SFC's powers in seizing digital devices and accessing electronic records confirmed
This is the first decision in Hong Kong confirming the SFC's powers to seize and require production of (i) digital devices and (ii) passwords to digital devices and email accounts.
In Cheung Ka Ho Cyril and others v Securities and Futures Commission (HCAL 2132-4, 2136-7/2018, 14 February 2020, unreported), the Applicants applied for judicial review of (a) the SFC's decisions to seize and retain certain digital devices; (b) the SFC's demands for production (including passwords to digital devices and email accounts) and (c) the validity of the search warrants for want of specificity.
Background
This case arose from two separate investigations involving the execution of search warrants issued by magistrates on multiple premises, in which the SFC seized a number of digital devices (including mobile phones, tablets and/or computers). Where no password was required to access such devices, the SFC conducted keyword searches to check for relevant materials. Where the Applicants unlocked the digital devices voluntarily on site, the SFC looked for relevant materials by using keyword searches or by scrolling through the contents to look for relevant materials.
Based on these searches, the SFC was able to identify materials contained in emails, contact lists and messaging applications that were relevant, or believed to be relevant, to the SFC’s investigations. The SFC requested the Applicants to provide print-outs of the relevant materials or login names/passwords to the email accounts or digital devices to enable the SFC to access the same, to which they declined. In the circumstances, the SFC decided to seize the devices, retained them, and issued notices under s183(1) of the Securities and Futures Ordinance (SFO) demanding a wide range of information from the Applicants, including the login names and/or passwords to various email accounts or digital devices.
SFC's decisions to seize and retain the digital devices
The Applicants argued that the digital devices in question were not “records” or “documents” subject to production under the SFO, thus the seizures were not authorised by the search warrants (which required the SFC to have “reasonable cause to believe” that the seized material “may be required to be produced pursuant to" the SFO). They also argued that the seizure disproportionately interfered with their right to privacy.
The Court disagreed. It held that: (a) having regard to the manner in which data and information are created, transmitted and stored by digital devices nowadays and the need for the SFC to be able to effectively discharge its investigative functions, the words “document” and “record” in the SFO should be construed to include digital devices, and the SFC was properly empowered to seize them under the search warrants; (b) the SFC had reasonable cause to believe that the digital devices contained, or were likely to contain, information relevant to the investigations; and (c) the interference with the Applicants' right to privacy (which is not absolute in any event) occasioned by the SFC's seizures of the digital devices satisfied the 4-step proportionality test established in Hysan Development Co Ltd v Town Planning Board (2016) 19 HKCFAR 372 (namely, (i) “legitimate aim”, (ii) “rational connection”, (iii) “no more than reasonably necessary”, and (iv) “fair balance”); and (d) the SFC's retention of the seized devices was justified as the investigations were ongoing.
SFC's demands for production of information
The Applicant's main arguments were that: (a) the s183(1) SFO production notices were ultra vires or beyond the powers of the provisions of the SFO because they required the Applicants to produce vast amounts of materials which were irrelevant to the SFC’s investigations; and (b) to construe s183(1)(a) SFO as permitting the SFC to require the production of large amounts of irrelevant materials for the purpose of sifting would give rise to a disproportionate interference with the right to privacy.
The Court held that the SFC is empowered, under s183(1) SFO, to require the Applicants to provide means of access to email accounts and digital devices which contain, or are likely to contain, information relevant to its investigations, even though the email accounts and digital devices would likely also contain other personal or private materials which are not relevant to the SFC’s investigations. The Court noted that the SFC had offered safeguards to protect the privacy of the Applicants which it considered to represent a practical and reasonable compromise (e.g. using keyword searches to identify relevant materials contained in or accessible through the digital devices, or viewing the contents together with the Applicants, so as to minimise the chance of their personal or other information which is irrelevant to the SFC’s investigations being viewed by its officers). The "violation of privacy" argument was also rejected for the same reasons as explained above.
Want of specificity in search warrants
The Applicants argued that the warrants failed to specify the scope of the search, seizure and removal authorised, or limit the records or documents authorised to be seized by reference to specific offences or misconduct to which such records or documents must relate.
The Court rejected such argument. It confirmed that, based on previous Court of Appeal decisions, the specificity required in a search warrant must be determined by reference to the terms of the empowering statute. It examined the contents of the search warrants in question, and held that they satisfied the requirements under s191(1) SFO, being the empowering statute in this case, and contained sufficient particulars.
Implications
This decision is significant. It leaves no question as to the SFC's ability to demand passwords to digital devices or email accounts accessible from the devices, when it has a reasonable cause to believe that the devices or emails in those accounts contain, or likely contain, information relevant to an investigation. The fact that one has the right to privacy (with regards to the other personal information on such devices which is irrelevant to the investigation) is no defence.
It also raises a further question: in a future dawn raid, can the SFC, armed with a s183(1) notice, demand individuals to log in to proprietary systems for their review on site? If so, it effectively removes the physical restrictions tied to a search warrant. Firms may want to re-assess how much connectivity to their proprietary online systems and database they have granted to staff via portable digital devices, and ensure that such connectivity is indeed necessary.