Introduction

The age of COVID-19 saw an unprecedented level of technology adaptation into the everyday lives of humanity across the entire globe. As more and more of our lives begins its transformation into the digital realm, issues of data privacy (e.g. doxing, data breaches, unintended/unauthorized use of personal information) has been brought to the forefront.

Recently, the Government has begun its review as to whether personal data contained in the Companies Register (the “Register”) such as information pertaining to addresses of directors should be maintained with the Register. In response, the Financial Services and the Treasury Bureau (the “Bureau”) along with the Companies Registry (the “CR”) submitted a paper to the Legislative Council on 29 March 2021 (the “Proposal”), which proposed to bring into operation a new inspection regime (the “Regime”) that has been included the Companies Ordinance (“CO”) when the legislation was made in 2012.

Rationale of public inspection

It is a fundamental concept in law that a director’s personal liability is limited by the principle of “separate legal personality”. In return for this protection, there exists the doctrine of “piercing the corporate veil” to prevent persons from obtaining an advantage by committing fraud using a limited company entity.

The existence of a framework for public inspection becomes important, as it provides key information about the directors (e.g. residential address, ID card numbers) behind the shady corporate dealings. The maintenance of public information also provides those who have dealings with the company and those who may be adversely affected by the abuse of “separate legal personality” with proper legal recourses.

Public inspection under the CO and its significance in the commercial and legal industry

Section 45 of the CO sets out the purposes in which documents may be made available for public inspection, for example, to ascertain the particulars of a company’s directors or other officers. The personal information made available for public inspection in the Register includes the usual residential addresses (“URA”) and the full identification numbers (“IDN”) of directors of registered companies. These personal information obtained from the Register has been utilized by legal practitioners and law enforcement in many ways, for example to perform commercial due diligence, commence legal claim and most importantly, litigate against cyber scammers.

Performing commercial due diligence

Law firms, as with many other organizations, often undertake to perform due diligence investigations for clients. In commercial deals, comprehensive legal due diligence investigations and reports are most likely required to be done prior to such corporation transactions to consult the CR database for conducting background checks against related parties and to research and verify the history and identities of executives and directors of the subject companies. Information on the database is also commonly used for tracing cross-party and cross-company ownership structures. Similarly, for accounting firms, banks and financial institutions, the same is relied on when performing know-your-customer checks or work related to compliance and anti-money-laundering.

Commencing legal claims

As in other litigious processes such as lodging claims against internet scammers and in debt recovery cases, lawyers look for the addresses of individuals and businesses to effect service of originating process and subsequent legal documents, and this often involves the use of documents like the Annual Return filed with and obtained from the Register. In the case of minority shareholders and labour disputes, the CR database is used for properly identifying the correct parties to lodge and pursue their claims against.  

The New inspection regime

The Regime (as reflected under Division 7 to Part 2 of the CO) has the effect of restricting public access to information about directors of companies and limiting public inspection to those strictly necessary for the legal purposes of the Register. Has the Regime been fully implemented, the following protection can be rendered in stages:

1. Only correspondence address of directors and company secretaries and partial IDN of directors and company secretaries will be shown in the Register for public inspection.
2. The URA and full IDN of the individuals (“Protected Information”) will be made accessible to specified person (i.e. the data subject, a person authorized by the data subject, a member of a company, a public officer or public body, etc.) (“Specified Persons”) upon application. The court may make an order for disclosure if it is necessary or expedient to do so.
   
3. Individuals whose Protected Information is contained in the documents filed to CR before the commented of the Regime can apply to the CR to withhold such information from public inspection.
   
4. A company may withhold Protected Information from public inspection.
   

How does Hong Kong compare to other jurisdictions?

The Regime proposed is comparable to that adopted by the Companies House in the United Kingdom (“UK”).  In the UK, only the correspondence address (i.e. also known as the service addresses) are made available to the public. A separate register with restricted access is present which contains information on directors’ URA. Other personal information including the IDN could not be inspected on the UK companies register.

Regarding the directors’ URA in particular, it is also the case for both Australia and Singapore that directors could instead provide alternate addresses as opposed to their URA in the public records for public inspection.

Impacts on the legal industry

Directors’ full IDN and URA are currently accessible to the general public on the CR database. As mentioned, the Regime only allows partial IDN and correspondence addresses filed by directors to be shown in the Register for public inspection. With the Regime being in force, grave barriers would be created for in-house lawyers, lawyers, and law enforcement when they are in the course of performing their duties

In-house lawyers and lawyers

As the full IDN of directors has been withheld from public inspection, directors with similar names could be wrongly identified. Further, although correspondence addresses filed by directors may be used for service of documents, in the event where service of documents to a director by way of the correspondence address is not possible, the CR will only disclose the residential address of a director if the court orders to do so. As such, in-house lawyers and/or lawyers may have a hard time identifying the right person when performing commercial due diligence and filing law suits.

In order to obtain the Protected Information required, claimants via their lawyers may have to take extra steps and incur extra costs in getting disclosure court orders such as Bankers Trust order (Norwich Pharmacal order) or even the Anton Piller Order (3^rd party disclosure orders) via lodging court applications for the discovery and disclosure of such information. The applicant also bears the burden of proof in obtaining these court orders. The extra costs and court time involved may result in an unreasonably high bill to clients, which in turn may frustrate the course of justice.

Law enforcement

The Regime may also hinder law enforcement’s investigation on financial crimes, such as internet scammer, money laundering, debt evasion, etc., as it would become more difficult to identify the locality of suspects. Without the personal particulars accessible from the CR, it is of serious concern that the Proposal will instead facilitate corruption, fraud and other crimes, and make it easier for directors to hide from creditors.

When conducting investigation, law enforcement e.g. police has to apply to the court with the relevant law for a search warrant authorizing, inter alia, the search of business record including computer record. Although a public officer is one of the Specified Persons in the Regime, it is doubtful whether such warrant is still required. Nonetheless, the whole process of investigation inevitably involves disclosure application that could impede the officers’ efficiency and efficacy in performing their duties and could also lead to unscrupulous individuals getting away with illegal activities.

Recommendations

In view of better facilitating lawyers and other persons working in financial institutions to continue with performing their day-to-day duties for legitimate purposes, a tiered inspection regime could be put in place with the following refinements recommended to be made to the current Proposal:

1. Maintaining a separate register with restricted access for Specified Persons only: Similar to the practice in the UK, a separate register could be created and maintained by the CR with restricted access which contains information on directors’ URA and the full IDN (i.e. the Protected Information). 
2. Expanding the scope of Specified Persons: the scope of Specified Persons with full access to the separate register should be expanded to include solicitors and foreign lawyers, certified public accountants (practicing) and trust or company service provider licensees such that they could gain full access of the Protected Information without having to obtain prior approval from the CR or an order from the Court. 
   
3. As for the public database:-
   1. The directors’ addresses (the URA): the requirement for directors to provide their correspondence addresses should be maintained to preserve the transparency of public records. 
   2. The IDN: more digits of the IDN should be disclosed to minimize, if not remove, the confusion over the search results and the risk of incorrect identification.
      

In light of the aforesaid, there needs to be a right balance stroke between the protection of privacy and personal safety, and the “protection” of personal information of the persons named on the Register who could be shielded from committing fraud or other more serious illegal activities under the Regime.