Hong Kong's main data protection law (the Personal Data (Privacy) Ordinance) has been amended to introduce important new requirements for companies who collect personal information in Hong Kong. The changes:
- impose new restrictions on the use and disclosure of personal information for direct marketing purposes;
- clarify the obligations on entities who use outsourced data processors;
- clarify how personal information may be disclosed and used during due diligence in M&A transactions; and
- strengthen the powers of the Privacy Commissioner to investigate data breaches, take enforcement action and impose penalties.
The new requirements introduced to the Ordinance are discussed in further detail below.
Use of personal data for direct marketing
A company may not use personal information of an individual for direct marketing purposes unless that individual has given his or her informed consent. This approach is a significant change from the 'opt-out' position under the previous law. However, there are exemptions for:
- companies in respect of data collected prior to commencement of these new provisions; and
- direct marketing companies who use personal information at the direction of a third party who has notified them that all required consents have been obtained.
When using an individual's personal information for direct marketing for the first time, a company must expressly tell the individual that he or she may revoke their consent at any time. The company must cease using the individual's personal data for direct marketing on request by that individual. These requirements reflect the existing 'opt-out' regime in the Ordinance.
A breach of any of these new requirements will constitute an offence attracting fines of up to HK$500,000 and up to three years' imprisonment, which is significantly harsher than previous penalties under the Ordinance.
Disclosure/sale of personal data to third parties for direct marketing
A company may not provide a third party (for consideration or otherwise) with personal information of an individual for the purposes of direct marketing unless that individual has given his or her informed consent, which may be revoked at any time.
Breach of these provisions can result in fines of up to HK$1,000,000 and up to five years' imprisonment, if the disclosure of data was for consideration, or up to HK$500,000 and up to three years' imprisonment, in other cases. Again, this is a significant increase to the previous penalty provisions in the Ordinance.
Obligations relating to data processors
The new Ordinance does not place new obligations on data processors, however it does require companies that outsource data processing to adopt means (contractual or otherwise) to:
- prevent the data processor from keeping personal data for longer than is necessary; and
- prevent unauthorised or accidental access, processing, erasure, loss or use of personal data.
The new Ordinance clarifies that personal data may be disclosed to another entity for the purpose of due diligence on a company or assets, provided that:
- the disclosure is no more than necessary for the purpose of the due diligence;
- on completion of the proposed transaction to which the due diligence relates, the acquirer will continue to carry on the same or a similar business to the business for which the target company had collected and used the data; and
- it is not practicable to obtain consent from the individual for the disclosure.
Any entity who receives personal data through due diligence may only use that data for the due diligence. It must return the personal data at the end of the due diligence and delete any copies that it may have retained.
The new Ordinance also includes provisions that increase the Privacy Commissioner's investigative and enforcement powers and sets out a new scheme for individuals to seek legal assistance to pursue claims of data breach.
In addition to the penalties for breach of the new direct marketing provisions, the new rules impose penalties of up to HK$1,000,000 and five years' imprisonment if a person:
- for profit or to cause loss to an individual, discloses to a third party personal information about that individual that was obtained from a data user without consent (whether or not for the purpose of direct marketing); or
- discloses to a third party personal information about an individual that was obtained from a data user without consent where that disclosure causes psychological harm to the individual.
The amended Ordinance also imposes heightened penalties of up to HK$50,000 and two years' imprisonment for a first conviction, and up to HK$100,000 and two years' imprisonment, for subsequent convictions, if a data user contravenes a notice of the Privacy Commissioner directing it to remedy a breach of the Ordinance.
All companies which collect data from individuals in Hong Kong should ensure that their methods of data collection, use and disclosure are in line with the new Ordinance. In particular, companies wishing to use personal information to market their products or third party products to individuals must satisfy themselves that they have the required consents to undertake these activities. If not, criminal penalties may apply.
The amendments to the Ordinance will come into effect in phases. The majority of provisions came into effect on 1 October 2012. However, the new provisions about direct marketing will come into effect at a later date (expected to be early to mid 2013) to give businesses the opportunity to prepare for the impact of the changes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.