The Collection and Use of Personal Data Via Mobile App Under the Personal Data (Privacy) Ordinance

In November 2014, the Office of the Privacy Commissioner for Personal Data (“PCPD”) published the “Best Practice Guide for Mobile App Development” and in December 2014 the PCPD published the “Guidance Note on Personal Data Protection in Cross-border Data Transfer”. Given the increasing use of mobile apps (i.e. software applications developed specifically for use on mobile devices such as smartphones or tablets) to obtain personal data, data users face new challenges in relation to compliance with the Personal Data (Privacy) Ordinance, Cap. 486 (“PDPO”). This article looks at the requirements under the PDPO and the best practice for the use and transfer of personal data in direct marketing, particularly through the use of mobile apps.

I.         Collection and Use of Personal Data for Direct Marketing Via Mobile App

“Direct marketing” is defined under the PDPO as the offering, or advertising of the availability, of goods, facilities or services. Sending marketing collaterals to customers by email or mail providing information on products and services offered by the data user is one example of direct marketing. Strictly speaking, if a mobile app only accesses data stored on mobile devices and does not transfer the data to third parties, or has not used the data in a way that may identify an individual, its developer may not be considered a “data user” under the PDPO.

However, if the app developer intends to use personal data collected from the app in direct marketing, it has a duty to comply with the PDPO and inform the data subject of the intention to so use his/her personal data. Pursuant to the Data Protection Principles under the PDPO, a data user is required to take certain actions before collecting and using personal data in direct marketing. Non-compliance with the following requirements can result in a maximum fine of HK$500,000 and imprisonment of up to 3 years. A data user must:-

1. inform the app user what types of personal data will be collected and used, and the classes of marketing items (e.g. promotional emails, SMS messages or brochures sent by mail) in relation to which the data is to be used;
2. inform the app user of its intention to use his/her personal data for direct marketing; and
3. obtain consent (oral or written) from the app user prior to the collection and use of his/her personal data.

When personal data is collected through a mobile app, app developers must establish their own privacy policy to inform data subjects of their intention to collect and use personal data collected through the app. In fact, privacy enforcement authorities from around the world, including the UK, Canada, France, Finland, Colombia, Ireland, Italy, China, Holland, New Zealand, Norway, Korea, Estonia and Hong Kong issued a joint open letter to seven app marketplaces¹ on 9 December 2014, calling on them to make it mandatory for mobile app developers to post links to privacy policies prior to download if they are going to collect personal information². To ensure compliance with the Data Protection Principles, mobile app developers should carefully draft their privacy policies and Personal Information Collection statements (“PIC Statements”) to cover all requirements mentioned above.

Further, when data is collected through mobile apps, it is difficult to obtain consent from data subjects by signature or orally. The best practice may be to obtain consent through a pop-up consent clause with a tick box which states: “I agree to the use of my personal data by [the data user] for direct marketing purpose.” Putting a tick in the box would be considered as an act of giving consent and as fulfilling the requirements under the PDPO.

As a data user, the app developer must also inform the data subject that he/she will be able to opt-out from any use of his/her personal data in direct marketing at any time without charge. If the app developer fails to do so, he is liable, upon conviction, to a maximum fine of HK$500,000 and imprisonment of up to 3 years under the PDPO. Therefore, it is important to make use of the PIC Statements to provide for an opt-out mechanism (e.g. opt-out through the app, by email or by mail). The opt-out clause should indicate that once the app developer receives notification from the data subject, it will cease to use his/her personal data concerned without charge.

II.         Transfer of Personal Data to Third Parties for Direct Marketing

It is not uncommon for personal data collected from a mobile app to be transferred by the app developer to third parties, such as companies within the same group. Before transferring personal data to third parties (including the app developer’s agents, subsidiaries, or companies under the same group), the app developer, as a data user, is required by the PDPO to do the following:-

i.  Notify the app user in writing of:

1. the kinds of personal data to be provided;
2. the classes of persons to whom the data is to be provided;
3. the classes of marketing subjects in relation to which the data is to be used;
4. the intention to use such data in direct marketing; and

ii.  Obtain the app user’s written consent. Oral consent is insufficient for the transfer of personal data.

Similar to the collection and use of personal data, the app developer can fulfill the above requirements by adopting a privacy policy, PIC Statements and a consent clause with a tick box. It is worth noting that under the PDPO, the transferer of data (i.e. the app developer) has no obligation to ensure that the third party transferee had obtained consent before using the data as long as the app developer itself had obtained consent for the transfer. Even if the third party transferees are companies within the same group, it is advisable to remind them to obtain consent prior to the use of the personal data to ensure compliance with the PDPO.

Transfer of personal data outside Hong Kong

As mobile apps may be downloaded by users worldwide, the use of personal data often involves third parties located overseas. Section 33 of the PDPO provides for the transfer of personal data outside Hong Kong and it requires data users to obtain written consent from the data subject before transferring his/her personal data overseas. However, the section has not yet been brought into force.

According to the PCPD’s media statement dated 29 December 2014, the Administration has not set a firm date for implementation of section 33. However, in December 2014, the PCPD published a Guidance Note on Personal Data Protection in Cross-border Data Transfer (“the Guidance Note”) and encourages voluntary compliance with the provisions. Although the provisions are not in operation and it seems that the transfer of personal data is unrestricted at present, it is still advisable for data users to follow the Guidance Note which can serve as a practice guide for data users to prepare for the implementation of section 33 and to maintain a high corporate standard in the protection of personal data.

III.      Enforcement and Prosecution

In 2014, the Privacy Commissioner referred 20 cases to the police for criminal investigation, of which 17 cases related to suspected contraventions involving the use of personal data in direct marketing. There was only one conviction recorded in 2014 which was unrelated to direct marketing³.

The PCPD has conducted a survey of 60 popular mobile apps developed by Hong Kong entities in 2014 and found that their transparency in terms of privacy policy was clearly inadequate and there was no noticeable improvement compared with the results of a similar survey conducted in 2013. Thus the PCPD has made privacy and data protection issues related to the prevalent use of mobile apps one of its special focuses for 2015⁴. As the offences related to the collection and use of personal data in direct marketing could lead to a heavy fine and imprisonment, it is prudent for mobile app developers to seek proper legal advice on the handling of personal data to ensure compliance with the PDPO.

¹ Apple Inc. (App Store), Google Inc. (Google Play), Samsung Electronics Co., Ltd (Samsung GALAXY Apps), Microsoft Corporation (Microsoft Store), Nokia Corporation (Nokia Store), Blackberry Limited (Blackberry World), Amazon.com, Inc. (Amazon Appstore).

² Media Statement published by the Office of the Privacy Commissioner on 10 December 2014.

³ Media Statement published by the Office of the Privacy Commissioner for Personal Data dated 27 January 2015.

⁴ Ditto FN3