Author: Richard Batten LL.B (Hons), Barrister and Solicitor of the Supreme Court of Victoria and Director of Censere Group Co., Ltd
Richard is a Director with the Censere Group and for the past 20 years has been assisting clients in the Asia Pacific Region with Due Diligence investigations in a variety of Mergers and Acquisitions across different industries. His projects have included clients from China, Japan, India, Korea, Australia and the USA.
One of the significant trends in the Asia Pacific region over the last few decades has been the emergence in a number of countries of new or tightened laws on privacy of personal data or “Data Privacy”. This trend has created a particular challenge for forensic practitioners providing integrity due diligence services to clients seeking to mitigate their risk(s) before deciding on significant investments in the region. Not only does a forensic practitioner need to understand where and how to obtain relevant background information on a target company, and key individuals associated with the target, but the practitioner is also required to have a sound knowledge of all data privacy laws and guidance in the jurisdictions relevant to particular due diligence projects.
This article examines the current position regarding the Hong Kong Personal Data (Privacy) Ordinance and the Office of the Privacy Commissioner for Personal Data (HK) "Guidance on Use of Personal Data Obtained from the Public Domain" issued in accordance with the requirements of the Ordinance. The HK Special Administrative Region (SAR) has enacted a strict Ordinance to protect personal data. It specifically applies to data obtained from the public domain, which practitioners previously assumed could be used without restriction because such information had already been disclosed to the public.
This assumption has now been legislatively overturned, and the Ordinance contains significant restrictions on the use of personal data, even where it is either disclosed publicly or relatively easy for the public to access. The Guidance specifically states the limitation on wide use of personal data in the public domain:
“It is a misconception that publicly accessible personal data can be further used or disclosed for any purpose whatsoever without regulation. The protection afforded by the Ordinance does apply to such personal data and there is no general exemption from compliance with the requirements under the Ordinance.”
The key limiting Data Privacy Principle in the Guidance to the Ordinance relevant to due diligence practitioners is extracted below:
“DPP3 specifies that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose. The term, “new purpose” in relation to the use of personal data, means in essence any purpose other than the one for which the personal data was originally collected or a directly related purpose. “Prescribed consent” means consent that is expressly and voluntarily given and has not been withdrawn by the data subject in writing. The term “use” in relation to personal data includes the disclosure and transfer of the data.”
The consequence of this principle is, for example, that personal data collected by a government registry for its purpose (such as business registration) may not then be used for an unrelated purpose like “integrity due diligence investigations”. The Guidance specifically refers to the potential misuse of personal data by “integrity checking services”, and the Commissioner has therefore made it clear that such services may breach the Ordinance.
So what does this mean for organizations wishing to check on the integrity of key persons (officers of a target company) for a proposed merger or acquisition? In our experience many clients have been reticent to disclose to targets the full extent of the due diligence, particularly regarding integrity investigations, they will undertake before signing off a Heads of Agreement or proceeding with the particular deal. Should the organization wish to continue with such an approach then they would need to be able to satisfy one of the exemptions to the application of DPP3 specified in the Ordinance.
However, the specific exemptions under the Guidance do not cover the undertaking of due diligence investigations as it relates to the integrity of key individuals. The key exemptions include:
- Section 52 for domestic purposes
- Section 58 for the purpose of prevention or detection of crime, remedying of unlawful or seriously improper conduct, or dishonesty or malpractice
- Section 59 for health purposes
- Section 60B for legal proceedings authorized by Hong Kong law or in connection with any legal proceedings in Hong Kong
- Section 61 for activity of news business in the public interest
- Section 62 for statistics and research which does not identify the data subjects
- Section 63B for due diligence exercises
- Section 63C for emergency life-threatening situations or rescue operations
It should be noted that if an organization relies on one of the specific exemptions above, then the onus is on the personal data user (the organization) to prove, if challenged, that the exemption applies and that it was not bound under the Ordinance to follow its requirements. In this context, an examination of the definition in Section 63B of the Ordinance seems to make it clear that integrity checking of individuals is not included, i.e. a due diligence exercise is defined only as:
“In relation to a proposed business transaction, means the examination of the subject matter of the transaction to enable a party to decide whether to proceed with the transaction.”
In the author’s view, no specific exemption applies to the use of personal data by an organization undertaking integrity due diligence on persons; it is therefore incumbent on the organization to obtain the proper authority under the Ordinance to use personal data it wishes to collect, either itself or through its agents.
This can be achieved by ensuring that each key individual to be integrity checked provides written consent to the data user who intends to use personal data obtained from the public domain. In obtaining the written consent of the subject(s), a full explanation should be given of the intention to obtain their personal information from a variety of sources, including the public domain.
Disclaimer: Before undertaking integrity due diligence investigations requiring the use of personal data in HK every organization should seek the legal advice of internal or external counsel to ensure proper consent is obtained or a particular exemption applies. The information contained in this article is not provided as legal advice and should not be relied on without seeking independent legal advice.