Hong Kong – No hiding: mandatory registration of personal information for pre-paid SIM cards

For context, Government figures report that there are approximately twelve million pre-paid SIM (PPS) cards and nine million SIM service plan (SSP) customers in Hong Kong.

Here is a summary of the key features of the Registration Programme:

• Telecommunications operators must not activate SIM cards unless users have registered their personal data including their full name in English and Chinese (as applicable), HKID number or other identity document number, a copy of their identity document and date of birth.

• A cap will be imposed on the number of PPS cards for which each user can register. After public consultation, the Government has relaxed the cap as follows:
• • For individual users, the cap has been lifted from three PPS cards, as originally proposed, to ten PPS cards for each user.
  • Each corporate user registered under the Business Registration Ordinance can register up to twenty five PPS cards
• The Registration Programme will be implemented in two phases, with the following transitional periods:
• • Phase 1 – with effect from 1 September 2021, telecommunications operators will have around 180 days (extended from 120 days as originally proposed) to put in place the registration system. After this period, all new PPS and SSP cards must be registered before activation.
  • Phase 2 - existing PPS card users will have 360 days (extended from 240 days as originally proposed) after 1 March 2022 to complete real-name registration with telecommunications operators. Any unregistered PPS cards after this period will be deactivated or suspended. With regards to existing SSP customers, there is no need to “re-register” as relevant personal data has already been collected and retained by operators.
• Telecommunications operators are required to check and verify the information provided by subscribers and to deregister SIM cards when necessary. After deregistration of SIM cards, the information collected should be kept and stored for 12 months.
• Law enforcement agencies (LEAs) can request telecommunications operators to provide SIM cards registration records with a warrant.  However, warrantless access is provided for if there is reasonable cause to suspect that a serious offence has been, is being, or is about to be committed or if it is necessary to access the data for the purpose of preventing loss of life or serious bodily harm to any person, in each case, if the delay involved in seeking a warrant would defeat the purpose of the access.

The Regulation was gazetted on 4 June and will be tabled at Legislative Council on 9 June for commencement on 1 September.

Key data protection implications

The new measures will apply to all mobile service operators/licensees providing SIM card services, including the larger mobile network operators and mobile virtual network operator and smaller operators under the Class Licence for Offer of Telecommunications Services.

While service operators will need to continue to comply with the requirements of the Personal Data (Privacy) Ordinance (Cap 486) (PDPO), under the Registration Programme, operators will be responsible for the collection and safekeeping of additional personal data of its users. This would possibly involve the setting up of additional infrastructure and back-end systems for registering and storing personal data of users, implementing procedures to address requests for access by LEAs and providing relevant staff with training.

Collection of copies of identity documents

While the PDPO does not expressly include any concept of “sensitive personal data” that is subject to stricter controls, the PDPO’s Data Protection Principle 4 does require data users to consider the kinds of data they process and the harm that could result if there were any unauthorized access to it when they determine appropriate security controls.  Copies of identity documents and identity card details are required to be handled in accordance with the Code of Practice on the Identity Card Number and other Personal Identifiers.

During the public consultation on the Registration Programme, the Office of the Privacy Commissioner for Personal Data (PCPD) proposed that SIM card users be given the choice to submit copies of their identity documents to service operators, depending on the mode of registration. For instance, the PCPD proposed that users that are registering online would have to provide a copy of the identity document for verification purposes, whereas users registering in person in physical stores could simply produce the original identity document for verification, without having to deposit a copy of the same.

Having considered the submissions received, the Government retained the requirement  to submit a copy of the subscriber’s identity document, regardless of the mode of registration.

Retention of personal data

The Registration Programme requires users’ personal data to be kept for 12 months after the SIM cards are deregistered. Beyond this period, this general requirement under the PDPO still applies, i.e. personal data shall not be kept for a period longer than is necessary for the fulfilment of the purposes for which the data is to be used. Service operators may need to review and amend their current data privacy practices and policies.

Disclosure of personal data to LEAs

As mentioned, one of the features of the Registration Programme is that LEAs can request service operators to disclose SIM card registration records without a court warrant for dealing with urgent or emergency situations for the purpose of investigation or prevention of crimes. While the PDPO and other legislation already have similar provisions, the introduction of this new measure has led to personal privacy concerns, in particular whether the grounds for warrantless search are sufficiently clear. It remains to be seen whether the Communications Authority would issue further guidelines on this topic or whether one would need to wait for judicial cases to cast light on the scope.

Further guidelines

To facilitate the implementation, the Communications Authority is currently working on guidelines to explain and illustrate the requirements of the Registration Programme.

Our team at Hogan Lovells are following the changes closely. Watch this space for further updates.

Authored by Eugene Low, Mark Parsons, and Catharine Lau