Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Cybersecurity & Data Breaches

Collection and use of personal data for direct marketing — Lessons from the Octopus Case in Hong Kong

Hong Kong   Data protection is currently a hot topic in Hong Kong. This is largely due to the furor caused by the discovery of the large scale sale of personal data by Hong Kong’s Octopus Rewards Limited (a company owned by Octopus Holdings Limited) over a number of years. We reported previously that the Hong Kong Privacy Commissioner launched an investigation into Octopus Rewards Limited and Octopus Holdings Limited. In October the Hong Kong Privacy Commissioner issued his final report on the sale of personal data by Octopus for the purposes of direct marketing. A Guidance Note providing practical guidance on compliance with the requirements under the Personal Data (Privacy) Ordinance (the "Ordinance") relating to use of personal data for direct marketing was published on the same day.

On 18 October 2010 the Constitutional and Mainland Affairs Bureau (the "CMAB") published a consultation paper which summarises the responses to the consultation of the review of the Ordinance undertaken last year and puts forward the current proposals for reform. The CMAB has proposed 37 amendments to the Ordinance and the public are invited to comment on the proposals until 31 December 2010.

The Octopus case

As outlined previously in this blog, Octopus Holdings Ltd. and its related companies including Octopus Rewards Limited (collectively referred to as "Octopus") operate the Octopus card, which is an electronic stored-value payment card used by Hong Kong residents for public transport, fast-food restaurants, parking, convenience stores and supermarkets.

The Privacy Commissioner’s investigation was focussed on the use and collection of personal data in relation to a rewards program that is linked to the Octopus card, whereby card holders may earn reward cash every time they make purchases with their Octopus cards at selected business partners ("Rewards Program"). Card holders must register with Octopus in order to take advantage of the Rewards Program and were requested to supply a broad range of personal information on the registration form (some of which was required for the application to proceed).

Octopus provided the personal information of almost 2 million card holders to six business partners for direct-marketing over nearly eight years, earning the company HK$44 million in revenue.

Findings of the Privacy Commissioner

On 18 October 2010, the Privacy Commissioner issued his final determination on the matter. In his report, the Privacy Commissioner found that as the personal data was collected in connection with a rewards program whereby customers benefit from redemption of goods and services in addition to direct marketing offers, the purposes of collection of personal data under the Rewards Program was lawful. However, the Privacy Commissioner found that Octopus had breached two of the six Data Protection Principles set out in the Ordinance.

Data Protection Principle 1 ("DPP1") relates to the purpose and manner of collection of personal data and clearly states that data should only be collected if it is necessary and not excessive for a lawful purpose directly related to the activity of the data user. DPP1 also requires that where personal data is collected from the data subject, he or she should be informed of: (i) the purpose of collection; (ii) the classes of persons to whom the data may be transferred; (iii) the right to, and practicalities of, access to the data; (iv) whether it is obligatory to supply the data; and (v) if so, the consequences of not doing so.

The Privacy Commissioner found that while the data was collected by Octopus for a lawful purpose, the collection of data such as Hong Kong identity card number, passport number, birth certificate number as well as month and year or birth was excessive for the purpose of customer identification. It was found that Octopus could have conducted customer authentication using less intrusive data (e.g. name, telephone numbers and home address) and accordingly Octopus was held to have contravened DPP1.

Further, the Privacy Commissioner found that Octopus did not take all reasonable steps to inform its customers of the classes of persons to whom the personal data may be transferred (thereby contravening DPP1). This was partly attributable to the fact that classes of transferees were referred to in vague terms such as "any person who is under a duty of confidentiality to us", and partly because the Personal Information Collection Statement ("PICS") was printed in unreasonably small font.

The Privacy Commissioner also held that Octopus contravened Data Protection Principle 3 ("DPP3"). DPP3 relates to the use of personal data and requires that personal data should only be used for a purpose directly related to the purpose for which it was collected, unless the data subject expressly consents to another use. DPP3 was breached because customers’ personal data was shared with business partners for monetary gain without the consent of Octopus’s customers, as the sale of personal data was not stated as a purpose of data collection in the PICS published by Octopus in relation to the Rewards Program. The sale of personal data is not prohibited by the Ordinance as such and can be a legitimate purpose for which data is collected but this has to be made clear at the time the data is collected. In the present case the Privacy Commissioner held that the "sale of data" may not be considered to be the purpose of the data collection (or a directly related purpose). Therefore Octopus was found to be in breach of DPP3.

A further interesting finding as a result of the investigation was that Octopus Holding was held liable for the acts of its subsidiary Octopus Rewards which is the Octopus entity that operated the Rewards Program.

Under the Ordinance as it currently stands, a breach of a data protection principle is not an offence and the only action the Privacy Commissioner may take is to serve an enforcement notice on a party that is found to be contravening the Ordinance. Only in the event that a party contravenes an enforcement notice will they be penalised. The Privacy Commissioner however found that it could not issue an enforcement notice as Octopus had ceased or suspended all arrangements with business partners to sell customers’ personal data and had undertaken to implement various changes to its practices in relation to the collection and use of personal data, in order to comply with the requirements of the Ordinance.

Proposals for reform

As we reported previously in this blog, the CMAB published the Consultation Document on the Review of the Personal Data (Privacy) Ordinance (the "Consultation Document") on 28 August 2009, and received public comments on the proposed amendments until 30 November 2009. 

The CMAB published the Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance (the "Report on Public Consultation") on 18 October 2010 and the public are invited to provide comments on the proposed amendments until 31 December 2010. The Report revealed that the Government has adopted 37 of the 55 amendments proposed in the initial Consultation Document, including amendments relating to direct marketing, data security, statutory powers and functions of the Privacy Commissioner, offences and sanctions and rights of data subjects.

As a result of the Octopus case, a number of further amendments have been proposed specifically dealing with the transfer of personal data for direct marketing purposes, requiring a data user to communicate a clear Personal information Collection Statement outlining its intent to use the personal information for direct marketing and clearly identifying the class of transferees and the kinds of data to be transferred, as well as requiring the data user to provide an opt-out function for people who do not wish their personal information to be used for direct marketing. A further amendment is proposed which would make it an offence if a data user failed to comply with the requirements of the Ordinance in relation to direct marketing and subsequently used the personal information for direct marketing.

Guidance Note

On the same day the final report came out, the Privacy Commissioner issued a guidance note entitled "Guidance on the Collection and Use of Personal Data in Direct Marketing ("Guidance Note"). The Guidance Note is designed to provide practical guidance on direct marketing.

The Guidance note replaces the Fact Sheet on "Guidelines on Cold-Calling" and the Guidance Note on "Cross-Marketing Activities" previously published by the Privacy Commissioner. The Guidance Note covers a number of issues which have been included in the latest round of proposed amendments to the Ordinance but also provides guidance on compliance with the Ordinance as it currently stands. It is expected that the Privacy Commissioner will either revise the Guidance Note or replace it with a new Code of Practice, if and when the proposed amendments are adopted.

The Guidance Note sets out, among other things, the following requirements:

  • Collection of personal data for direct marketing should be related to the original purpose of data collection
  • Personal data should not be excessively collected (name and contact details should generally be sufficient for the purposes of direct marketing)
  • Collection of additional personal data for direct marketing should be voluntary (and the data subject should be informed of the voluntary nature of collection)
  • Personal data should not be collected using deceptive/misleading means (e.g. bundled consent)
  • The PICS should be effectively communicated to the data subject (taking into account layout, presentation, language etc.)
  • The purpose of use of personal data and the classes of transferees should be clearly defined using specific terms. Terms such as "such other purposes as the Company may from time to time prescribe" should not be relied upon to cover direct marketing as a purpose of collection. Similarly, terms such as "such other agents as the Company may from time to time appoint" or "all business partners" should not be used when defining the classes of transferees.

The Guidance Note also contains recommendations relating to the use of personal data from public registers; managing and maintaining opt-out requests; direct marketing activities conducted by agents, contractors and business partners; and the sale of personal data to third parties for direct marketing purposes.

The Octopus case has exposed dubious and lax practices in relation to data protection adopted by many companies in Hong Kong. In response to a request from the Privacy Commissioner, the financial regulator, the Hong Kong Monetary Authority, has issued three circulars between 12 August 2010 and 25 October 2010. The circulars restate recommendations made by the Privacy Commissioner in relation to the collection and use of personal data, in the wake of the Octopus case. HKMA has requested that all approved financial institutions in Hong Kong undertake reviews of their privacy policies and that they suspend all transfer of data to unconnected third parties for marketing purposes, until legal advice on this is sought and discussed with and approved by the authorities.

So where to now? The Ordinance is set for a review, and for now all data users in Hong Kong are advised to revamp their personal data polices and take heed of the advice provided in the Guidance Note if they use such data for direct marketing.

Gabriela Kennedy (Partner) (gabriela.kennedy@hoganlovells.com) and Heidi Gleeson (Registered Foreign Lawyer), Hogan Lovells, Hong Kong.