Introduction

The revelation of the sale of customers' personal data by Octopus Holding Ltd, the leading electronic payment company in Hong Kong, to third party business partners for direct marketing purposes has sparked widespread public concerns over major privacy breaches by personal data collectors here. The concerns have spilled over to financial institutions and banks as they also receive and process voluminous amount of personal data from their customers by reason of their unique roles as lenders, deposit-takers and providers of various financial products and services.

The recent decision of the Administrative Appeal Board (the "Board") in Wing Lung Bank Limited v Privacy Commissioner for Personal Data may provide some useful insights on how banks should handle the personal data of their customers.

Wing Lung Bank Limited v Privacy Commissioner for Personal Data

In the case, Wing Lung Bank Limited (the "Bank") and a third party insurance company (the "Insurance Company") entered into 2 marketing agreements. Pursuant to these agreements, certain personal data of the Bank's credit card customers were provided to the Insurance Company and the Insurance Company then promoted its insurance products to the Bank's customers over the telephone.

The complainant in the case, being one of the Bank's individual customers successfully applied for a credit card issued by the Bank. In November 2007, she was approached by a staff of the Insurance Company through the telephone and purchased one of their insurance products believing it to be one of the Bank's. The complainant later lodged a complaint to the Privacy Commissioner for Personal Data ("PCPD") against the Bank for transferring her personal data to the Insurance Company. The PCPD subsequently issued an enforcement notice to the Bank.

The Bank appealed to the Board and its application was rejected for the following reasons :-

The Credit Card Application Form (the "Application Form")

The Bank's Application Form contained, inter alia, the following provisions :-

"4. The purposes for which data relating to a customer may be used are as follows :-

...

(viii) marketing services or products of the Group and/or selected companies ...;

5. Data held by the Group relating to a customer will be kept confidential but the Group may provide such information to the following parties for the purposes set out in paragraph 4 :-

...

(vii) any insurance company or agent, broker, merchant or other business partners of the Group ..."

The Bank argued that paragraph 5(vii) above could mean companies outside the group of the Bank. Having read the terms and conditions in the Application Form and other related documents given to the complainant by the Bank, the complainant should reasonably expect that her personal data would be transferred to third parties.

The Board rejected the Bank's argument by first stating that the small print of the provisions in the Application Form, including paragraphs 4 and 5 above, had the effect of discouraging customers from reading its contents. In addition, one cannot expect individual customers to go from one clause (paragraph 5) to another (paragraph 4) in such a small print document to find for themselves the manner in which their personal data would be dealt with. If the Bank had the intention of providing the personal data to a third party, it must clearly state such intention in a legible manner and obtain the express consent from its customers.

The Board further opined that "any insurance company" in paragraph 5(vii) above only referred to insurance company within the Bank's group instead of including insurance companies outside the group as contended by the Bank. The Board thus adopted a restrictive interpretation on the terms of the Application Form in order to provide greater privacy protection to customers.

The Credit Cardholder Agreement (the "Agreement")

The Bank also relied on clause 11(c) of its Agreement, which stated that any details of the cardholder may from time to time be used for direct sales and/or promoting products of the Bank, the Bank's affiliates and/or third parties carefully selected by the Bank.

The Board referred to PCPD's guidance on cross-marketing activities as amended in 2009 which recommended that if at the time a company collected the personal data it had no particular cross-marketing activities in mind but subsequently decided to do so, then prior to the transfer of such personal data to another company it must ensure that the use of the personal data is within the original purpose of collection of the data. The data collector should also consider informing the relevant customers of its intention and reason of doing so. Having reviewed the marketing agreements between the Bank and the Insurance Company, the Board considered that the transfer of the complainant's data to the Insurance Company did not fall within the original purposes for which such data was first collected, namely, for the application of a credit card issued by the Bank .

The Board further formed the view that the Bank has not notified the complainant in relation to its transfer of the complainant's data to the Insurance Company. The receipt of the Application Form and the Agreement by the complainant did not amount to her consent to the transfer or sale of her data by the Bank to the Insurance Company.

Conclusion

The Hong Kong Monetary Authority ("HKMA") has also issued a circular on the transfer of customer data for use in marketing on 12 August 2010. The circular is consistent with the opinion of the Board in the above case, e.g. the requirement of express consent from customers before transfer or sale of personal data and the relevant contractual provisions be in a reasonably readable size.

The HKMA's circular and the adoption of the restrictive approach in interpreting data privacy related contractual terms will give greater protection to customers on banks' handling of customers' data. At the same time, banks are also encouraged to review their current practices to ensure compliance with the guidelines issued by the HKMA.

Lawyers in our Banking Department will be happy to provide you with a copy of the above decision and the circular or assist you with any queries you may have on any banking matters.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.