The data privacy law in Hong Kong underwent a microscopic review as a result of the Octopus card case involving the unauthorized sale of customers’ personal data and greater awareness of individuals’ privacy rights amid today’s rapidly changing technology. The widely consulted Personal Data (Privacy) (Amendment) Ordinance (“PDPAO”) was passed in June this year and the majority of the provisions under the amendment came into effect on 1 October 2012. Amendments relating to the use and provision of personal data for direct marketing and the provision of legal assistance, which are the core changes, will only come into effect in around mid-2013 to allow more time for transitional arrangements.
Personal Data (Privacy) Ordinance (“PDPO”)
Before the amendment, the PDPO provided, inter alia, that personal data shall not be used for any purpose other than the original data collection purpose or a directly related purpose, unless consent of the data subject is obtained. In respect of direct marketing, the data user must inform the data subject of his opt-out right the first time the data is used and shall cease to use the data if the data subject decides to opt out.
In terms of enforcement, non-compliance with a provision under the PDPO will entitle the Commissioner to carry out an investigation and to issue an enforcement notice. It is an offence only if the data user fails to comply with the enforcement notice served on him.
After the amendment, more stringent regulations are in place for the use of personal data in direct marketing. The changes are contained in Part VIA and are summarized as follows :-
(a) Use of personal data in direct marketing
The data user must take each of the following specified actions before using personal data in direct marketing :-
(i) inform the data subject of his intention to use the personal data and that he may not use the data unless consented to by the data subject;
(ii) provide the data subject with specific information in respect of the kinds of personal data to be used and the classes of marketing subjects in relation to which the data will be used; and
(iii) provide the data subject with a channel through which the data subject may, without charge, communicate his or her consent to the intended use.
The information provided must be presented in a manner that is easily understandable and, if in written form, easily readable.
More importantly, where a data subject’s consent has been obtained orally, the data user must send a written confirmation to the data subject within 14 days confirming :- (i) the date of receipt of the consent; (ii) the permitted kind of personal data; and (iii) the permitted class of marketing subjects. This additional requirement under the PDPAO requires that the person giving oral consent be notified in writing to avoid any misunderstanding.
The new requirements set out above under the PDPAO will not, in general, apply to personal data properly collected and used in direct marketing before the commencement date of PDPAO.
Failure to undertake the requisite actions to use personal data in direct marketing under the new amendments is a criminal offence and the offender may be liable on conviction to a fine of HK$500,000 and to imprisonment for 3 years.
(b) Provision of personal data by data user to another for direct marketing
The PDPAO has included separate provisions to cover the circumstances where personal data is transferred or sold to other service providers for use in direct marketing.
As above, all specified actions listed under “Use of personal data in direct marketing” must be complied with by the data subject and be in written form. The PDPAO also requires additional notification to be made to the data subject including :-
(i) if the data is to be provided for gain, that fact must be explicitly stated; and
(ii) the classes of persons to which the data is to be provided.
A data user who provides personal data of a data subject to another person for use by that other person in direct marketing without taking each of the above actions commits an offence and is liable on conviction to a fine of HK$1,000,000 and to imprisonment for 5 years if the data is provided for gain; or to a fine of HK$500,000 and to imprisonment for 3 years if the data is provided not for gain.
Suggested implementation measures to be undertaken by a data user
While the above amendments are yet to come into effect, it will be beneficial for data users to review their existing practices and implementation strategies to comply with the new provisions. Some of the steps that can be taken are :-
(a) to check and keep a good record of the existing personal data collected from data subjects to ensure proper consents have been obtained for direct marketing;
(b) to keep a good database of personal data being transferred to third parties for use in direct marketing and ensure proper consents have been obtained;
(c) to ensure that there are proper channels through which the data subject may, without charge, communicate the data subject’s consent to the intended use;
(d) to review the existing personal information collection statement or agreements to ensure appropriate amendments are made to comply with the PDPAO; and
(e) to educate staff regularly and set out clear guidelines to ensure compliance with the new requirements.
If you have any queries regarding the above enews or any other questions relating to privacy or intellectual property laws, experienced lawyers in our Intellectual Property Practice will be happy to assist you.