Reform of the Personal Data (Privacy) Ordinance - has the right balance been struck?
The Personal Data (Privacy) Ordinance (PDPO) was enacted in 1995 to protect privacy rights of individuals. However, it is only in the past two years that privacy and data protection issues have been in the public eye. The Privacy Commissioner (PCO) has been increasingly active, following what he has recently described as "a series of privacy catastrophes". Please see our Client Alert dated 3 November 2010 for comments on the Octopus and Wing Lung cases.
Media attention and public concerns have provided further impetus to the current efforts to reform the PDPO. After several public consultations, the Hong Kong Government introduced proposed amendments to the PDPO to Hong Kong lawmakers, by way of the Personal Data (Privacy) (Amendment) Bill (Bill), in July 2011. These amendments address a number of topical issues: direct marketing, the unauthorised sale or disclosure of personal data, repeat offenders and service providers who process personal data. However, the Bill does not include, as the PCO had hoped for, powers for the PCO to award compensation to aggrieved data subjects or impose fines for serious breaches of the data protection principles in the PDPO. It remains to be seen if lawmakers will take up these issues, or other issues which were initially discussed during the consultation process but dropped in the Bill.
Data subjects (individuals who provide personal data to others) will welcome the measures proposed by the Bill. However, data users (anyone who collects or uses personal data) will face more constraints in the ways in which they collect or use data and will be liable to more serious sanctions. The question remains whether the right balance has been found, or whether there will be further changes during the course of the legislative process.
What are the material changes?
1. Tighter controls over the collection and use of personal data in direct marketing
Data subjects must be informed before their personal data is used for direct marketing and given an opportunity to object. A data user who ignores objections will be subject to a fine of HK$500,000 and 3 years imprisonment.
2. Stiff penalties for questionable uses of personal data
The Bill addresses two suspect practices: (a) the sale of personal data without prior notice or in breach of an objection to the sale, and (b) disclosure of personal data for profit or malicious purposes without consent. The penalties are the same in both cases: a fine of HK$1,000,000 and 5 years imprisonment.
3. Expect more challenges from aggrieved data subjects
The Bill will empower the PCO to provide legal assistance to aggrieved data subjects in specified circumstances.
4. Heavier penalties for repeat offenders
Repeat offenders will be liable to increased fines and imprisonment.
5. Supervision of data processing
Data users who use third party service providers for data processing (data processors) will be required to ensure these data processors comply with the PDPO.
We look at these changes in more detail below.
Direct Marketing
There is already a provision dealing with direct marketing - section 34 of the PDPO. After the Octopus incident, it became clear the provision did not adequately deter questionable practices. In October 2010, the PCO issued a Guidance Note on the Collection and Use of Personal Data in Direct Marketing; the Bill now follows through with specific requirements for the use of personal data for direct marketing purposes.
Before personal data can be used or provided (otherwise than by sale) for direct marketing, the data subject must be informed about the following:
- the kinds of personal data that will be used or provided;
- the classes of persons to which the data will be provided; and
- the classes of goods or services that will be marketed.
In addition, an "opt-out" mechanism for the data subject must be provided. If the data subject objects, the data user will stop its use or provision of personal data.
Penalties for contravention will be a fine of HK$500,000 and imprisonment for 3 years.
Sale or Disclosure of Personal Data
These new provisions impose specific requirements on data users who sell personal data and will heavily penalise the unauthorised sale or disclosure of personal data.
Firstly, before a sale (defined as the provision of personal data for gain in money or other property) can occur, the same protective measures as for direct marketing must be implemented. That is, the data subject must be informed about:
- the kinds of personal data that will be sold;
- the classes of persons to which the data will be sold; and
- where the data is used in direct marketing, the classes of goods or services that will be marketed.
Similarly, an "opt-out" mechanism for the data subject must be provided.
Secondly, where a person obtains personal data without consent and subsequently discloses it for gain or malicious purposes (described as disclosure "with an intent to cause loss to the data subject" or "causing psychological harm to the data subject"), this will be an offence.
The penalty for each of these offences is a fine of HK$1,000,000 and imprisonment for 5 years.
More challenges and complaints
The PDPO currently enables an aggrieved data subject who suffers damage due to a contravention of the PDPO to seek compensation. Under the Bill, the PCO will be able to provide legal assistance to the data subject. Accordingly, where a case raises a question of legal principle or is difficult for the applicant to deal with unaided (for example, if there are complex legal issues), the PCO can assist by providing legal advice or arranging for one of his in-house lawyers or external counsel to act for the applicant in legal proceedings.
We make three observations here. The first is the introduction of another provision in the Bill - a usual provision for regulatory authorities - providing the PCO and his officers with immunity from legal liability where they have acted in good faith. The second, more important, observation is that the PCO's effective partnering with other regulators (notably the financial regulators, such as the Hong Kong Monetary Authority, which issued 3 circulars in the 3 months after the PCO's report on the Octopus incident) has brought about quick changes to banks' practices in the use of their customers' personal data. Finally, the very recent prosecution and successful conviction of OnCard Limited for a breach of section 34 on 25 July demonstrates the PCO's willingness to pursue criminal sanctions.
In conclusion, expect more challenges, complaints and regulatory inquiries (and not necessarily from the PCO) if you are a data user.
Supervision of Data Processors and Sub-Contractors
Presently, a data processor is not treated as a data user if he only holds, processes or uses personal data solely on behalf of another person, and not for his own purpose. Accordingly, he is not required to comply with the requirements of the PDPO. The Bill will require the data user to use contractual or other means to ensure that its data processors and sub-contractors, whether within Hong Kong or offshore, comply with the requirements under the PDPO.
Repeat Offenders
A new offence will be introduced for data users who, having complied with the directions in an enforcement notice, subsequently and intentionally do the same act or engage in the same practice. The penalty will be the same as for breaching an enforcement notice, i.e. liability to a HK$50,000 fine and 2 years imprisonment.
A new provision will impose a heavier penalty for repeated non-compliance with an enforcement notice. The increased penalty will be a fine of HK$100,000, with the same period of imprisonment (that is, 2 years), and, in the case of a continuing offence, a daily fine of HK$2,000.
What action should you take?
Realise that data privacy is a hot topic: make it a priority
- Have internal procedures that clearly set out your policies about the collection and use of personal data;
- Monitor compliance with such internal policies;
- Make senior management and staff who handle personal data aware of the issues and your internal policies;
- Have a plan to deal with potential data breaches - including how you will handle the PCO, your other regulators, your clients and the media.
Direct marketing: assess the extent to which your business depends on it
- If these activities are integral to your business, start thinking about how you will handle the new requirements;
- Change drafting style: do not use technical language, complicated formatting or small font. The Bill, and the PCO, expects you to present information to data subjects in a manner that is easily readable and understandable.
Review your arrangements with your service providers
- Know the types of personal data your service providers hold or process for your business, and the extent to which they do so;
- Know how your service providers handle personal data. Do they:
  - have capable people and adequate systems and controls;
  - segregate your customers' personal data from the data of other organisations for whom they provide services?
- Review your contracts with your service providers. Do they:
  - set out service levels;
  - allow you to terminate or take appropriate action for breach?
Navigate the regulatory minefield
- Refer to our November 2010 Alert for our 10 practical steps to strengthen your privacy terms.
- Read some of the topical PCO publications: Collection and Use of Customer's Personal Data by ICBC/Wing Hang Bank/Citibank/Fubon Bank, all issued June 2011; Guidance Note on the Collection and Use of Personal Data in Direct Marketing, issued October 2010; and Guidance on Data Breach Handling and the Giving of Breach Notifications, issued June 2010. These are available on the PCO's website. You should expect the PCO to be on the lookout for organisations that are ignorant of these issues.
- Bite the bullet. If your privacy terms or internal controls are inadequate for your business and operational needs, make the necessary changes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.