Insight: SVF and Data Protection
Updated: Aug 3, 2019
Despite the ease of making payment, the rise of mobile payment systems and stored value facilities (“SVF”) has its own risks, particularly in respect of cybersecurity, data security and confidentiality. There is also concern about the use of the personal data of users collected through these systems. One SVF operator was reported to have the right to decide, on a case-by-case basis, for how long individual user data is stored in its database,[1] while others have been reported to have collected consumer credit data without users’ express consent and shared it with their business partners. This brief summary explores the connection between privacy regulations and SVF in Hong Kong.
Under the Payment Systems and Stored Value Facilities Ordinance (Cap. 584) (“the PSSVFO”), any entity that wishes to be an issuer of SVF must obtain a licence as an SVF issuer from the Hong Kong Monetary Authority (HKMA), failing which the entity will be convicted of a criminal offence, with a fine, for issuing SVF without a licence. To date, there are thirteen (15) SVF licensees and three (3) licensed banks (which have been regarded as SVF licensees) in Hong Kong.
One of the criteria for determining whether an SVF licence will be granted, inter alia, is that an applicant must show that it has in place a sound ‘prudential and risk management’ system in its business operation. Such a risk management system must correspond with the scale and complexity of the scheme, including adequate security and internal controls to ensure the safety and integrity of data, personal data and records (Para. 5 of Part 2 of Schedule 3 of the PSSVFO).
Alongside the licensing requirement under the PSSVFO, SVF issuers must also comply with the applicable laws and regulations in respect of the personal data of their users in Hong Kong, such as the Personal Data (Privacy) Ordinance (Cap. 486) (“the PDPO”).
Data security and confidentiality of personal information should be a priority for SVF issuers. On 25 August 2016, the Privacy Commissioner for Personal Data, Hong Kong (PCPD) issued a media statement on tips and advice as to how SVF issuers should deal with personal data under the PDPO regulatory regime.
According to the statement, when SVF issuers are collecting personal data, they should explain the purpose(s) to the data subject in a simple, succinct and user-friendly way. DPP (3) states that a data user, when collecting personal data directly from a data subject, must take all reasonably practicable steps to ensure that the data subject is explicitly informed before any collection of his or her personal data.
The PCPD’s statement also touches on the point that if the SVF issuer intends to use the personal data collected from data subjects for a purpose not directly related to payment, the SVF issuer should seek the express consent of the person, given voluntarily. A similar provision can be found under DPP (3), which states that personal data shall not be used for a ‘new purpose’, i.e. any purpose other than the purpose for which the data was collected or a directly related purpose, unless ‘prescribed consent’ from the data subject is obtained. Under the PDPO, prescribed consent means ‘express consent of the person given voluntarily and which has not been withdrawn in writing’ (s.2(3) of the PDPO).
Apart from the above, the PCPD’s statement also made several references to the following matters:
• The importance of data access and correction requests as promulgated under DPP (6) of the PDPO, which states that a data subject must be given access to his or her personal data and allowed to make corrections if it is inaccurate;
• The importance of ‘notification’ and ‘consent’ for the use of personal data for direct marketing which has been covered under DPP (1) of the PDPO, where it states that only necessary, adequate but not excessive personal data is to be collected by a data user for a lawful purpose directly related to its function or activity; and
• The need to observe the obligations of data users when dealing with outsourcing agents as DPP (2) states that if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the SVF issuer’s behalf, the SVF issuer must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing the data.
As Hong Kong is moving toward a cashless society and embracing the 4th industrial revolution, more SVF issuers are expected to enter the Hong Kong market. With this, the concern over personal data protection in relation to SVF and e-Wallets will continue to be a relevant topic in the Hong Kong payment industry. It is crucial for SVF issuers to continuously invest in ensuring that the financial affairs of their users are kept secure and private, and to remain vigilant in maintaining the stability and reliability of their systems.
1. Chen, C., ‘Here’s what happens with your data when you use a Chinese messaging app’, SCMP (dated 4th January 2018)
2. Reuters, ‘China scolds Alipay over breach of users’ privacy’, SCMP (dated 25th January 2018)
3. Dai, S. and Soo, Z. ‘Chinese tech giants struggle with data privacy as they seek to crack US market’, SCMP (dated 5th January 2018)
4. HKMA, Register of Stored Value Facility Licensees
5. PCPD, ‘e-Wallet - Privacy Commissioner Provides Practical Tips and Advice on Controlling Personal Data’, dated 25th August 2016