The Government introduced the Personal Data (Privacy) (Amendment) Bill 2011 (the Bill) into the Legislative Council on July 13, 2011.
The Bill seeks to implement proposals published in a Hong Kong Government report in April 2011.
The proposals were formulated following a lengthy review process of the Personal Data (Privacy) Ordinance (PDPO), which commenced in 2009.
The recent enforcement action taken by the Privacy Commissioner against a number of Hong Kong banks over the transfer of customers’ personal data for direct marketing purposes and the Octopus Rewards incident demonstrate that the changes proposed in the Bill are both timely and relevant.
Key amendments in the Bill include:
Cross marketing
There are specific provisions directed at cross marketing and selling personal data including the requirement of confirming in writing the types of personal data being transferred, the classes of persons to which data will be transferred and the categories of goods and services that will be cross-marketed.
Direct marketing
There have been substantial changes to the types of notices and procedures to be followed in direct marketing.
For example, data subjects will need to be given the ability to opt out of receiving marketing materials before their data is used for direct marketing, and must be informed of their right to opt out on first use of their personal data for marketing purposes.
They will also have the right to opt out at any time subsequently.
New offences of sale or use in direct marketing
It will be an offence for a person to sell or transfer personal data, or use it for direct marketing, without providing certain information or if the person has objected to the sale, transfer or use. The maximum penalty in these circumstances for sale is HKD1 million and five years' imprisonment, and for use or transfer it is HKD500,000 or 3 years' imprisonment.
Privacy Commissioner to provide legal assistance
There is a new provision which will empower the Privacy Commissioner to provide legal assistance to data subjects who intend to bring proceedings under the Personal Data (Privacy) Ordinance to seek compensation from data users.
New offence
It will be an offence to disclose personal data of a data subject, obtained from a data user, without the consent of the data user if there is intent to (a) make financial gain (personally or otherwise); or (b) cause financial loss. It is also an offence if the disclosure causes psychological harm to the data subject. This is different from injury to feelings and it is likely that expert evidence would need to be adduced to prove psychological harm. The maximum penalty is HKD1 million and five years’ imprisonment. This could be relevant to employees who take personal data from client or customer lists for their own gain and may provide employers with a tool to discourage such losses.
Key points for employers to consider
- Even though many of the amendments relate to commercial uses of data such as direct marketing, they may be of interest to employers because a wide range of staff may handle the personal data. As a result, staff should be appropriately trained and any existing systems to safeguard data should be reviewed and/or strengthened.
- The risk profile for any claims brought by data subjects being assisted by the Privacy Commissioner’s Office may require upgrading and escalating within the employer’s company for a swift resolution, as the scrutiny of the Privacy Commissioner’s Office is unlikely to be desirable and may attract negative publicity.
Source: Baker & McKenzie
For more information, please contact:
Jennifer Van Dale | (852) 2846 2483
Anna Gamvros | (852) 2846 2137
This article is published in the HR Magazine Autumn 2011 issue.