By Gabriela Kennedy (Partner) and Heidi Gleeson (Registered Foreign Lawyer) Hogan Lovells, Hong Kong.
The Personal Data (Privacy) Amendment Bill (the "Bill") was introduced into the Legislative Council on 13 July 2011. The Bill is the culmination of a lengthy consultation process into the reform of the Personal Data (Privacy) Ordinance (the "Ordinance") which commenced in 2009. The Bill aims to bring the Ordinance in line with technological and other advancements that have occurred since the Ordinance was enacted 15 years ago, and is in part a response to the mounting public concern in relation to a number of high profile instances of misuse of personal data in Hong Kong.
The most significant amendments relate to direct marketing and the sale of personal information, data processing and the powers of the Privacy Commissioner for Personal Data (the "Privacy Commissioner"). The Bill also introduces increased penalties for breaches of the Ordinance. These key amendments are discussed below.
Provision and Use of Personal Data in Direct Marketing
The Bill introduces a number of new requirements relating to the use of personal data for direct marketing, which apply irrespective of whether the personal data was collected by the data user or a third party. Before data users provide or use personal data for direct marketing, they will be required to inform data subjects of the types of data that may be used or provided, to whom the data may be provided, and the categories of goods/services that may be marketed to data subjects. Data users shall also have to provide data subjects with the opportunity to opt-out of their personal data being used for direct marketing purposes. If data subjects do not opt-out within 30 days of receipt of such notification, they shall be deemed to have consented to their data being used for direct marketing.
Even though such consent is deemed given, data subjects may opt-out at any time (even after the 30 day response period has lapsed). The data user shall be required to cease using the personal data for direct marketing and also notify any transferees of such data to do the same.
Failure to comply with these provisions constitutes an offense, attracting a HK$500,000 fine and three years’ imprisonment.
If data users intend to use or provide personal information for direct marketing or intend to sell personal data, it is advisable that they review their personal information collection statements to ensure that they comply with the new requirements. The proposed amendments relating to direct marketing will not apply retrospectively, i.e. they will not apply to the continued use of personal data that was collected prior to the amendments coming into force and that was used for direct marketing purposes in a way that did not contravene the then current provisions of the Ordinance.
Sale of Personal Data
The Bill introduces new obligations on data users in relation to the sale of personal data, which are a clear response to the furore caused by the revelation of the large scale sale of personal data by Octopus Rewards Limited.
The new requirements regarding the sale of data mirror the ones for direct marketing. Where a data user intends to sell personal data (whether the personal data was collected by the data user or a third party), the data user must, before the sale, inform the data subject of the types of data that may be sold, to whom the data may be sold, and if the data is to be sold for direct marketing purposes, the categories of goods/services that may be marketed to data subjects.
Data users shall be required to provide a facility through which data subjects may opt-out of their personal data being sold. As is the case with direct marketing, if data subjects do not opt-out of their data being sold within 30 days of the data user’s notification, they shall be deemed to consent to their data being sold. Data subjects may opt-out of their data being sold at any time (even once the 30 day response period has lapsed). The data user shall be required to cease selling the personal data and notify any purchaser of such data to cease use of the data.
Failure to comply with these provisions constitutes an offense, attracting a HK$1,000,000 fine and five years’ imprisonment.
Disclosure of personal data with a view to gain, or intent to cause loss
The Bill introduces a new offense where a person (e.g. an employee of a data user) discloses personal data of a data subject that was obtained from a data user without the data user’s consent: (i) with an intent for gain, or to cause loss to the data subject; or (ii) where the disclosure results in psychological harm to the data subject. These offenses shall attract fines of HK$1,000,000 and 5 years’ imprisonment.
An example of where these provisions may apply is where an employee takes personal data handled in the course of his/her business and sells it to a direct marketing company. The new provisions make the employee (rather than the employer) liable for the unauthorized disclosure of the personal data.
Regulation of data processors
Despite much public debate on this topic, the Bill does not introduce direct regulation of data processors (i.e. companies which process personal data on the instructions of others), but rather requires data users to use contractual and other means to ensure that personal data is protected from unauthorized or accidental access, processing, erasure or loss, and is not retained for longer than necessary for the purpose of processing the data.
The practical effect of this is that data users should enter into data transfer agreements with all parties engaged to process personal data on their behalf. Under the Ordinance, data users remain liable for the acts of their agents (which includes companies engaged to process data on their behalf). Therefore, it is important that data users have agreements in place requiring data processors to comply with the provisions of the Ordinance and indemnifying the data user in the event that a data processor breaches such provisions. This would provide data users with a contractual remedy against their data processors in the event that the data processors misuse any personal data. Data users should also take care when selecting data processors, and only engage companies that have suitable policies and procedures in place for the protection of personal data.
Provision of legal assistance to data subjects
The Bill empowers the Privacy Commissioner to provide legal assistance to aggrieved data subjects who intend to institute legal proceedings against a data user to seek compensation under the Ordinance, including providing advice to the aggrieved data subject or arranging for legal representation.
The current provisions of the Ordinance empower the Privacy Commissioner to issue an enforcement notice for breaches of the Ordinance only in circumstances where the breach is continuing or where it is likely that the breach will continue or be repeated. The Bill removes this requirement and empowers the Privacy Commissioner to issue an enforcement notice where an investigation reveals that the data user has breached the Ordinance, irrespective of whether the breach is likely to continue or be repeated.
Timeframe for implementation
There is no precise timeframe for the implementation of the Bill at this stage (as the Bill still has to be debated further by the Legislative Council after the summer recess, before passing to the committee stage and undergoing a final reading). However, it is hoped that the amendments will be implemented some time in 2012.
Although the amendments are not likely to be implemented for some time, companies may wish to take the opportunity to review their practices relating to data collection and use prior to the amendments coming into force, particularly where they conduct direct marketing, sell personal data, or outsource the processing of personal data to third parties.