Asia Pacific Trade & Commerce Client Conference 27 August 2015 Baker & McKenzie, Hutchison House, Hong Kong

Transcription

1 Asia Pacific Trade & Commerce Client Conference 27 August 2015 Baker & McKenzie, Hutchison House, Hong Kong Commerce Hong Kong For further information please contact Paolo Sbuttoni Tel: E-commerce Hong Kong laws support use of e-commerce. The Electronic Transactions Ordinance facilitates electronic contracting. Recent developments of relevance to contracting / e- commerce are: Third Party Contract Rights Starting from 1 January 2016, third parties to a contract may, in certain circumstances, benefit from a contract or enforce its terms under the new Contracts (Rights of Third Parties) Ordinance (Cap 623) ( the Ordinance ) amending the common law position of "privity of contract:. The Ordinance will only apply to contracts entered into after 1 January 2016 and will not have a retrospective effect. The Ordinance will apply to B2B contracts (e.g. supplier contracts) and B2C contracts (e.g. sales of goods and services to consumers). Under the Ordinance, a third party may enforce a term in a contract in either of the following circumstances: (a) where the contract expressly provides that the third party may do so; or (b) the term purports to confer a benefit on the third party. The term "benefit" is not defined, therefore the contract should clearly and expressly address whether any term is to benefit or be enforced by a third party. Importantly, the third party must be expressly identified in the contract by name, as a member of a class or answering a particular description. Clients should: identify potentially relevant third parties whose rights should be preserved or for whom enforcement rights should be given (e.g. group companies); update standard contracts to ensure that the Ordinance is taken into account by either excluding the

2 application of the Ordinance or using it where intended. 2 Baker & McKenzie Asia Pacific Trade & Commerce Client Conference 27 August 2015 draft any third party beneficiary clauses meticulously to ensure coverage by the Ordinance. where third parties are to be given enforceable rights, ensure that these rights are clearly expressed in the contract. Reform of Stored Value Facilities / Retail Payment Systems regime Hong Kong's present regulatory regime is set out in the Banking Ordinance ( BO ) and has narrow application and applies to Stored Value Facilities (SVFs). The BO provisions (which date from 1997) impose approval requirements on issuers and facilitators of certain stored value cards (so-called multi-purpose cards or MPC). However, the MPC rules apply only to physical "devicebased" products on which prepaid monetary value is stored directly (e.g. on a chip embedded in a physical card). More recent "non-device-based" SVF (including virtual SVF) are not caught because prepaid value is typically stored elsewhere (e.g. in a computer-based account). So long as they do not engage in activities which are otherwise regulated, Retail Payment Systems (RPS) operators (including the major international payment card schemes operating in Hong Kong) are currently not subject to statutory regulation in Hong Kong because the Clearing and Settlement Systems Ordinance (CSSO), Hong Kong's existing payment systems statute, does not currently apply to RPS generally. Following earlier industry and public consultations ( ), the Government has now begun the legislative process and tabled the Clearing and Settlement Systems (Amendment) Bill 2015 (Bill) in the Legislative Council (Legco). The Bill is now undergoing detailed scrutiny by legislators -- a special bills committee first met in early March At the end of the last meeting the Government indicated that they hope to reintroduce the Bill into Legco to resume the second reading after the summer recess (in October 2015). Once in place, the new regime will subject a substantial number of so far unregulated products, services and systems to formal supervision by the Hong Kong Monetary Authority (HKMA). The principal changes are as follows: Single payment systems statute: The new SVF and RPS regimes will be set out mainly in a single statute, the amended CSSO (which the Bill proposes to

3 rename as Payment Systems and Stored Value Facilities Ordinance). For SVF, this means repealing the MPC provisions in the BO and replacing them with the new and broader SVF licensing provisions in the amended CSSO. As for RPS, the HKMA's powers under the CSSO to designate large-value clearing and settlement systems and their operators and/or settlement institutions for supervision will essentially be expanded to allow the HKMA to designate RPS for supervision. Implementation: The RPS-related provisions are expected to take effect immediately upon enactment of the amendment Ordinance. By contrast, the SVF regime would be implemented in two phases over a one-year period following enactment of the amendment Ordinance. In practical terms, pre-existing SVF operators who do not currently need a licence but will need one when the new SVF licensing regime takes full effect (i.e. one year after enactment of the amendment Ordinance) will need to either exit the industry or obtain an SVF licence (or an exemption) during the one-year transition period. SVFs: The new regime will be broader than the existing MPC rules (which cover "physical" MPCs). It will also impose licensing conditions that are more extensive then the existing MPC rules. In particular, licensees will generally need to have a physical presence in Hong Kong (which means local incorporation) and have as their principal business the issuing of the relevant SVF. In addition to meeting minimum paid-up share capital requirements (not less than HK$25 million or equivalent), licensees will be subject to an extensive list of other licensing conditions (some of which may need to be discussed with the HKMA on a case-by-case basis). RPS: The new regime for RPS enables the HKMA to designate a RPS for supervision. Based on Government comments made during and after the public consultation period, the new RPS designation regime is intended to cover, in particular, the larger credit and debit card schemes, merchant acquirers, payment gateways and mobile infrastructure (e.g. the infrastructure of the trusted service manager (TSM) of NFC mobile payment services). Designation by the HKMA would make the systems operator and/or settlement institution of the RPS responsible to the HKMA on regulatory issues. 3 Baker & McKenzie Asia Pacific Trade & Commerce Client Conference 27 August 2015

4 2. Cybersecurity The Personal Data (Privacy) Ordinance contains data security safeguards. Data Protection Principle (DPP) 4 of the Personal Data (Privacy) Ordinance provides that All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure, loss or use. The steps required to protect personal data will depend on the kind of data held and the harm that could result from a data breach. In the 2010 Guidance on DPPs from the Privacy Commissioner s perspective data users must satisfy the harm test by ensuring that security measures taken are proportionate to the degree of sensitivity of the data and harm that will result from accidental or unauthorized access. In the event of a cybersecurity breach, the data user should follow the principles in the Guidance on Data Breach Handling and Giving of Breach Notifications ( Data Breach Guidance ) to assess whether a notification to data subjects and/or the Privacy Commissioner is required. The Privacy Commissioner has also issued a number of Information Leaflets and Guidance Notes on specific issues which stress the importance of adequate security e.g: - Information Leaflets on outsourcing, cloud computing; - Guidance on use of portable storage devices; and - Guidance on Collection/Use of personal data through the Internet. 3. Data Privacy 4 Baker & McKenzie Asia Pacific Trade & Commerce Client Conference 27 August 2015 The Personal Data (Privacy) Ordinance regulates the use and collection of personal data in Hong Kong. Recent developments include: Cross border data transfer Section 33 of the Personal Data (Privacy) Ordinance ("PDPO") prohibits cross border data transfer except in certain circumstances (e.g. with consent of data subjects). However, this provision is not yet in force. In December 2014, the Privacy Commissioner urged for a renewed focus on implementing section 33, and published Guidance on Personal Data Protection in Cross-border Data Transfer to assist data users (e.g. traders, suppliers, buyers, sellers, service providers) to

5 5 Baker & McKenzie Asia Pacific Trade & Commerce Client Conference 27 August 2015 prepare for the implementation of section 33. The guidance is for voluntary compliance and there is no firm date for the implementation of section 33 as yet. Other areas of focus in 2015 In 2015, the Privacy Commissioner has focused on data protection issues relating to: (a) Mobile Apps It is very common nowadays for companies to use mobile apps as a sales/marketing channel. The Privacy Commissioner conducted a survey of 60 local mobile apps and found that their transparency in terms of privacy policy was generally inadequate. These findings prompted the Privacy Commissioner to publish the Best Practice Guide for Mobile App Development to assist mobile app developers in building privacy-friendly apps. In December 2014, the Privacy Commissioner took action against 2 mobile app operators for collecting excessive personal data and failing to take adequate to protect personal data. (b) Big data The Privacy Commissioner has recently turned its attention to the issue of big data after 250 privacy regulators, policy makers, leaders, professionals and academics from across the globe met at the International Conference on Big Data from a Privacy Perspective on 10 June Whilst the Privacy Commissioner welcome the economic and social benefits of the use of big data (e.g. powerful analytic capabilities, generate new insights for optimising customer relationship, targeted behavioural advertising, combatting criminal activities, improving health care), he also emphasized that consumer privacy and data protection must remain a priority and that appropriate safeguards should be adopted to address the downsides of exploiting big data s potential (e.g. inaccurate correlation, misleading analysis, lack of transparency, privacy intrusiveness, the risk of re-identification). (c) Biometric data On 20 July 2015, the Privacy Commissioner issued comprehensive guidance on the collection and use of biometric data, such as DNA, fingerprint and facial recognition data (e.g. palm shape, facial image, iris, retina), in response to the increasing use of such data by organizations in Hong Kong. The Privacy Commissioner took action against a data user for excessive collection of employees fingerprint data. The Privacy Commissioner stressed that data users should

6 6 Baker & McKenzie Asia Pacific Trade & Commerce Client Conference 27 August 2015 only use biometric data where it is absolutely necessary. In the context of sales of goods and services, it is unlikely that the use of biometric data can be justified and companies should carefully consider all readily available alternatives before deciding to collect biometric data.