Hong Kong is considering softening new data storage rules, amid concerns of conflict with confidentiality laws elsewhere as authorities globally look to balance regulatory requirements, companies’ needs and privacy concerns, two people said.
The rules, published in an October circular and effective from June 2020, require banks and other regulated groups to store data locally or ensure their cloud provider guarantees to hand over information on request to Hong Kong’s Securities and Futures Commission (SFC) without notifying their client.
But handing over data to the SFC could mean breaching other governments’ confidentiality requirements, such as the European Union that has strict data protection rules, global cloud providers say. Local storage also means international players must separate Hong Kong-specific data, which is difficult.
It is unclear what specific steps the SFC will take to ease the rules, the people with knowledge of the matter said.
But industry bodies are working with SFC on some frequently asked questions to clarify the rules – to make compliance easier without limiting the regulator’s ability to obtain data during investigations, one of the people added.
The regulator has in recent years taken a more aggressive stance against market misconduct after a series of wild price swings in Hong Kong’s markets. It has used search warrants 14 times between April and December 2019, according to law firm Freshfields’ calculations.
Neither sources wanted to be named as the negotiations are private. An SFC spokesman declined to comment.
“The practical consequences of the circular are that it will be difficult, and much more expensive, for Hong Kong entities licensed by the SFC to store data with third party cloud providers,” said Carolyn Bigg, a partner at law firm DLA Piper.
“In effect this is data localisation by the back door.”
Industry bodies negotiating with the SFC to soften the rules include the Asia Securities Industry and Financial Markets Association (ASIFMA), whose members include the world’s largest financial firms, and the Hong Kong Securities Association (HKSA), representing local brokers, one source said.
The outcome could include guidance on global institutions in Hong Kong using group-wide data centres, the person said, or making stored records unalterable, the other source said.
“The issue is the SFC’s desire to gain access to records of licensed entities for enforcement … when many of them store data with overseas groups or external cloud providers,” Eugenie Shen, head of ASIFMA’s Asset Management Group, said by email.
HKSA did not respond to requests for comment.
The circular marks the first time that Hong Kong has stipulated how banks should store information. Mainland China and India already have strict rules about storing data onshore.
Singapore and the United States said in a joint statement last month that they “oppose generally applicable data localisation requirements as long as financial regulators have access to data needed for regulatory and supervisory purposes”.
(Via Reuters; Reporting by Alun John; Editing by Jennifer Hughes and Himani Sarkar)