In the case of HKSAR vs Leung Jun Kit, an individual was convicted at the Eastern Magistrates’ Court for breach of the direct marketing provisions under Section 35J of the Personal Data (Privacy) Ordinance (“PDPO”) in December 2015. The conviction was upheld by the Court of First Instance on 2 June 2017. The judgment draws attention to the legal position of individuals as data users under the PDPO.
Background of the Case
The defendant obtained an individual’s name and mobile number (the “Complainant”) through the exchange of name cards at a social event. After a few months, the Complainant received a telephone call from an insurance agent who claimed to have obtained the Complainant’s mobile number from the defendant and offered financial planning services to the Complainant. The Complainant, however, expressed his disinterest and ended the telephone call. He later complained to the Office of the Privacy Commissioner for Personal Data.
The defendant was later charged and convicted of the offence of providing personal data to a third party for use in direct marketing contrary to Section 35J of the PDPO and was ordered to pay a fine of HK$5,000.
The insurance agent was charged with the offence of using personal data in direct marketing contrary to Section 35C of the PDPO. However, the insurance agent was not convicted as the Court could not rule out the possibility that she would have complied with the PDPO had the Complainant not ended the telephone call.
What the PDPO and Court of First Instance Say
Under the PDPO, ‘data user’ means a person who controls the collection, holding, processing or use of the data. The person is not restricted to a corporate entity and the defendant (an individual) is the data user in this case.
Further, Section 35 J of the PDPO provides that if a data user intends to provide an individual’s personal data to a third party for direct marketing, the data user must take the following actions :-
(a) inform the individual that the data user intends to provide the personal data to a third party for direct marketing purposes and he obtains the individual’s written consent to do so;
(b) provide the individual with the following written information including (i) if the personal data is to be provided for gain, e.g. monetary gain; (ii) the kinds of personal data that are to be provided to the third party e.g. name, telephone number, email address etc.; (iii) the third parties to whom the personal data is to be provided to; (iv) the kinds of goods and / or services that the third parties intend to market; and
(c) inform him of the response channel through which the individual may, without charge, communicate the consent in writing.
The Court of First Instance held that it is irrelevant if the insurance agent in fact used the personal data (and, if used, how the personal data was used) for direct marketing purposes. However, it is relevant that the defendant intentionally provided the personal data to the insurance agent for use in direct marketing without first taking the specified steps (as summarised in (a) to (c) above) and without the individual’s prior consent.
Penalty for Breach of PDPO
An offence contrary to Section 35J of the PDPO, if found to be liable, is a fine of up to HK$1,000,000 and an imprisonment of up to 5 years.
The judgment of the conviction of the defendant and the acquittal of the insurance agent suggests that, an individual becomes a data user as defined in the PDPO even when the personal data is obtained through an informal or social event or online social platform. The specified actions stated in the PDPO must be complied with or, at least, have to be complied with before the data user can provide the data to a third party and / or use the personal data for direct marketing purposes. No consent of the data subject can be implied under Section 35J of the PDPO and the consent must be written.
This is the first time where an individual is convicted for an offence contrary to the PDPO. It is important to note that not only corporations who collect personal data as part of the ordinary course of business are at risk in breaching the PDPO but also small-medium enterprises, start-ups and even individuals. A single incident could cause the Privacy Commissioner of Hong Kong to conduct investigations and / or start prosecution.
When the public is now more aware of protecting their own personal data or privacy, it is important to have good practice policies and guidelines in place within your organisation to ensure compliance with the law on data privacy in Hong Kong.
Our Intellectual Property team has both in house and private practice experience advising and working alongside organisations of various scales on drafting privacy guidelines, best practice policies for data collection (online and offline), privacy statements, etc.
To find out more about how we can assist you and / or your company, please contact us.