June 13, 2012
Previously published on June 11, 2012
The Personal Data (Privacy) (Amendment) Bill 2011 (the "Amendment Bill"), which was published in July 2011, is generally expected to be passed by the Legislative Council before its term ends in July this year.
In response to the direct and cross-marketing activities that have led to high-profile investigations by the Office of the Privacy Commissioner for Personal Data (the "PCO") and subsequently provoked a public outcry, the Amendment Bill was introduced with the primary aim of regulating the use and sale of personal data in marketing.
The key impact of the Amendment Bill would be to lay down a set of procedures to be followed by data users in connection with the use and sale of personal data in direct marketing and cross-marketing activities. The Amendment Bill makes non-compliance with the prescribed procedures a criminal offence, which can result in hefty fines and jail terms.
The Current Position
a. Direct Marketing
Currently, the Personal Data (Privacy) Ordinance (the "PDPO") requires a data user, on the first occasion that it uses an individual's personal data for direct marketing, to inform the individual that he/she may, without charge, request the data user to cease to use his/her personal data. If the individual makes such a request, the data user should cease to use the data concerned. This is generally referred to as the "opt-out" arrangement.
b. Sale of Personal Data
The sale of personal data per se is not at present prohibited by the PDPO. One could probably seek to attack a sale conducted without the prescribed consent of the data subject by arguing that it does not fall within the original purpose (or a directly related purpose) of collection and therefore gives rise to a breach of Data Protection Principle
a. Direct Marketing
With the implementation of the Amendment Bill, the existing "opt-out" arrangement will be replaced by a regime with more stringent requirements. Specifically, the data users will be required to inform the data subjects in writing of:
i. the kinds of personal data to be used or provided,
ii. the classes of marketing subjects in relation to which the data is to be used, and
iii. the classes of persons to which the data is to be provided.
The data users will also be required to provide the data subject with a response facility through which the data subject may, without charge from the data user, indicate in writing whether he/she objects to the intended use. It is worth noting that the data users will remain generally free to use personal data for direct marketing purposes if they do not receive a reply from the data subjects within 30 days.
That said, data subjects must also be informed of their right to opt out on first use of their personal data for direct marketing purposes, and they may opt out at any time thereafter.
Any contravention of the new direct marketing provisions will be an offence punishable by fines of up to HK$500,000 and imprisonment for up to three years.
b. Sale of Personal Data
The sale of personal data will now be specifically dealt with under the new law. This is targeted at arrangements of the kind that was criticised by the PCO in the Octopus Rewards case.
Data users who intend to sell personal data will be subject to disclosure requirements similar to the ones outlined above in respect of direct marketing activities. Data subjects will also have a similar right to opt out.
Failure to comply with the new provisions will subject the data users to a fine of up to HK$1 million and imprisonment for up to 5 years.
c. Disclosure of personal data with an intent to gain, or to cause loss
The Amendment Bill will create a new offence prohibiting data users from disclosing personal data, in the absence of the data subject's consent, with the intention to gain or to cause loss or psychological harm to the data subject. The maximum penalty that an offender will be subject to is a fine of HK$1 million and imprisonment for 5 years.
The Amendment Bill has a provision on grandfathering which provides, subject to certain conditions, that the new disclosure requirements outlined in (a) above will not apply to the continued use by data users of personal data that has been used in direct marketing prior to the commencement of the Amendment Bill.
Data users should however embrace this relief with caution.
To ensure compliance with the new law, it would be advisable for Hong Kong businesses to:
review existing personal information collection statements to set out clearly the intended purposes of collection and use, and the classes of persons to whom personal data may be transferred.
review and, if necessary, rectify any existing practices in conducting marketing activities.
review or develop internal guidelines and procedures for direct marketing and cross-marketing activities, and provide training to employees responsible for handling collected personal data.
review arrangements with third party data processors.