of more than 80 forms and documents, facilitating more efficient corporate administration work. With the e-Registry, the time required for the registration of a new company is shortened from four days to one hour. Primarily because of this, Hong Kong ranked fifth in “starting a business” according to the World Bank’s Doing Business 2020 Report.

On the other hand, with digitalisation, increasing amounts of data are being stored, whether in a database or on a cloud-based server, and that increases the risk of data breaches. In the old days, a data breach would usually have affected a small number of people, but nowadays data breaches can affect millions of people. An incident in 2018 involving an airline company in Hong Kong involved 9.4 million passengers. That is why we, and data protection authorities around the world, have been working extra hard to safeguard against data breaches. That is also why I call upon organisations to take all reasonable and practicable steps to safeguard the personal data in their possession when they embark on their digitalisation journey.’

What roles would you like to see CS/CGPs playing in ensuring good data privacy practices?

‘Company secretaries play an important role in ensuring that the board, which they serve, takes into account the risks relating to data governance and personal data privacy. Over the years, my office has been promoting the adoption of a privacy management programme. Organisations have a responsibility to ensure that there’s a proper system in place to safeguard any data which comes into their hands. As part of this privacy management programme, we also advocate the appointment of a data protection officer and the development of internal policies on the protection of personal data. There should also be an internal reporting mechanism to report all privacy risks to top management.

I would like to call on members of the Chartered Secretary and Chartered Governance profession to get actively involved in reviewing the personal data privacy risks of their organisations and escalate any problems to top management for their attention. At the same time, I would ask for their support to incorporate a privacy management programme as part of their organisation’s culture and policy. That is crucial for the sustainability of organisations in the long run.’

Can we discuss the proposed amendments to the Personal Data (Privacy) Ordinance (PDPO)?

‘Firstly, legislative amendments will be introduced to more effectively tackle the problem of doxing. The government’s plan is to introduce these amendments to the Legislative Council of the HKSAR before July this year. A second phase of amendments will include issues such as the introduction of administrative fines for breaches of the PDPO, a mandatory data breach notification regime and the strengthening of the regulations on data retention.

Another major area is the regulation of data processors. At the moment, the PDPO focuses on regulating data users, but, given rapid technological developments, we often see organisations contracting out relevant work to data processors. We believe therefore that direct regulation of data processors is essential so that we can implement the provisions of the PDPO more effectively and directly.’

Do you think the PDPO needs a major overhaul?

‘Yes and no. The General Data Protection Regulation (GDPR), implemented in the European Union in 2018, has become the gold standard for data protection authorities worldwide. If we wanted to adhere to this standard then yes, that would mean a complete overhaul of the PDPO. However, whether we are really going that far will depend on the public’s view. We have to take into account the local situation – in particular what people think and what people need.

It is not difficult to transplant laws from other jurisdictions if you intend to just copy and paste, but as the Privacy Commissioner, I think my duty is to provide the proper advice to the government on people’s views of privacy issues. In some areas, we may need to strike a reasonable balance. The use of artificial intelligence (AI) technology is a good example – advanced technologies such as AI are useful, but what are the costs in terms of compromising people’s rights to privacy? We first need to look at how society views these issues and then consider what kind of regulations are needed.’

Your office conducted a study on attitudes to privacy in Hong Kong – can we discuss the findings?

‘The findings indicate that people are becoming increasingly aware of the importance of personal data privacy issues. Of the 77% of respondents who have a social media account, for example, 80% were aware of the privacy settings. The study also shows that the vast majority of people know how to navigate online in order to protect their data and are very cautious when it comes to sharing data, such as photos, with other people.’

Do you think organisations are becoming more aware of personal data privacy issues – in particular the compliance risks in this area?

‘Mindsets are changing and they are changing rather rapidly – organisations are putting more effort and resources into the protection of personal data privacy. This is a good trend and essential for the sustainability and growth of organisations in the long run – to survive and grow in the long term organisations have to earn the trust of their customers. According to the 2020 Edelman Trust Barometer, public perception of the trustworthiness of a company is not only driven by how well the company is able to conduct its business, but also the manner in which it conducts its business.’

How do you see the privacy landscape, both locally and globally, evolving in the future – particularly in terms of privacy legislation?

‘I believe that issues relating to the protection of personal data will be omnipresent in the years ahead. To stay ahead of rapid technological developments – including big data, AI, the use of biometric data, and the widespread use of social media and other new technologies – data protection authorities worldwide will be keen to bring in new laws. This will be particularly important in sensitive areas such as the regulation of data collection online and the holding, processing and use of biometric data. The GDPR regards biometric data as sensitive personal data and the Mainland is considering doing the same in its draft Personal Information Protection Law. Here in Hong Kong, the legislation provides for a basic framework as it does not distinguish between sensitive and non-sensitive personal data.

In the next few years, I believe that these will become hot issues and there will be a need to build accountability frameworks for the development of new technology. An obvious example is the need to have human oversight of AI systems and adding the protection of “privacy by design” – embedding privacy into the design of new technology systems. Privacy by design may become a legal requirement for the development of new technology. The GDPR touches on that, but many jurisdictions worldwide still do not have legislative requirements in this area.

Another important area is children’s privacy. Since last year, there has been an upward trend in cybercrime involving children. This is an important area, not only for Hong Kong but internationally. The UK is going to implement a code on children’s privacy later this year. Locally, my office is working on issuing some guidelines to protect children’s privacy.’