Under proposed changes to the Securities and Futures Ordinance ("SFO"), SFC-licensed corporations must disclose information which may assist overseas regulators if requested by the SFC, or risk being in breach of the SFO. The proposals increase the SFC's existing powers to effectively supervise SFC-licensed corporations operating in multiple jurisdictions.
Disclosing client personal data to the SFC in compliance with such an SFC supervisory request will, in the SFC’s view, be consistent with the PDPO, as confirmed the SFC in its paper released on 5 June 2015 entitled "Consultation Conclusions on Proposed Amendments to the SFO Providing Assistance to Overseas Regulators in Certain Situations". The consultation conclusions follow the SFC's consultation paper on proposed changes to provisions regarding supervisory powers and assistance of overseas regulators (section 180 and 186) of the SFO, issued in December 2014.
In particular, the proposals give the SFC discretion to obtain information for the purposes of assisting an overseas regulator in non-enforcement related matters where a licensed corporation (or its group company) is also regulated by that overseas regulator. The SFC’s powers in relation to enforcement matters are not affected. SFC-licensed corporations may, therefore, be required to disclose personal data in response to such a SFC supervisory assistance request.
In response to concerns raised in the December consultations over the legality of disclosing personal data in response to a supervisory assistance request, the SFC noted the legal exemption in section 60B would apply to the SFC’s powers. Notably, section 60B provides that despite the requirements of Data Protection Principle ("DPP") 3 which requires consent for using personal data for a “new” purpose, personal data required or authorised under any enactment or rule of law in Hong Kong does not require the consent of the individual concerned. Under the section 60B exemption, the SFC considers that disclosing client information to the SFC when complying with an SFC request under the proposed changes would not breach the PDPO.
Although the Privacy Commissioner's approval is not required for reliance on section 60B, it's worthwhile to note he is yet to comment on the scope of the proposed changes or the SFC's comments on the application of the PDPO.