After many months of uncertainty, the Personal Data (Privacy) (Amendment) Ordinance 2012 was gazetted on 6 July 2012. Most of the amendments came into operation on 1 October 2012.
The Ordinance introduces a more stringent regulatory regime by amending the Personal Data (Privacy) Ordinance (PDPO). Key features include:
The existing law adopts an “opt-out” approach: a data subject only needs to be informed that the data may be used for direct marketing, and the data may be so used unless the subject expressly objects. The amendments introduce a new requirement for data subjects to give positive consent, and data users must provide detailed information so that data subjects can make an informed choice. There will be more onerous notification requirements prior to use, including:
Data users who use a data subject’s personal data in direct marketing without complying with the above requirements will be liable upon conviction to a maximum fine of HK$500,000 and imprisonment for up to 3 years.
What is consent?
Whilst the law states that consent of the data subject is required, it is not clear what constitutes consent. There are also two types of consent, depending on how the data is to be used. If the data is being used for the data user’s own direct marketing, consent is defined as including an indication of no objection. Would a lack of response or silence therefore qualify as consent? It is hoped that there will be further guidance from the Privacy Commissioner on what this means in practice. From our experience, the Commissioner is likely to take a stricter view as to what constitutes consent, and we do not expect him to accept “deemed consent”. Our experience also indicates that the Commissioner tends to go further than the law and is likely to reject bundled consent.
Sale or Disclosure of Personal Data
Where data users intend to transfer or sell personal data to a third party, they must inform the data subjects in writing of the kind of personal data that will be provided, the classes of persons to whom the data will be provided and the classes of marketing subjects in relation to which the data is to be used. If the personal data will be provided to others for gain, then the data subject must be specifically informed of this. The data may not be provided unless the data user has received the data subject’s written consent.
Failure to comply with the above requirements constitutes an offence, and the data user is liable on conviction to:
Unlike the position for a data user’s own direct marketing, oral consent will not suffice here. Thus, although “consent” for this purpose also includes an “indication of no objection”, silence clearly cannot be regarded as sufficient where written consent is required.
The new law also targets certain questionable practices. It will now be an offence for a person who has obtained personal data without consent to subsequently disclose it for gain (of money or other property), with an intent to cause loss (of money or other property), or where the disclosure causes psychological harm to the data subject. Concern has been expressed by Hong Kong journalists that press freedom could be hampered if reporters are at risk of imprisonment for revealing information that might cause psychological harm to a data subject. Members of the media may be exempted if they can show that the disclosure is in the public interest, but it remains to be seen how these provisions will be implemented in practice.
Data User Return Scheme
The amended law finally provides for the implementation of a Data User Return Scheme (“DURS”). This has been in the law since the original PDPO was passed but has never been brought into force. Under DURS, certain classes of data users will be required to submit an annual return detailing the personal data they control and the purposes of collection or processing of such data.
The Commissioner will keep a Register of Data Users, which is a database that contains all the information submitted annually by data users. The register will be available to the public for inspection and will give data subjects an opportunity to understand data users’ privacy practices and compare them with the practices of other data users.
Data users failing to comply will be liable to a fine of HK$10,000 and imprisonment for up to 6 months.
It has been proposed that DURS will be rolled out in three phases.
However, the exact timeframe for the implementation of DURS has yet to be announced.
The Amendment empowers the Privacy Commissioner to issue an enforcement notice wherever an investigation reveals that the data user has breached the PDPO. Previously, the Commissioner could issue an enforcement notice only where the breach was continuing, or was likely to continue or to be repeated. A breach of an enforcement notice constitutes a criminal offence. Hence, the amendments will result in data users losing their “second chance” before attracting serious consequences.
The Amendment empowers the Privacy Commissioner to provide legal assistance to aggrieved data subjects who intend to institute legal proceedings against a data user to seek compensation under the PDPO, including advising the aggrieved data subject or arranging for legal representation. This is likely to make it easier for data subjects to take action against data users, and an increase in breach of privacy claims from aggrieved data subjects can be expected.
Third Party Data Processors
One of the perceived loopholes of the previous legislation was that third parties engaged to process personal data were not regarded as data users and were, therefore, not obliged to comply with the requirements of the PDPO. The law now requires data users to use contractual or other means to ensure that data processors engaged by them adopt appropriate security measures and data retention practices. This applies to off-shore data processors as well.
The new law will have a significant impact on business operations in Hong Kong and data users should start reviewing their data handling policies. It is likely that the existing policies and internal controls will need upgrading in any event.
If direct marketing is part of your business, then particular action needs to be taken to meet the requirements of the new law to avoid criminal consequences. This will include preparing appropriate notices to data subjects and putting in place procedures and mechanisms for notifying data subjects and for them to provide their consent. Care must also be taken to ensure that no further direct marketing materials are sent without such consent.
It will be necessary to carefully review any external data processors to ensure that they are reliable and have adequate systems and controls of their own. Contracts with third party data processors should clearly set out expected service levels and the required security and retention practices, and allow for appropriate action to be taken in case of breach, including termination and indemnities.
Having appropriate policies in place is only the first step. Staff will often need training so that they are aware of the issues and of the business’s internal policies, and protocols may also be needed for responding to a breach of the PDPO. Operations will need to be monitored to ensure compliance.
The Ordinance is now in force. Although the significant provisions regarding direct marketing and the legal assistance scheme will take effect at a later date, probably sometime in 2013, it is important for data users to take action now to prepare for the transition.