In November 2014, the Office of the Privacy Commissioner for Personal Data (“PCPD”) published the “Best Practice Guide for Mobile App Development” and in December 2014 the PCPD published the “Guidance Note on Personal Data Protection in Cross-border Data Transfer”. Given the increasing use of mobile apps (i.e. software applications developed specifically for use on mobile devices such as smartphones or tablets) to obtain personal data, data users face new challenges in relation to compliance with the Personal Data (Privacy) Ordinance, Cap. 486 (“PDPO”). This article looks at the requirements under the PDPO and the best practice for the use and transfer of personal data in direct marketing, particularly through the use of mobile apps.
I. Collection and Use of Personal Data for Direct Marketing Via Mobile App
“Direct marketing” is defined under the PDPO as the offering, or advertising of the availability, of goods, facilities or services. Sending marketing collaterals to customers by email or mail providing information on products and services offered by the data user is one example of direct marketing. Strictly speaking, if a mobile app only accesses data stored on mobile devices and does not transfer the data to third parties, or has not used the data in a way that may identify an individual, its developer may not be considered a “data user” under the PDPO.
However, if the app developer intends to use personal data collected from the app in direct marketing, it has a duty to comply with the PDPO and inform the data subject of the intention to so use his/her personal data. Pursuant to the Data Protection Principles under the PDPO, a data user is required to take certain actions before collecting and using personal data in direct marketing. Non-compliance with the following requirements can result in a maximum fine of HK$500,000 and imprisonment of up to 3 years. A data user must:-
Further, when data is collected through mobile apps, it is difficult to obtain consent from data subjects by signature or orally. The best practice may be to obtain consent through a pop-up consent clause with a tick box which states: “I agree to the use of my personal data by [the data user] for direct marketing purpose.” Putting a tick in the box would be considered as an act of giving consent and as fulfilling the requirements under the PDPO.
As a data user, the app developer must also inform the data subject that he/she will be able to opt-out from any use of his/her personal data in direct marketing at any time without charge. If the app developer fails to do so, he is liable, upon conviction, to a maximum fine of HK$500,000 and imprisonment of up to 3 years under the PDPO. Therefore, it is important to make use of the PIC Statements to provide for an opt-out mechanism (e.g. opt-out through the app, by email or by mail). The opt-out clause should indicate that once the app developer receives notification from the data subject, it will cease to use his/her personal data concerned without charge.
II. Transfer of Personal Data to Third Parties for Direct Marketing
It is not uncommon for personal data collected from a mobile app to be transferred by the app developer to third parties, such as companies within the same group. Before transferring personal data to third parties (including the app developer’s agents, subsidiaries, or companies under the same group), the app developer, as a data user, is required by the PDPO to do the following:-
i. Notify the app user in writing of:
ii. Obtain the app user’s written consent. Oral consent is insufficient for the transfer of personal data.
Transfer of personal data outside Hong Kong
As mobile apps may be downloaded by users worldwide, the use of personal data often involves third parties located overseas. Section 33 of the PDPO provides for the transfer of personal data outside Hong Kong and it requires data users to obtain written consent from the data subject before transferring his/her personal data overseas. However, the section has not yet been brought into force.
According to the PCPD’s media statement dated 29 December 2014, the Administration has not set a firm date for implementation of section 33. However, in December 2014, the PCPD published a Guidance Note on Personal Data Protection in Cross-border Data Transfer (“the Guidance Note”) and encourages voluntary compliance with the provisions. Although the provisions are not in operation and it seems that the transfer of personal data is unrestricted at present, it is still advisable for data users to follow the Guidance Note which can serve as a practice guide for data users to prepare for the implementation of section 33 and to maintain a high corporate standard in the protection of personal data.
III. Enforcement and Prosecution
In 2014, the Privacy Commissioner referred 20 cases to the police for criminal investigation, of which 17 cases related to suspected contraventions involving the use of personal data in direct marketing. There was only one conviction recorded in 2014 which was unrelated to direct marketing3.
1 Apple Inc. (App Store), Google Inc. (Google Play), Samsung Electronics Co., Ltd (Samsung GALAXY Apps), Microsoft Corporation (Microsoft Store), Nokia Corporation (Nokia Store), Blackberry Limited (Blackberry World), Amazon.com, Inc. (Amazon Appstore).
2 Media Statement published by the Office of the Privacy Commissioner on 10 December 2014.
3 Media Statement published by the Office of the Privacy Commissioner for Personal Data dated 27 January 2015.
4 Ditto FN3