The Personal Data (Privacy) (Amendment) Ordinance 2012 was formally adopted on 6 July 2012. The text of the Amendment Ordinance has undergone a number of changes since it was first introduced as the Personal Data (Privacy) (Amendment) Bill 2011 one year ago. One major change is the requirement to obtain express responses (as opposed to deemed consent) from the data subject for the use of personal data in direct marketing.
The Amendment Ordinance will take effect in two phases:
Phase 1 (from 1 October 2012)
- Introduces indirect regulation of data processors.
- Enhances the Privacy Commissioner’s power to issue enforcement notices.
- Increases the penalty for repeated contravention of enforcement notices.
- Introduces a new offence for the disclosure of personal data obtained without the data user’s consent.
- Introduces new exemptions: business due diligence, legal proceedings, self-incrimination, etc.
Phase 2 (effective date to be announced)
- Regulates the use and transfer of personal data in direct marketing.
- Empowers the Privacy Commissioner to assist aggrieved data subjects in seeking compensation from data users through legal proceedings.
- Requires each party to legal proceedings to bear his own costs.
About use of personal data in direct marketing
If you wish to collect personal data for use in your own direct marketing, you should at least take the following steps:
- Inform the data subject that you intend to use the personal data collected in direct marketing and that you may only do so with his consent; tell him the kinds of personal data to be used and the classes of marketing subjects; and provide a response channel through which he can communicate his consent. Consent includes an indication of no objection (in other words, an express response).
- The data subject may give his consent either generally or selectively. If the consent is given orally, you should send a written confirmation to the data subject regarding the consent given within 14 days.
- When you use the personal data in direct marketing for the first time, you should inform the data subject that you will cease using the personal data if you are so requested.
If at any time you receive a request from the data subject to cease using the personal data in direct marketing, you must comply with the request.
Non-compliance with the applicable requirements may result in a maximum penalty of a fine of HK$500,000 and 3 years’ imprisonment. There are some exemptions, including a grandfathering exemption that applies subject to a number of conditions being fulfilled.
Similar but slightly more stringent requirements apply if you wish to provide personal data (for gain or otherwise) to another party for use in direct marketing. If the personal data will be provided for gain, you must inform the data subject. Consent from the data subject must be received in writing. Failure to comply with the applicable requirements in providing personal data for gain may result in a maximum penalty of a fine of HK$1 million and 5 years’ imprisonment.
Several key steps to get prepared
- Review existing practices relating to the collection, use, transfer, processing and retention of personal data, and the safeguards against its loss or unauthorised transfer.
- Update, and where possible enhance, the documentation systems relating to the collection and handling of personal data.
- Revisit your current contracts with any data processors, and implement due diligence and monitoring plans for the selection and supervision of data processors.
- Develop protocols for the use of personal data for any direct marketing activities.
- Watch out for guidance notes to be issued by the Office of the Privacy Commissioner.