Computer and Telecommunications Law Review has published Gabriela Kennedy’s article on a statement issued by the Hong Kong Privacy Commissioner (PC) setting out advice on the collection of personal data by Stored Value Facilities (SVF) operators, as the first five stored value facility licenses were granted by the Hong Kong Monetary Authority (HKMA) under the Payment Systems and SVF Ordinance (Cap. 58) (PSSVFO) on 25 August 2016.
Gabriela addressed the risks of being in breach of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) and of cyber attacks, as SVF operators collect more personal data from consumers. SVF operators should carry out a privacy due diligence exercise to ensure their internal procedures comply with the PDPO and that their security measures are sufficient. The new regulatory regime for SVFs and retail payment systems (RPS) came into operation under the PSSVFO on 13 November 2015, requiring issuers of SVF or new market operators to apply for SVF licences from the HKMA. In order to obtain the required licence, SVF operators were provided a one-year grace period, which came to an end on 13 November 2016 – it is now a criminal offence to issue or operate any non-exempt SVFs without a licence from the HKMA.
Gabriela is the Asia editor of Computer and Telecommunications Law Review.