The handling of personal data raises significant legal and compliance issues. If personal data is handled in Hong Kong, the requirements of the Personal Data (Privacy) Ordinance (PDPO) apply.
The PDPO imposes a number of major principles to ensure that the personal data collected by institutions is properly stored, kept no longer than necessary, and used only for the purpose for which it is collected. Data users are also required to take practical steps to safeguard this personal data from unauthorized use, and to make their personal data policies and practices known to the public.
Below are the six Data Protection Principles (DPPs) set out by the Privacy Commissioner for Personal Data, Hong Kong:
DPP1 - Data Collection Principle
DPP2 - Accuracy & Retention Principle
Practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfil the purpose for which it is used.
DPP3 - Use Principle
Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent to a new purpose is obtained from the data subject.
DPP4 - Security Principle
A data user needs to take practicable steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use.
DPP5 - Openness Principle
A data user must take practicable steps to make its personal data policies and practices known to the public, including the types of personal data it holds and how the data is used.
DPP6 - Data Access & Correction Principle
A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.
Given the decentralized and distributed nature of Distributed Ledger Technology (DLT), customers involved should be made fully aware that their personal data is being shared among all the participating parties of the DLT platform. A proper governance structure should be set up among the participating parties, delivering proper notification to customers through an agreed mechanism. The DLT platform may also be required to come up with a set of agreed rules and policies to be followed by all participating parties and made known to customers.
Even if personal data is permitted to be shared among the participating parties of the DLT platform, proper governance should be in place that defines and agrees the purpose for which the data is collected, and ensures that this data is used only for those well-defined purposes. Where the participating parties wish to use the collected personal data for a new purpose, consent should be obtained from customers, and such consents properly recorded according to the ledger record access policy incorporated in the DLT platform.
Another interference with privacy rights stems from the fact that data, once stored on the ledger, cannot be erased. The immutability feature of DLT is at odds with the ‘right to be forgotten’ granted in some jurisdictions, so victims will turn to damages instead. More significantly, it is directly at odds with legal requirements that, in some circumstances, transactions are void and title must be rectified to reflect this, for instance in the context of fraudulent transfers.
For detailed information, please see the ‘Personal Data (Privacy) Ordinance’.
As digital tokens involved in ICOs are transacted or held on an anonymous basis, by their nature they pose inherent and significant money laundering and terrorist financing (ML/TF) risks. The SFC reminded licensed corporations (LCs) and associated entities in its 16 January 2014 circular to take all reasonable measures to ensure that proper safeguards exist to mitigate these risks.
Virtual currencies and commodities such as Bitcoin, other cryptocurrencies and digital tokens, which are transacted or held on an anonymous basis, by their nature pose inherent and significant ML/TF risks.
The SFC issued advisory circulars on 16 January and 21 March 2014 to remind LCs:
to exercise caution in assessing the relevant ML/TF risks when establishing or maintaining business relationships with potential or existing customers who are operators of schemes or businesses related to virtual commodities;
to take additional customer due diligence (CDD) measures and perform enhanced ongoing monitoring of activities on the account of any such customer in order to detect suspicious transactions;
to make a report to the Joint Financial Intelligence Unit (JFIU) if CDD and ongoing monitoring reveal any suspicious activity related to ML/TF on a customer account.
Such additional measures, as provided in paragraph 4.11.1 of the Guideline on AML/CFT, may include:
obtaining additional information on the customer and updating the customer profile, including identification data, more regularly;
obtaining additional information on the intended nature of the business relationship, the source of wealth and the source of funds;
obtaining the approval of senior management to commence or continue the relationship;
conducting enhanced monitoring of the business relationship by increasing the number and frequency of the controls applied and selecting patterns of transactions that need further examination.