The Personal Data (Privacy) (Amendment) Ordinance ("Amendment") was passed by Hong Kong's Legislative Council just before the end of the year's legislative session and it will come into effect on 1 October this year. The changes are as predicted by our previous alerts[1]; and it is now time to consider what they mean for your organisation and prepare accordingly.
The major change, as expected and reflecting public sentiment, is the introduction of extensive provisions for the use of personal data in direct marketing. Most importantly, criminal liability will attach to breaches of the provisions relating to direct marketing and unauthorised sale or disclosure of personal data. Other significant changes include the introduction of new offences and the provision of enhanced powers to the Privacy Commissioner in a number of circumstances, including the provision of assistance to aggrieved data users: a powerful mix that we anticipate will result in more investigations and prosecutions of privacy breaches.
Section 34 of the Personal Data (Privacy) Ordinance (Cap 486) ("PDPO") was until now the only section dealing with direct marketing. As a result of some high profile privacy incidents, the Privacy Commissioner for Personal Data ("the Commissioner") issued a guidance note in relation to direct marketing practices[2] and the Amendment has codified obligations for data users in this area by introducing a new Part VIA to the PDPO which will regulate the use and sharing of data for direct marketing.
Use of data for direct marketing
Where data users intend to use personal data for the purpose of direct marketing they will be required to:
- inform data subjects that they intend to use the personal data and that they may not do so without consent;
- inform data subjects of the kinds of personal data that will be used;
- inform data subjects of the classes of marketing subjects (meaning the goods, facilities or services that may be marketed to the data subjects) in relation to which the data will be used; and
- provide a means, without charge, by which the data subject can communicate their consent to the data user.
Failure to provide this information to a data subject will be an offence.
When using a data subject's personal data in direct marketing for the first time, the data user must also notify the data subject that it is required to cease using the data if the data subject so requests.
These requirements apply irrespective of whether the personal data was collected from the data subject by the data user.
There is some reprieve for data users where they have previously explicitly informed the data subject of the intended use of the data, the data has been used for that purpose and the data subject has not objected to the use of the data in this manner. In that situation the new provisions will not apply to the continued use of the data.
However, data users are not automatically entitled to use the personal data once that notification of intended use for direct marketing has been provided. The new provisions make it an offence to use personal data, even where the above information has been provided, unless the data subject has consented. Whilst that seems like a particularly high threshold, it is important to note that for the purpose of the direct marketing provisions "consent" is defined to include an indication of no objection. Exactly what will suffice as an "indication of no objection" is not yet clear, although the Privacy Commissioner has indicated that he will issue guidance notes in relation to the new provisions and it is hoped that they will provide some further clarity.
Provision of data to third parties for direct marketing
Part VIA of the PDPO also includes a division regulating the provision of data to third parties, including where data is sold, for the purpose of direct marketing. The provisions are similar to those that govern the use of data (i.e. the requirement to inform data subjects of certain information and obtain their consent to such use) but also require data subjects to be informed of the class of persons their data will be provided to and whether it has been provided for gain. The Amendment imposes harsher penalties on data subjects that contravene these sections where the data has been sold.
Although the Amendment comes into effect on 1 October 2012, the provisions in relation to direct marketing will not come into operation until a day to be appointed by the Privacy Commissioner, which is likely to be early next year.
Disclosure of personal data for gain or to cause loss
Any disclosure of personal data, obtained without the data subject's consent, with an intent to -
- gain money or property, whether for the benefit of the person making the disclosure or a third party; or
- cause loss in money or other property to the data subject
is an offence[3] and subject to relatively higher penalties of a fine of HK$1,000,000 or imprisonment for 5 years.
New powers for the Commissioner
Ability to disclose information
The Amendment has also increased the powers of the Commissioner. One of the most significant changes is the introduction of additional exceptions to the secrecy provision in section 46 of the PDPO. As a result of the Amendment, the Commissioner will be allowed, under specified conditions, to disclose information obtained to anyone where it is considered necessary for the proper performance of his functions under the PDPO or to overseas authorities for the purposes of performing his functions, or to assist an overseas authority in the performance of its functions.
Clients should bear this in mind when they are providing information to the Commissioner and as always ensure that they claim legal professional privilege in respect of information where possible.[4]
Assistance to aggrieved persons
The Amendment also introduces a new provision which allows the Commissioner to assist individuals (referred to as aggrieved persons) to determine whether or not they should commence proceedings under section 66 of the PDPO. Section 66 entitles individuals to seek compensation from data users if they have suffered damage as a result of a breach of the PDPO. The Commissioner may also, upon an application from an individual, provide assistance in any proceedings commenced under section 66. The Commissioner can provide any assistance he considers reasonable, including providing advice and arranging for legal representation.
These provisions are among those that do not come into effect on 1 October 2012, but which the Commissioner has indicated are likely to come into effect in early 2013.
Good news, there are new exemptions
Some good news for data users is the introduction of additional exemptions from complying with the Data Privacy Principles ("DPP"), including:
- Self-incrimination – a data user will be exempt from complying with a data access request if compliance would expose them to incrimination in proceedings for an offence, other than an offence under the PDPO;
- Legal proceedings – an exemption for compliance with DPP3, which requires prescribed consent before data can be used, will be available where use of the data is required or authorised by a court order, in connection with proceedings or required in connection with the exercising of a legal right;
- An exemption for data transferred as part of a due diligence exercise.
On the other hand, there are new offences
There are over a dozen new offences introduced by the Amendment, the majority of which are punishable by both fines and imprisonment, including offences for:
- Supplying false information in a data access request or data correction request;
- Providing false information for the purpose of obtaining the Commissioner's consent to carrying out a matching procedure;
- Failing to comply with the new provisions in relation to direct marketing. There are a number of offences in these new provisions, which are all punishable by fines of between HK$500,000 and HK$1,000,000 and imprisonment for between three and five years;
- Disclosure of data without the consent of the data subject where the disclosure causes psychological harm (this offence also carries a higher penalty than most, including up to five years imprisonment);
- Failure to comply with enforcement notices, including provision for daily penalties whilst the non-compliance continues;
- Obstructing the Commissioner in the performance of his functions;
- Failing to comply with the requirement to return or destroy data following the completion of a due diligence process; and
- a new 'catch-all' offence for contravening any requirements under the PDPO without reasonable excuse.
Certain provisions which introduce these new offences also carry a defence on the basis that the data user took all reasonable precautions and exercised all due diligence to avoid committing the offence. Of course, the onus rests on the data user to show that such precautions were taken. It remains to be seen how that defence will work in practice.
What you need to do
Most of the changes will come into effect on 1 October 2012 and before that date you need to carefully consider the changes to the PDPO and what steps will be necessary to ensure that your organisation will be able to comply with them. Some areas to consider are:
- amending policies in relation to marketing activities to ensure they will be in compliance with the new provisions when they come into effect; and
- reviewing arrangements with third party data processors.
We regularly advise clients in relation to their obligations under the PDPO and represent them in investigations and inquiries.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.