On February 14, in To Man Choy Jacky v. Securities and Futures Commission, the Hong Kong Court of First Instance (Court) rejected a set of legal and constitutional challenges to the authority of the Hong Kong Securities and Futures Commission (SFC) to obtain and execute search warrants, to seize various digital devices pursuant to those warrants, and to require individuals to provide to the SFC the passwords to their email accounts or digital devices.
This case consolidated five separate applications for judicial review. It stemmed from two ongoing SFC investigations concerning (1) a Hong Kong Exchange-listed company, Aeso Holdings Ltd (“Aeso”) and its 2017 listing and (2i) bond placements by two other Hong Kong Exchange-listed companies, Skyfame Realty (Holdings) Ltd (“Skyfame”) and China Agri-Products Exchange Ltd (“China Agri”).
The Court itself deemed the background facts of the investigations to be “of some considerable complexity.” In brief, the Aeso investigation involved a sustained dispute between two groups of Aeso shareholders and allegations of fraud and market manipulation. The China Agri investigation stemmed from an SFC inspection of a firm that had placed private bonds for Skyfame, which led to concerns that the placing scheme and the related bond program might constitute securities fraud under the Hong Kong Securities Fraud Ordinance (Ordinance).
Because the Aeso Investigation and the Skyfame/China Agri Investigation involved common parties, the SFC conducted a joint operation based on warrants that magistrates issued in each investigation. In the course of the joint operation, SFC representatives –
- Found digital devices (including mobile phones, tablets and/or computers) belonging to applicants in the CFI case (Applicants);
- Conducted keyword searches to check for relevant materials when no password was required to access certain devices, and when Applicants voluntarily unlocked the digital devices, “looked for relevant materials by using keyword searches or by scrolling through the contents to look for relevant materials”;
- Based on the above-mentioned searches, were able “to identify materials contained in emails, contact lists and messaging applications that were relevant, or believed to be relevant, to the SFC’s investigations”;
- Requested the Applicants to provide printouts of the relevant materials or login names/passwords to the email accounts or digital devices to enable the SFC to access the same, but Applicants either declined to do so outright “(in some instances by asserting legal professional privilege), or used various excuses not to provide the same;”
- In one case in which an Applicant asserted legal professional privilege, “suggested that the relevant emails and attachments thereto could be printed out and kept under seal for the time being pending the resolution of the legal professional privilege claim,” but the Applicant rejected the claim;
- Decided “to seize various digital devices belonging to the Applicants”; and
- Issued notices under the Ordinance that required the Applicants “to provide the login names and/or passwords to various email accounts or digital devices.”
In its decision, the Court rejected the Applicants’ arguments that the decisions to seize and retain the Applicants’ digital devices and to issue the notices requiring provision of the login names and/or passwords were ultra vires, unlawful or unconstitutional. With regard to seizure of such devices, the Court held that the SFC was “clearly and amply empower[ed]” to do so:
In order that the SFC can effectively discharge its investigative functions in relating to dealings or transactions in the securities and futures markets, it is obviously essential that the SFC has the power to seize and retain digital devices containing evidence of, or relating to, the relevant dealings or transactions.
With regard to retention of the devices, the Court held “that there can be no valid complaint about the continued retention of the digital devices if the decisions to seize them were lawful in the first place,” which the Court had previously found to be the case.
With regard to the notices, the Court took note of
the practical reality that information, documents and records are nowadays mostly kept in digital or electronic forms and stored in (inter alia) email accounts and digital devices which (i) would almost inevitably contain large amounts of personal or private, but irrelevant, materials, and (ii) are often also protected by specific login names/IDs and passwords.
It found that the Ordinance empowered the SFC “to require the Applicants to provide means of access to email accounts and digital devices which contain, or are likely to contain, information relevant to its investigations even though the email accounts and digital devices would likely also contain other personal or private materials which are not relevant to the SFC’s investigations.” It also characterized the safeguards that the SFC offered to protect the Applicants’ privacy as “a practical and reasonable compromise of the conflicting interests of the SFC and the Applicants.”
With regard to the warrants themselves, the Court held that they satisfied the five requirements for such warrants under the Ordinance:
- “the magistrate’s satisfaction on information laid on oath by an employee of the SFC of the relevant matter was stated”;
- “(2) the persons authorized to execute the warrant (namely, each and all employees of the SFC, amongst others) were specified”;
- “(3) the premises authorized to be entered and searched were identified”;
- “(4) the authorization given to the specified persons to search for, seize and remove any record or document which such persons had reasonable cause to believe might be required to be produced under Part VIII of the [Ordinance] was stated”; and
- “(5) the validity period of the warrant was given.”
It also found that nothing in section 191(1) of the Ordinance “require[s] a warrant issued under that section to state the relevant offence or misconduct in respect of which the warrant was applied for and granted,” and that even if such a requirement could be found, the warrants in the present case specified the grounds on which records and documents might be required to be produced under the Ordinance.
Note: This decision is a significant victory for the SFC in several respects. The Court not only generally affirmed the general constitutionality and legality of the SFC’s investigative powers, but approved the SFC’s broad construction of the Ordinance’s language in the exercise of those powers. In addition, the Court’s endorsement of the SFC’s authority to require provision of login names and passwords will undoubtedly encourage the SFC to do so in other investigations in which digital devices may contain relevant information.