香港的金融牌照制度 | Financial License Authorites in Hong Kong

香港是一个金融之都。金融牌照发放主体很复杂。在这里列一下:

  1. 香港金融管理局(HKMA,以下简称金管局)

1.1 认可机构

  • 银 行 
  • 有 限 制 牌 照 银 行 ;及 
  • 接 受 存 款 公 司 

根 据 《 银 行 业 条 例 》 , 认可机构包括银行、有限制牌照银行及接受存款公司 ,形成三级发牌制度。 有限制牌照银行及接受存款公司在接受存款的金额及存款期上都受限制 ,同时只有银行才可经营支票及 储蓄户口的业务 。至于可以从事的 贷款或投资业务种类方面 ,各级认 可机构之间并没有分别 。

1.2. 認可機構證券業務員工

这是对个人发放的牌照。認可機構證券業務員工紀錄冊載有現任及前任有關人士的資料,即在香港從事證券業務及/或《證券及期貨條例》所界定的其他受規管活動的認可機構現任及前任僱員。

1.3. 儲值支付工具持牌人

儲值支付工具牌照是发给类似八达通、支付宝等钱包业务的牌照。

1.4. 虚拟银行牌照

  1. 放債人牌照:警务处、公司注册处、法庭

任何人在香港經營放債人業務必須領取放債人牌照。放債人的領牌事宜及放債交易受香港法例第163章《放債人條例》規管。

  • 放债人法庭:負責就放債人牌照申請作出裁定及發出牌照。
  • 放债人注册处处长(现由公司注册处处长兼任):負責處理放債人牌照,牌照續期及在牌照上簽註的申請;並備存放債人登記冊以供公眾查閱。
  • 警務處處長:負責執行《放債人條例》,包括審查放債人牌照、牌照續期及簽註的申請,以及調查有關放債人的投訴。
  1. 汇款业务牌照—由海關關長發出

全称为:金錢服務經營者(即匯款代理人和貨幣兌換商)牌照

根據打擊洗錢條例,海關關長是有關當局,負責監管金錢服務經營者(即匯款代理人和貨幣兌換商),監督持牌金錢服務經營者在客戶盡職審查及備存紀錄的責任和其他發牌規定的合規情況,以及打擊無牌經營金錢服務。

  1. 證券牌照—由證監會發出

下列為《證券及期貨條例》所界定的受規管活動:

牌照 受規管活動 例子
第1類 證券交易 • 為客戶提供股票及股票期權的買賣/經紀服務

•為客戶買賣債券

•為客戶買入/沽出互惠基金及單位信託基金

•配售及包銷證券

第2類 期貨合約交易 • 為客戶提供指數或商品期貨的買賣/經紀服務

•為客戶買入/沽出期貨合約

第3類 槓桿式外匯交易 • 以孖展形式為客戶進行外匯交易買賣
第4類 就證券提供意見 • 向客戶提供有關沽出/買入證券的投資意見

•發出有關證券的研究報告/分析

第5類 就期貨合約提供意見 • 向客戶提供有關沽出/買入期貨合約的投資意見

•發出有關期貨合約的研究報告/分析

第6類 就機構融資提供意見 • 為上市申請人擔任首次公開招股的保薦人

•就《公司收購、合併及股份購回守則》提供意見

•就《上市規則》的合規事宜為上市公司提供意見

第7類 提供自動化交易服務 • 操作配對客戶買賣盤的電子交易平台
第8類 提供證券保證金融資 • 為買入股票的客戶提供融資並以客戶的股票作為抵押品
第9類 提供資產管理 • 以全權委託形式為客戶管理證券或期貨合約投資組合

•以全權委託形式管理基金

第10類 提供信貸評級服務 • 就公司、債券及主權國的信用可靠性擬備報告

理解GDPR的跨境效力其实很简单 – It’s simple to understand the extra-territorial effect of GDPR

calm to GDPR《欧盟数据保护条例》(GDPR)已于2018年5月25日生效。在此之前(乃至直至现在),隐私律师为此已经忙碌了很久。由于GDPR具有某种“域外效力”,位于欧盟之外的企业也总会担心,希望了解自己在欧洲之外的生意是否收到影响。
The EU General Data Protection Regulation (GDPR) has come into force on 25 May 2018.   Before the day (and maybe until today), privacy lawyers have been busying in advising their clients on how to comply with the new law .  In particular, since GDPR implies certain “extra-territorial effect”, enterprises located outside of EU are also seeking advice from their counsels on whether the the new regulation would impact their business outside of Europe.

香港電腦保安事故協調中心 (HKCERT) 在一篇帖子里列出了GDPR适用于非欧洲企业的一些例子:
In their post, HKCERT has listed a few examples where a non-EU company’s service would be considered under GDPR’s umbrella.

  1. 未在欧洲设立任何分支机构的一间公司,通过建立于美国服务器的网站向在欧洲内的个人提供免费的社交服务——GDPR适用
    A Company without any EU subsidiaries offering free social media services via a website hosted in US to individuals in the EU – GDPR applies
  2. 酒店预订服务,使用cookies追踪过往顾客(包括身在欧盟的顾客)的浏览历史,以便定向投放广告——GDPR适用
    Hotel book business using cookies to track past customers’ (including EU-based customers) browsing in order to target specific hotel adverts to them – GDPR applies
  3. 一家香港的鲜花速递公司允许身处于欧洲的个人通过该公司的网站在香港订购鲜花并送达香港本地的收件人。而送花的费用是以欧元计价——GDPR适用
    HK flower delivery company allowing individuals in the EU to make orders for fulfilment only in HK. The price for the flower delivery services is denominated in an EU currency – GDPR applies

  4. 香港的零售公司使用网站接收预订并送货。身处欧洲的个人可以访问网站,但网站是英文的。订单是以港币计价,送货范围仅限香港地址—— GDPR不适用
    HK retailer with a website for orders/deliveries. The website is accessible to individuals in the EU in English. The currency is the HK dollar and the address fields only allow HK addresses – GDPR doesn’t apply

那么,究竟应该掌握什么规律,才可以简单确定GDPR的跨境效力呢。很简单:如果你的企业不在欧洲,并且不以身处于欧洲的个人为目标消费者,那么GDPR就管不了你。
Put it in simple, the extra-territorial effect of GDPR is limited. If your company is not targeting individuals who are physically staying in the territory of Europe, GDPR won’t apply to your business.

需要澄清的是:GDPR并不管EU国家公民在EU范围外接受服务时,提供自己的个人信息的情况——只要这些信息的采集和处理过程均是在 EU境外完成。例如,下面这些例子中,服务提供者并不需要将 GDPR作为其处理EU护照持有者的个人信息时的准则,而只需要遵守服务提供当地的法律:
It is important to clarify that GDPR does not apply to the collection and process of a EU passport holder’s personal data when the personal data is collected and processed outside of EU.  For examples, in the following cases, service providers don’t need to take GDPR as the standard for the processing of personal data collected from a EU passport holder, but just need to consider the local laws where the service is provided:

  • 一家日本旅行社为一名通常居住于以色列的法国人提供旅行服务;
    a Japanese company offering tourism services to French expats living permanently in Israel;
  • a mobile APP recommending restaurants in Hong Kong, which enables a UK passport holder to book table and receive discounts.
    一个推荐香港的餐厅的手机APP,可以让身处香港的英国人通过预定餐厅或者获得优惠。

事实上,GDPR其实根本不考虑国籍(其第二条已经说得很清楚了)。GDPR考虑的是在欧盟范围内的任何数据主体的权利。所以,一位旅居于德国的叙利亚难民也拥有与欧洲护照持有者相同的权利。如果你的公司瞄准了在欧洲留学的中国学生,那么你也要以GDPR作为自己的隐私权政策标准。
In fact GDPR never considers citizenship (according to its Article 2).  It simply protects the rights of data subjects for anyone living in the territory of EU. Therefore, a refugee living in Germany will enjoy the same right to the EU passport holders. If your company targets Chinese students studying in Europe, then you should take GDPR as the standard of your privacy policy.

GDPR的跨境效力,其实主要是体现在其对在欧洲营业的企业的规管:只要你的营业地是在欧洲,或者是只要收集信息的主体位于欧洲,那么不管你收集的是来自哪里的个人信息,你都需要符合GDPR的要求。更多的例子可以参考这里
The extra-territorial effect of GDPR is mainly reflected in its effects to the companies who are operating in the territory of EU.  Namely, if a data collector/controller is located in EU, then it shall comply with GDPR, without considering whose data will be collected and where the data will be originated.  See more examples here.

合规过程不易,但思路应当保持简洁。
The process of compliance is not easy, but its concepts should be kept simple.

Data Privacy under the PRC Network Security Law and the Draft PRC E-Commerce Law

First, here are some slides for quick reference if you are lazy and don’t want to read.

Capture6

Capture7
Capture8

The PRC Network Security Law (“NS Law”) has come into force on June 1, 2017. This law provides certain provisions in relation to the data privacy. Some of them appear to be beneficial to the individual data owners, whilst some others may be counter-productive to the protection of data privacy.

In parallel, the legislative branch of the Chinese government has published a draft PRC E-Commerce Law (“Draft EC Law”) for public consultation in December 2016.  This draft law has not yet to be passed by the PRC National People’s Congress (NPC) to become effective. However, its provisions have reflected some basic attitudes of the Chinese authority towards the protection of data privacy.

This essay sets out and provides my comments on the key provisions with respect the data privacy under the NS Law and the Draft EC Law.  In order to make readers digesting these laws easily, I will apply Daniel J. Solove’s theory of categorization of the data privacy issues.

1. Data Collection and Aggregation

“Aggregation” means the gathering of a person’s data from different sources and then combining them to form a clearer image of the person.

  • Art. 22.3 of the NS Law: ISP cannot collect its users’ personal information without the expressive consent. Art. 41 of the NS Law: ISP shall publish the rules, purpose, method, and scope of collection of personal information. No collection without users’ consent.[Comments: (i) These provisions do not distinguish “collection” and “aggregation”.  (ii) As a result, although these provisions have clearly required an operator to obtain consent before collecting its users’ information, they did not address the issue whether a third party can search and aggregate personal information (either from the public domain or from the first-hand data collectors.)]

2. Surveillance

Surveillance means the act or system enabling the government or a company to monitor user’s activities (“Big brother is watching you”).

  • Art. 51 of the Draft EC Law obliges E-commerce business operators to provide data to government authority (although it also said that the government authority should adopt “necessary measures” to protect data security).
    [Comments: (i) This provision legitimized (rather than prohibited) the surveillance practice.]
  • Art. 21.3 of the NS Law: ISPs are obliged to monitor and record user’s activities and should keep records for no less than 6 months.
    [Comments: (i) this could be counter-productive to protecting privacy from the individual data owner’s perspective; (ii) the 6 months storage obligation is not new in China, but the NS Law makes the compliance to be a necessity (at least on paper). ]

3. Identification

Identification means to identify a particular person or a particular group of persons by data analysis.

  • Art. 42.1 of the NS Law: No sharing of identifiable personal data without consent. Art. 50 of the Draft EC Law: an E-commerce business entity is obliged to take protection measures to ensure anonymity before it shares the e-commerce data with another E-commerce business entity.[Comments: Article 42 of the NS Law first prohibits business operators from divulging personal information to a third party. Then it says that if the data cannot identify a particular person, then it is fine to transfer without the data owner’s consent. Article 50 of the Draft EC Law has generally kept consistency with the NS Law on this regard. ]
  • Art. 45 of the Draft EC Law confirms that the buyers have autonomy over their personal data; it also defines the personal data with a detailed list, such as name, ID certificates number, address, contact details, information of geographical location, bank card info, transaction records, payment records and records of accepting logistic services.[Comments: The Draft EC Law did not distinguish the “private personal data” and the “business personal data”.  In some countries, use and aggregation of the business contacts (e.g. office telephone numbers, office email address and other info shown on a business card) may enjoy certain exemptions.]
  • Art. 46 of the Draft EC Law first provides that collection of personal data requires user consent; then it prohibits the denial of service due to the user’s refusal of providing personal data.

4. Disclosure and Insecurity

Disclosure means the data holder’s own act of disclosing the private facts. Insecurity means the situation that the data is attacked and stolen.

  • Art. 21. 2 and 21.4 of the NS Law request ISP to take technical measures to protect its system from attack; ISP also needs to classify, backup and encrypt data.
  • Art. 22.1 and 22.2 of the NS Law request ISP to take remedial actions when its system is in risk; provide security maintenance during the term of service. These provisions also generally requested the producer of network security products or services to report the authority about the data breach.
  • Art. 27 of the NS Law generally prohibits hacking acts. It also prohibits the assistance of hacking practice, such as tech support, advertising, and settlement of payment.
    [Comments: The provision did not clarify if the “assistance” means knowingly assistance. It also did not clarify if “constructive knowledge” also applies to this provision.]
  • Art. 42.2 of the NS Law requests ISP to take technical measures to protect data from disclosure, damages or loss. It also mentioned that the data holder shall report the data breach to the relevant authority.
  • Art. 49 of the Draft EC Law provides that e-commerce business entities must establish rules and technologies to prevent disclosure of data. It also provides if there is a data breach, the e-commerce business entity is obliged to (i) take remedial measures, (ii) notify the users and (iii) report to government authorities.

5. Exclusion 

Exclusion means the act/rule disabling/excluding a user from maintenance and deletion of his personal data from the system. The reason for deletion can be either those data are objectively outdated or the data owner simply changed its mind of disclosing the data.

  • Art. 43 of the NS Law: User has right to request deletion if the service provider’s collection or use of personal information in breach of the law/agreement; or there are mistakes in the personal information.[Comments: According to this provision, if there is no mistake in the personal information and the service provider does not breach the contract, then the data owner will not have right to remove the data he/she has provided to the service provider. It is not clear whether “mistake” herein includes “outdated”.  However, it seems clear that data owner would have lost an absolute right of deletion.]
  • Art. 47 of the Draft EC Law: provides that when a user requests correction or supplement of his/her personal information, the E-commerce business entity should correct or supplement the information accordingly.
  • Art. 48(3) of the Draft EC Law: provides that a user has right to delete its personal information. However, such right of deletion only arises (and is only mentioned) upon lapse of agreed / statutory term of preservation of personal data.

6. Increased Accessibility

Increased accessibility means, without the consent of the personal data owner, making the information that is already available to the public EASIER for a wider scope of the audience to access.

E.g., a buyer’s review of a particular product is usually made available to the public.  However, the buyer might not want his friends or colleagues to know that he purchased such product.

Neither the Draft EC Law nor the NS Law has provision preventing increased accessibility of data.

7. Blackmail, which means using a person’s personal data to blackmail him/her.

In e-commerce scenarios, it is possible that an e-commerce vendor may blackmail a buyer with the buyer’s personal records when the vendor gives a negative review of the vendor’s product. The Draft EC Law has no provision preventing such blackmails.

8. Distortion

Distortion: means disseminating false and misleading information to manipulate the way a person is perceived and judged by others.

  • Art. 42.1 of the NS Law provides that service providers cannot distort personal information. But this appears to be too general.
  • Art. 52 of the Draft EC Law stipulates that the state should promote all e-commerce business entities to ensure that information is accurate and reliable etc.

9. Second Use

Second use means the use of data for purposes unrelated to the purposes for which the data was initially collected without the data subject’s consent.

  • Art. 52 of the Draft EC Law provides that the State shall establish public data sharing mechanism. Such mechanism necessarily involves the second use of data. However, no guidance or rules are provided in relation to second use except to the extent that the State should ensure e-commerce business entities shall protect the liability, security, and authenticity of aggregated data.

 

Draft PRC E-Commerce Law: Compliance Check

Below are a few slides reflecting the result of a compliance check of the leading e-commerce service providers’ user terms or privacy policies (sorry I will not disclose their names).  The survey was conducted under the assumption that the provisions in Draft PRC E-Commerce Law (as published for public comments on December 27, 2016) will be effective.

Capture1

Capture2

Capture3

Capture4 Capture5

Integrating the Cultural Diversity into the Welfare Theory: What We Should Acknowledge in the Debates

IP & Creative Industry Series:

Integrating the Cultural Diversity into the Welfare Theory: What We Should Acknowledge in the Debates

Executive Summary

Other than listing out the “advantages” and “disadvantages” of each school of the IP theories, this essay tries to apply the theories into two controversial topics: (a) traditional knowledge and (b) copyright reform.

This essay argues that, while each of the four mainstream IP theories has their “functions” in policy forming, the welfare theory brings a platform for stakeholders in different sectors and countries. However, without appreciating the diversity of culture and the variety of people’s demands to the good life, it would be hard to reach consensus on basic aspects of the IP law reform, not to say building a legal system that is adaptive to the fast-developing technologies.

The next section of this essay addresses the hype in the protection of “traditional knowledge”. I will argue that, while the “fairness” theory and the “personal hood” are used to support their arguments, parties of debates appear to cite these theories with utilitarian purposes. The platform of conversation was actually built on the base of welfare theory.

The third section discusses the copyright reform by reviewing the history of Chinese copyright laws. I will argue that he driving force of copyright reform in developing countries are utilitarian purposes. Personhood and fairness theories are used by policy makers to decorate their arguments. Social welfare integrated with cultural perspectives is indeed the driving force of legal reforms.

Debates on Traditional Knowledge

Among others, debates relating to traditional knowledge focus on two aspects of sub-topics. One is about the protection or using of traditional culture heritages in contemporary arts or entertainment contents; the other focuses on using certain community’s knowledge in medical or other scientific developments.

To support their arguments in “creating new laws to protect” the indigenous communities from free use of traditional knowledge by current content industry and pharmaceutical industry, people cite theories from different schools of IP theories. For examples:

  • using labor-desert theory to argue that the culture heritages should be owned by the original group of people and their descendants;
  • using distributive justice theory to argue that enabling indigenous people with certain IP protection to their cultural expressions is a mechanism of redistribution of wealth;
  • using personhood theory to argue that because traditional knowledge manifests the personalities of their creators, the IP laws should admit the interest of the descendant’s of the creators.
  • On the other hand, people against the new exceptions and laws for the traditional knowledge also cites various theories purposely (if not randomly). For examples,
  • using the “public domain” theory (which derives from the Lockean theory) to argue that traditional knowledge protection will “encroach the public domain” and thus prevents freedom of idea and discourage the innovation;
  • using personhood theory to argue that, because all persons must be enabled to express themselves artistically, the low should recognize increasing dependence of creativity upon re-use of existing knowledge;
  • using the welfare theory to argue that, because it is hard to identify the ownership of traditional culture, creating new laws for them will not provide welfare to the whole society; and
  • using the autonomy theory under the culture school to argue that people should not be bound to choose a particular traditional culture.

By observing the above arguments, one may find that arguers on both sides appear to flip their positions on various IP theories and cite “useful” ones to support their arguments respectively. In particular, a very interesting phenomenon is that the “public domain” theory, whose arguers are generally opposing restriction of the public use of the traditional knowledge, is controversially preferred by developing countries in their arguments in favor of the exceptional IP rules for the traditional knowledge. In my view, this flipping of positions per se shows that the arguers are largely base their arguments with utilitarianism.

Then, if people are indeed mostly relying on the welfare theory, why different people have conflicting views on the protection/restriction/exception of the traditional knowledge? The answer can be found from the culture version the IP theory. Different countries have different interest given their regime, geographic location, and history. Within one country, a different group of people also have different interest as well as the preference for good life. Such matrix of diversity makes debates on the traditional knowledge complicated.

Copyright Reform

Similar to the debates on traditional knowledge, the discussion (and legislative practice in many countries) for copyright reform is also complicated due to diversity of interest and the different culture traditions, but on its surface, arguers tend to not acknowledge this reason but like to utilize the social welfare theory (as a tool but not a guiding philosophy), the fairness theory and the personhood theory to justify their positions.

This leads to flips among theories too. For example in the recent discussion on amendments to the PRC Copyright Law, arguers for a stronger power of collective management societies cite the theory of social welfare to support their points. In the meantime, the same group of people may utilize the personhood theory to support the right of lending and the right of withdrawing (with an updated version of work). The fairness theory is particularly popular in arguing that the “remuneration” right is more important than the right to prohibit public from using a work (i.e. the injunctive reliefs).

There are researches showing that even in European countries, incentive theory, instead of the “personhood rights”, is the main power driving the creation and development of copyright laws. Respect to moral rights is largely a tradition derived from the logic of the continental civil acts. In other words, traditions and cultural factors are more important in forming the social views on copyright protection and the scope of fair use.

This is also the case in China, historical evidence shows that Chinese culture does not have a tradition of “property” that stresses the prohibition rights. In the meantime, providing high remunerations to the authors (either by the government or private users) is a continuous tradition. This explains why the injunctive reliefs are less supported in Chinese courts and why China has developed remuneration rules even during the years of 1960s-1970s. This also explains why in the regulations on protection of the right of communication through information networks, the law makers have provided generous fair use exceptions to use of works for remote education and for poor regions.

Conclusion

By observing the debates in traditional knowledge and the driving force in copyright reform, this essay concludes that the social welfare theory derived from utilitarianism is the actual driving power in the legal reform.  In addition, diversity of culture and tradition brings different views on the function of the IP regime.  Acknowledging these two points will bring all the arguers to the same table and thus enable us to find the essence of debates more efficiently.