13 July, 2012
The Personal Data (Privacy) Amendment Ordinance (the “Amendment Ordinance“) was passed on 27 June 2012. This ends a nearly three year process initially spurred by the need to bring the Personal Data (Privacy) Ordinance (the “Ordinance“) in line with technological and other advancements that occurred since the Ordinance was enacted in 1996. The process was accelerated by mounting public concern in relation to a number of high profile instances of misuse of personal data in Hong Kong, including the revelation of sale of personal data by the operator of widely used Octopus stored value cards in 2010.
The most significant changes relate to the use, transfer and sale of personal data for direct marketing and powers of the Privacy Commissioner for Personal Data (the “Commissioner”). A number of other changes relating to offences, penalties for breaches of the Ordinance and exemptions from various provisions of the Ordinance, have also been introduced. Some of the provisions of the
Amendment Ordinance will come into effect on 1 October 2012. A number will come into effect at a later date. These include provisions relating to use/transfer/sale of personal data for direct marketing purposes and the legal assistance scheme provided by the Commissioner, all of which are expected to be implemented in the first half of 2013. The rationale for the staggered implementation of the Amendment Ordinance is that adequate preparation time is needed in order to allow procedural changes, IT system enhancement, and the development of guidance notes and other educational materials that would assist companies to comply with the new law.
The Commissioner (and his predecessor) has been actively involved throughout all stages of the amendment process, by making numerous submissions during the consultation stage as well as lobbying the Bills Committee for further changes following the introduction of the draft bill. Although he has welcomed the amendments, the Commissioner remains concerned by the grandfathering arrangements applicable to the new direct marketing requirements and has indicated he will keep a close watch on developments.
We highlight below the major changes brought about by the Amendment Ordinance.
Use of personal data in direct marketing
New requirements
The most detailed changes introduced by the Amendment Ordinance relate to use of personal data for direct marketing. Stringent requirements are now imposed upon organisations which collect personal data (“data users“) to notify individuals from whom they collect such data (“data subjects“) of the intended use of their personal data, enabling data subjects to make an informed choice before supplying the data. These changes should come as no surprise as they follow to a large extent the provisions in the guidance note on direct marketing of 2010 which was issued in response to the Octopus débâcle. The difference is that the provisions are now part of the statute and non-compliance attracts increased penalties.
Before using personal data for direct marketing, data users are required to notify data subjects (orally or in writing) of their intention to use the personal data for such purposes. Personal data cannot be used for direct marketing without the data subjects’ consent. In addition, data users must also provide data subjects with:
- information relating to the type of data that may be used and the categories of goods/services that may be marketed; and
- a response facility whereby data subjects may indicate their consent to such use.
These requirements apply irrespective of whether the personal data was collected by the data user themselves or by a third party. Where personal data has been provided by a third party, data users will not have to comply with the above requirements, provided that the third party confirms in writing that they have complied.
The fact that data users can only use personal data for direct marketing with the consent of the data subject looks very much like an “opt-in” regime. However, “consent” is defined as including “an indication of no objection”. This tends to suggest that the requirement would be satisfied where the data subject does not exercise his/her right to opt-out (e.g. where an individual returns an application form without ticking an “opt-out” box). This is consistent with statements made previously by the Bills Committee favouring an “opt-out” approach. It is expected that the Commissioner will provide some guidance on how to comply with the consent requirement prior to these provisions coming into force.
Further requirements have been introduced in respect of oral consent. If consent is obtained orally, data users must write to data subjects within 14 days of receiving it to confirm: (i) the timing of the consent; (ii) the personal data that the consent relates to; and (iii) the classes of goods/services that may be marketed. Given these additional requirements in relation to oral consent, it may be more practical for
companies to obtain written consent from the outset. Written consent may also be useful evidence in the event of a dispute.
In addition to providing information to data subjects before using personal data for direct marketing (which as a matter of practice will often occur at the time of collection of such data), data users are also required to inform data subjects when using personal data for direct marketing for the first time, of the individual’s right to withdraw their consent in respect of such use. Data subjects therefore, may revoke their consent at any time and if a data user fails to comply with such a request they will be guilty of an offence.
Penalties
Failure to comply with any of the above requirements constitutes an offence under the Amendment Ordinance,attracting a maximum fine of HK$ 500,000 and 3 years’ imprisonment. This represents a significant increase from the maximum fine of HK$ 10,000 applicable under the direct marketing provisions of the Ordinance.
Grandfathering arrangement
Data users do not have to comply with the new direct marketing requirements if they use personal data collected prior to the commencement date of the direct marketing provisions (which date is yet to be confirmed) provided that: (i) they continue to use the data for their own purposes and to market the same classes of goods or services for which the data was collected; (ii) the data subject has not objected to
such use; and (iii) the requirements of the Ordinance have not been contravened.
The grandfathering arrangements will also apply where existing data is updated but it is likely that “updates” will be interpreted as being confined to the simple updating of preexisting data (e.g. updating existing contact information), and will not cover substantial updates (e.g. the acquisition of new data obtained through future dealings with the data subject).
As mentioned earlier, the Commissioner expressed concern that some companies may take advantage of the grandfathering arrangement by conducting large scale collection of data and direct marketing campaigns prior to the commencement of the direct marketing provisions. To prevent this, the Commissioner had recommended specifying a cut-off date as soon as possible after the passing of the Amendment Ordinance, after which time personal data collected would not be captured by the grandfathering arrangement. As this recommendation has not found its way into the Amendment
Ordinance, the Commissioner has indicated he will keep an eye on developments and has urged direct marketers not to abuse the grandfathering arrangement. This is most likely ‘code’ for monitoring of companies by the Commissioner and
further pressure for change.
Transfer/sale of personal data for use in direct marketing
New requirements
Significant changes have been introduced in relation to the provision of personal data for direct marketing (whether for financial or other gain or otherwise) in clear response to the furore caused by the discovery of large-scale sale of personal data by Octopus Rewards Limited over a number of years. These changes mirror those relating to use of personal data for direct marketing (outlined above), but there are a number of important differences.
Before providing personal data to third parties for use in direct marketing, data users are required to notify data subjects in writing of their intention to sell/transfer the personal data and that they cannot do so without the data subjects’ written consent. Data subjects must be provided with the same information required to be provided for use of their personal data for direct marketing (outlined above), as well as a description of the classes of transferees. Where the transfer is to be made in return for money or other property, the notification must contain a statement that the transfer is to be made for gain. A response facility must also be provided, enabling data subjects to indicate their consent to the proposed transfer/sale of their personal data. Unlike the provisions relating to use of personal data for direct marketing, the notification and the response facility must be in writing.
Data users cannot transfer/sell personal data to third parties without the written consent of data subjects (again, “consent” for this purpose is defined as including an indication of no objection). Unlike the provisions relating to use of personal data for direct marketing, oral consent will not be sufficient where personal data is to be transferred/sold. Consent may be revoked at any time, in which case the data user must cease transferring/selling the personal data for marketing purposes and may also be required to notify any transferees to cease use of such data.
There is no grandfathering arrangement for the transfer/sale of personal data for marketing purposes, and once the provisions are implemented, data users will have to comply with the new requirements in respect of all data (whether collected before or after the commencement date of these provisions). This means that data users will be required to notify existing customers and obtain their consent (including an indication of no objection), prior to transferring/selling personal data to third parties for direct marketing purposes.
Penalties
Failure to comply with the transfer/sale of data for direct marketing provisions constitutes an offence. Where personal data is provided for gain, the penalty can be as high as a HK$ 1,000,000 fine and 5 years’ imprisonment. A lesser penalty (i.e. maximum HK $ 500,000 fine and 3 years’ imprisonment) applies where the transfer is not for gain.
Disclosure of personal data obtained without consent
A new offence has been introduced where a person discloses personal data obtained from a data user without the data user’s consent for malicious purposes, namely: (i) with an intent for gain, or to cause loss to the data subject; or (ii) where the disclosure results in psychological harm to the data subject (maximum penalty: HK$ 1,000,000 fine and 5 years’ imprisonment). An example of where this provision may apply is where an employee sells personal data handled in the
course of his/her employment to a direct marketing company. The new provisions make the employee (rather than the employer) liable for the unauthorised disclosure of the personal data.
Unlike similar provisions in other jurisdictions (notably the UK) the Amendment Ordinance does not incorporate the requirement that the disclosure be made ‘knowingly or recklessly’, but contains a much narrower requirement that the act be committed with the intent for gain or to cause loss to the data subject.
Powers of the Commissioner
Under the Ordinance the Commissioner is empowered to issue enforcement notices for breaches of the Ordinance only in circumstances where a breach is continuing or likely to be repeated. This restriction came under public scrutiny as a result of the Octopus incident, where despite the Commissioner having found that the Ordinance had been breached by Octopus, he was unable to issue an enforcement notice as reoccurrence of the contravention was unlikely given that the sale of personal data had ceased and Octopus had undertaken to take steps to ensure compliance with the Ordinance in the future. The Commissioner’s inability to issue an enforcement notice in the Octopus case, brought to the fore the question of the effectiveness of the Ordinance, and appears to have been the catalyst for the inclusion of provisions in the Amendment Ordinance empowering the Commissioner to issue an enforcement notice, irrespective of whether a breach is likely to continue or be repeated. A contravention of an enforcement notice issued by the Commissioner under the Ordinance attracts a maximum penalty of a HK$ 50,000 fine (HK$ 1,000 per day for continuing breaches) and imprisonment for 2 years. There is currently no sanction for repeated non-compliance with an enforcement notice. If an organisation complies with an enforcement notice but subsequently repeats the contravening act on the same facts, the Commissioner is currently only empowered to issue a fresh enforcement notice. As a result, a person could intentionally breach the Ordinance after having complied with an enforcement notice on the same facts, with very little fear of further sanctions. The Amendment Ordinance addresses this loophole. It is now an offence to commit subsequent breaches on the same facts following compliance with an enforcement notice (subject to the same penalties as the initial breach). While the penalties for initial breaches of enforcement notices remain unchanged under the Amendment Ordinance, higher penalties have been introduced for repeated breaches of enforcement notices (e.g. where a data user contravenes an enforcement notice and is penalised and subsequently contravenes a fresh enforcement notice in the future) (maximum penalty: HK$ 100,000 fine (HK$ 2,000 per day for continuing breaches) and 2 years’ imprisonment).
New offences and exemptions
New offences
A number of new offences have been introduced in addition to those discussed above, including:
- Failure to comply with a notice of the Commissioner to: (i) provide information/documents relating to a data return; or (ii) correct information contained in a data user return which the Commissioner suspects to be inaccurate (maximum penalty: HK$ 10,000 fine); knowingly or recklessly providing false or misleading material in response to such notice (maximum penalty: HK$ 10,000 fine and 6 months’ imprisonment).
- Misuse of personal data supplied as part of a due diligence exercise (i.e. using the data for another purpose, or failing to return/destroy personal data after the completion of the due diligence exercise) (maximum penalty: HK$ 50,000 fine and 2 years’ imprisonment).
Exemptions
A number of exemptions have been introduced. For example, an organisation shall be exempt from the provisions of the Amendment Ordinance relating to use of personal data where such use is required: (i) by law or court order; (ii) in connection with legal proceedings; or (iii) for establishing or defending legal rights. Despite the absence of such an express exemption previously, use of personal data for such purposes was generally construed as being related to the purpose of collection of such data, and therefore not in breach of the Ordinance.
Another important exemption is the transfer of personal data in connection with a due diligence exercise for an M&A transaction. Such transfers shall be exempt from the provisions relating to use of personal data provided that: (i) excessive data is not transferred for due diligence purposes; (ii) the individual will continue to be provided with the same or similar goods/services following completion of the transaction;
and (iii) it is not practicable to obtain consent for the transfer. This exemption does not apply where the primary purpose of the transaction is the transfer of personal data.
No regulation of data processors
Despite much public debate on the topic, no direct regulation of data processors (i.e. companies which process personal data on an organisation’s behalf) has been introduced. Data users are required to use contractual and other means to ensure that personal data is protected from unauthorised or accidental access, processing, erasure or loss, and is not retained for longer than necessary for the purpose of processing the data.
Legal assistance scheme – provision of legal assistance
to data subjects
Aggrieved individuals are entitled under the current provisions of the Ordinance to commence civil proceedings seeking compensation where their personal data has been misused and they have suffered damage. However, given the costs associated with such proceedings, the provision has rarely been invoked. The Commissioner is empowered under the Amendment Ordinance to provide legal assistance to aggrieved data subjects seeking compensation under the
Ordinance, including providing advice and arranging for legal representation. This will make it more affordable for individuals to seek compensation when their personal data has been misused, and is likely to result in an increased incidence of individuals filing civil proceedings against organisations that misuse their personal data, particularly given the increased awareness of personal data privacy rights amongst individuals in Hong Kong in recent years.
Implications for business
In anticipation of the implementation of the direct marketing provisions early next year, corporate data users may wish to take this time to review their practices relating to direct marketing to ensure that they comply with the new requirements (e.g. revising personal information collection statements, forms used to collect personal data and optout/opt-in facilities).
Companies should note the limitations of the grandfathering arrangement relating to direct marketing: the arrangement only applies to the extent that existing data is used to market the same class of goods/services, and does not apply where existing data is to be sold/transferred to a third party. Also, while the arrangement applies to updates to existing personal data, it is unlikely that this would extend to substantial updates. Companies relying on the grandfathering arrangement for data collected prior to the commencement date of the direct marketing provisions would effectively have to implement two systems when using personal data for direct marketing (one for existing data and one for data collected after the requirements come into force). The failure to implement a uniform approach when using personal data for direct marketing may lead to confusion as to the ways in which particular data should be treated, resulting in inadvertent use of personal data in breach of the Ordinance. Companies may also risk non-compliance where existing data has been substantially updated or where such data is used to market different goods/services. Given this, it is advisable to have one system in place that complies with the new requirements relating to direct marketing irrespective of whether such data is collected before or after the implementation of the new requirements.
Companies obtaining personal data from third parties for marketing purposes should ensure that they obtain written notice from all such third parties confirming that the direct marketing requirements under the Amendment Ordinance have been complied with, to avoid having to embark upon a compliance exercise themselves in respect of such data.
The lack of regulation of data processors under the Amendment Ordinance means that greater care should be taken by companies when outsourcing the collection/processing of personal data to third parties, as they remain liable for the acts of their agents. It is important that agreements with data processors are put in place requiring data processors to comply with the provisions of the Ordinance and indemnifying data users in the event that data processors breach such provisions. Care should be taken when selecting data processors, and only companies that have suitable policies and procedures in place for the ,protection of personal data should be selected.
The higher penalties applicable under the Amendment Ordinance (particularly in relation to use/sale/transfer of personal data for direct marketing), as well as the introduction of new offences highlight the areas on which the Commissioner will focus his monitoring activities. While the penalties for breaches of the new direct marketing provisions represent a significant increase from those under the Ordinance, other penalties under the Ordinance (including failure to comply with an enforcement notice on the first occasion, and contravention of provisions of the Ordinance where no penalty has been prescribed) remain unchanged. On the whole, the penalties under the Amendment Ordinance fall short of the heavier penalties available or proposed in other jurisdictions (e.g. Singapore, Malaysia, Australia, Germany and the UK).
Recent cases of data breaches which have been played out in the public arena have underscored the importance of compliance and have shown the extent of the reputational damage that can be suffered as a result of an investigation by the Commissioner following a report of a breach. The changes brought about by the Amendment Ordinance are therefore likely to result in better and more robust data protection practices being adopted by corporations in Hong Kong.
The Amendment Ordinance may be accessed here:
For further information, please contact:
Gabriela Kennedy, Partner, Hogan Lovells
Heidi Gleeson, Hogan Lovells
Fiona Chan, Hogan Lovells