Back

Policy Statement & Submission

2021/03/19

Consultation Paper on Real-name Registration Programme for SIM Cards

19 March 2021

Mr Edward Yau, GBS, JP
Secretary for Commerce and Economic Development
Commerce and Economic Development Bureau
21st Floor, West Wing, Central Government Offices
2 Tim Mei Avenue, Tamar
Hong Kong

Dear Mr Yau,

Re: Consultation Paper on Real-name Registration Programme for SIM Cards

The Hong Kong General Chamber of Commerce is pleased to submit our views in response to the Government’s proposed introduction of a mandatory registration system for pre-paid Subscriber Identity Module (SIM) cards.

The Chamber agrees that the potential for abuse of non-contractual SIM cards is real and significant but recommends that a balanced and measured approach be adopted to regulate their use. In practical terms, this would entail examining the potential costs and benefits of such a system, addressing privacy implications and providing greater clarity on the rights and responsibilities of users and operators, as well as those responsible for enforcing the law.

We hope you will find our comments useful to your deliberations.

Yours sincerely,

George Leung

CEO

Encl.


Commerce and Economic Development Bureau Consultation Paper “Real-name Registration Programme for SIM Cards” (January 2021)

Response by The Hong Kong General Chamber of Commerce (HKGCC)

HKGCC welcomes the opportunity to respond to the proposals in this Consultation Paper (the CP). We set out below first our general comments on the proposed compulsory registration of the identity of SIM card users in Hong Kong, and then our specific comments on each of the proposals in the CP.

General Comments

  1. The CP describes how the anonymity provided by pre-paid SIM cards in Hong Kong has enabled them to be used extensively for various criminal activities[1]. Against this background, it seems that the proposed compulsory registration system for these cards has two objectives: (a) to deter their use for criminal activities, by removing the current anonymity that they provide; and (b) where they are used for criminal activities, to enable the perpetrators to be identified and therefore brought to justice more easily[2]. While we agree with these objectives, it should be noted that those intent on criminal activities through telecommunications have other means of doing so without disclosing their identities, such as faking their caller identification or using overseas numbers. The proposed compulsory registration system would therefore not be a panacea for this problem, and further measures may be required to address it.
     
  2. With this in mind, it would be instructive to know if the jurisdictions which have implemented SIM card registration systems - some 155 according to the CP[3] - have experienced a net reduction in the crimes associated with pre-paid SIM cards, as a result of the introduction of a registration system. This information would help demonstrate whether the potential benefits of such a system would outweigh the substantial costs of implementing it (costs are referred to further in paragraph 4 below).
     
  3. The proposed compulsory acquisition of personal data as a condition for the provision of mobile telecommunications services, and the potential disclosure of such data to “law enforcement agencies” (which are not defined in the CP) clearly raises implications under the Personal Data (Privacy) Ordinance (PDPO). It is important that there is no conflict between the proposed regulation that would implement the compulsory registration system[4] and the PDPO, to avoid any legal uncertainty about how the new regime will operate. Avoiding such uncertainty will benefit both the businesses that need to comply, and those responsible for enforcement. Under the PDPO, the first data protection principle (DPP 1) is that personal data may only be collected “for a lawful purpose directly related to a function or activity of the data user who is to use the data”. Would the licensees’ collection of personal data for the purpose of the prevention or detection of crime (the purpose of the proposed compulsory registration system) directly relate to the function or activity of the data user? We assume that the Bureau is satisfied that this is the case, or if not, that such collection would be covered by one of the exemptions in the PDPO, in particular under Section 58 (relating to crime). If this is not the case, an amendment to the PDPO may be required to permit the collection of personal data for such a purpose.
     
  4. The costs of implementing the new regime - with millions of pre-paid SIM cards circulating in the market, and requiring the setting up of new databases[5] - will undoubtedly be substantial. It is not clear from the CP whether the mobile operators will be expected to bear all of these costs, or whether the Government will be contributing, in whole or in part, to these costs. Given that the new compulsory registration system is designed to achieve a public purpose, namely the prevention or detection of crime, it seems reasonable that the Government should bear the start-up costs of the new registration system, or at least make a substantial contribution towards them.

Comments on Specific Proposals

Proposal 1

SIM card users should provide the following information as set out in their identity document, together with its copy, for registration –

  • name in Chinese and English (as applicable);
  • identity document number (HKID number or serial number of other acceptable identity documents such as travel documents for visitors);
  • copy of identity document; and
  • date of birth.

A company or corporation can be registered as a PPS user if it can provide business registration information and designate a person (with provision of his or her personal particulars as listed above) as representative or responsible person for the company/corporate user.

The scope of the SIM cards that would be subject to the new registration system needs to be clarified. For example, SIM cards sold in Hong Kong for use in Hong Kong would clearly be covered. But what about SIM cards sold in Hong Kong for use only outside Hong Kong, or SIM cards sold outside Hong Kong for use in Hong Kong? There are also SIM cards issued by overseas mobile operators which could be purchased and used in Hong Kong. To achieve the objective of the prevention and detection of crime, we believe that the registration system should apply to all SIM cards to be used for mobile devices in Hong Kong, whether or not they are sold in Hong Kong.

As regards companies or corporations, while we agree with the proposed requirement to provide business registration information and contact details for a designated person within the organisation, we do not agree that such person’s personal particulars need to be provided, as such person would not and should not be held liable for any misuse of the SIM cards (and this should be made clear under the new regime). Under DPP 1 of the PDPO, any personal data collected should not be excessive in relation to the purpose for which it is collected: the collection of personal information about the contact person in a company would in our view be excessive.

Proposal 2

Each user (including company/corporate user) can register no more than three PPS cards with each licensee.

We do not understand the rationale for such a restriction, in circumstances whether the sale of each SIM card can be traced to a particular individual or company under the proposed new regime. We are not clear whether there is any evidence that the absence of such a restriction might lead to the creation of a black market in registered cards, as the CP suggests[6]. On the contrary, it seems unlikely that a SIM card user would wish to take the risk of being implicated in a potential criminal investigation by selling the SIM card. Even if the user was prepared to take this risk, this possibility would exist whether the user has one, two, three or more SIM cards.

While it is difficult to see the benefit of such a restriction, there are definite costs:

  • it would interfere with the forces of supply and demand, by preventing consumers from buying services that operators are prepared to supply to them;
  • it would distort competition between operators, by preventing consumers from buying services from the operator of their choice: a user that wish to purchase nine SIM cards would be forced to buy three SIM cards from three operators, instead of all nine from the operator of their choice;
  • the restriction to three SIM cards from any operator would be particularly problematic for companies, which may require many more SIM cards for their staff. If they cannot purchase sufficient pre-paid SIM cards - with the flexibility and scalability that they provide - they may have to resort to more expensive and less flexible subscription plans, thereby increasing their costs.

We therefore oppose such a restriction.

Proposal 3

Registration of an SSP or PPS user below the age of 16 (young person) should be endorsed by an “appropriate adult” who may be the parent, relative or guardian of the young person or someone who has experience in dealing with the young person having special needs (e.g. a registered social worker).

While we have no objection in principle to this Proposal, it is not clear:

  • how the mobile operator is expected to verify whether the “appropriate adult” falls within a permitted category; and
  • whether the “personal particulars” which the appropriate adult will be required to provide are the same as those that the SIM card user will be required to provide under Proposal 1 above.

We recommend that these matters be clarified, either in the implementing regulation, or in guidelines that the Communications Authority (CA) will be invited to promulgate[7].

Proposal 4

Licensees should check, clarify, and verify the information provided by users, and to deregister the concerned SIM cards if there is reasonable ground to believe that the information provided is false, misleading, or incomplete.

As the Licensee has to rely on information contained in the identity document provided by the user, it is not in a position to verify that this information is accurate or that the document is genuine. It is not clear what would constitute reasonable grounds to believe that the information provided is false, misleading, or incomplete. If the obligation to de-register the SIM card under these circumstances is to remain, the CA guidelines should give examples of situations where de-registration would be justifiable.

Proposal 5

The personal information of the registered SIM card users should be kept and stored by respective licensees (including MNOs, MVNOs and CLOTS licensees) offering the relevant SIM services for at least 12 months after the SIM cards are deregistered.

Under the second data protection principle of the PDPO, all practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose for which it is to be used. It is not clear why a minimum period of as long as 12 months is considered necessary for keeping records of users after SIM cards are de-registered. This would impose substantial storage costs on licensees, given the vast number of SIM cards in circulation.[8] We would recommend that consideration be given to shortening this period to six months, or at most nine months.

Proposal 6

The real-name registration programme will be implemented in two phases. In the first phase, licensees should put in place a registration system with a database ready within the 120 days after the date of commencement of the Regulation. On the 121st day, i.e. the Registration Day, all new PPS cards that are available for sale in the market as well as new SSPs effective from this day will need to comply with the real-name registration requirements before service activation.

The second phase will allow 360 days after the date of commencement of the Regulation for users of existing PPS cards sold by licensees before the Registration Day to register their PPS cards in use (i.e. the Registration Deadline for PPS cards). Cards that have not completed real-name registration can no longer be used on the 361st day after the date of commencement of the Regulation.

Given the large scale of this project, it is crucial that sufficient time is allowed for it to be set up properly. Based on input from our relevant industry members, 120 days (only four months) would be insufficient for a proper system with databases and all the necessary procedures to be set up in Hong Kong. As the CP itself notes, the initial set-up phase in Macau (which has a population more than 10 times less than Hong Kong) was 180 days (6 months)[9]. We recommend that the initial set-up phase in Hong Kong should be at least 6 months and preferably 9 months (270 days).

The proposed duration of the second phase to register all existing PPS cards in use - namely 240 days (360 days minus 120 days) or 8 months - is also insufficient, given the vast number of PPS cards in use in Hong Kong[10]. We recommend that this period of 240 days be extended to 360 days (i.e. from 8 months to 12 months).

We note that in Macau, there was a further period of 180 days (6 months) allowing users of suspended PPS cards to apply for reactivation upon registration[11]. We recommend that this should also apply in Hong Kong.

Proposal 7

Licensees should not be required to re-register their existing SSP customers but should be required to ensure compliance with the real-name registration requirements upon commencement of new contracts or renewal of existing contracts.

We note the Bureau’s wish to minimise any impact of the new registration system on existing SSP users and operators[12]. For this purpose, where existing SSP users renew their contracts or choose to enter into new contracts, we recommend that operators should only be required to verify that the information provided by users is still correct, and make changes where necessary. Operators should not be required to go through the formal registration process for such customers. This would be unnecessarily burdensome, and any benefits from such a process would be exceeded by the costs. Registration should only be required for new SSP users, not existing ones.

The CP points out that some users, “especially the elderly and some needy groups”, may have difficulties in registering their SIM cards and require assistance in doing so[13]. It also states that the Bureau will collaborate with the mobile operators and non-governmental organisations in providing such assistance. It is not clear how this category of users would be defined, or what kind of assistance is envisaged.

would recommend that the “elderly” and “needy” category of users be defined. Consistent with the Bureau’s policy objective of minimising the burden of the new system on users and operators, we also recommend that the Bureau consider exempting this category of users from the registration requirement. Otherwise, if a manual registration process had to be created for this user category, this would impose substantial cost on the operators and users, which would not be outweighed by any benefit of such a process.

Proposal 8

LEAs can request licensees to provide SIM cards registration records pursuant to a warrant issued by a magistrate or without warrant in certain urgent or emergency situations.

In the interests of safeguarding the privacy of personal data, it should clearly be the norm that a magistrate’s warrant is needed before a licensee be required to disclose registration records. A requirement to produce such records should be confined to exceptional circumstances, and these circumstances (including the definition of “serious crimes”) need to be clearly specified in the legislation. This is not only to give clarity and certainty to licensees, but also to prevent enforcement being potentially undermined by procedural challenges.

With the same interests of safeguarding the privacy of personal data, and clarity, in mind:

  • “law enforcement agencies” need to be clearly defined: it is not clear from the CP who these are; and
  • the names and positions of personnel in these organisations who are permitted to authorise the compulsory disclosure of registration without a warrant in such circumstances should be published, for example in the guidelines to be issued by the CA.

Proposal 9

The existing sanctions such as those mentioned in paragraph 3.15 above (including financial penalties imposed by the CA on licensees) should be applied to all licensees in enforcing the real-name registration programme.

We have no comments on this Proposal.

HKGCC Secretariat
March 2021

 


[1] CP paras 2.2- 2.7.

[2] CP paras 2.3 and 2.4.

[3] CP para 2.10.

[4] CP para 3.1.

[5] CP para 3.11.

[6] CP para 3.6.

[7] According to CP para 3.1.

[8] CP para 1.1.

[9] CP para 2.12.

[10] Approximately 7.4 million, according to OFCA statistics, September 2020.

[11] CP para 2.12.

[12] CP para 3.12.

[13] CP para 3.13.

Click here to download

Top