Amendments To The Law On The Use And Provision Of Personal Data For Direct Marketing Expected To Come Into Force On 1 April 2013
The Personal Data (Privacy) (Amendment) Ordinance 2012 (Amendment Ordinance) was introduced to enhance the protection of personal data privacy of individuals offered under the Personal Data (Privacy) Ordinance (PDPO) and was gazetted on 6 July 2012.
While a majority of the amendments under the Amendment Ordinance came into effect on 1 October 2012, the new restrictions on the use and provision of personal data in direct marketing, being one of the most important areas of change under the Amendment Ordinance, are expected to come into force on 1 April 2013 in order to provide a transitional period and to allow the Privacy Commissioner for Personal Data (Commissioner) to issue guidance notes and information. Provisions relating to the legal assistance scheme provided by the Commissioner will take effect on a subsequent date to be announced.
This note provides a summary of the new provisions relating to the use and provision of personal data in direct marketing as well as other major amendments introduced by the Amendment Ordinance.
Defined Terms Under The PDPO And The Amendment Ordinance
Below are some of the commonly used defined terms under the PDPO and the Amendment Ordinance:
Data subject, in relation to personal data, means the individual who is the subject of the personal data.
Data user, in relation to personal data, means a person, who either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the personal data.
Personal data means any data:
relating directly or indirectly to a living individual;
from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
in a form in which access to or processing of the data is practicable.
Use, in relation to personal data, includes to disclose or transfer the data.
Consent, in relation to a use or provision of personal data in direct marketing, includes an indication of no objection to the use or provision.
Direct marketing means:
the offering, or advertising of the availability, of goods, facilities or services; or
the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes,
through direct marketing means.
Direct marketing means means:
sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or
making telephone calls to specific persons.
Amendments In Relation To The Use And Provision Of Personal Data For Direct Marketing
New requirements in relation to the use of personal data for direct marketing (tentatively effective on 1 April 2013)
Introduction of an “opt-in” regime
Before the Amendment Ordinance, when a data user uses the personal data of a data subject for direct marketing purposes for the first time, the data user is required to inform the data subject that the data user must, without charge to the data subject, cease using those data if the data subject so requests.
While the above opt-out right is preserved in the new section 35F of the PDPO, an “opt-in” mechanism is introduced by the new section 35E of the PDPO. It provides that a data user must not use personal data in direct marketing without the data subject’s consent, and if such consent from the data subject is given orally, the data user must, before using the personal data, send a written confirmation to the data subject within 14 days from receiving the consent. However, it should be noted that consent is defined to include an indication of no objection.
New additional specified actions before using personal data in direct marketing and the grandfathering arrangement
The Amendment Ordinance introduces a new section 35C to the PDPO to require that a data user, before using a data subject’s personal data in direct marketing, must take certain actions, either orally or in writing, which include:
informing the data subject that the data user intends to use his/her personal data and that the data user may not so use the data unless the data subject’s consent has been received;
providing the data subject with the information of the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used; and
providing the data subject with a channel, without charge by the data user, for the data subject to communicate his/her consent to the intended use.
The above information must be presented in an easily readable (if in written form) and understandable manner.
A grandfathering arrangement is provided in the new section 35D to exempt the use of pre-existing personal data from complying with the additional specified actions above, if before the commencement of section 35C:
the data subject had been explicitly informed in an easily readable (if in written form) and understandable manner of the intended use or use of his/her personal data in direct marketing in relation to a class of marketing subjects;
the data user had actually used such personal data in direct marketing;
the data subject had not required the data user to cease to use those data; and
the data user had not, in relation to the use, contravened any provisions of the PDPO,
provided that the pre-existing data is used in the same class of marketing subjects as before the commencement of the new provisions.
Non-compliance with the provisions in relation to the use of personal data for direct marketing is a criminal offence subject to a maximum penalty of a HK$500,000 fine and imprisonment for 3 years.
New requirements in relation to the provision of personal data for direct marketing (tentatively effective on 1 April 2013)
The current PDPO has no provisions specifically addressing the restrictions on the provision of personal data to another person for direct marketing or the sale of data. The new sections 35J and 35K introduced by the Amendment Ordinance require that a data user must take the following actions in writing before he/she can provide a data subject’s personal data to another person for use by that other person in direct marketing:
informing the data subject that the data user intends to provide his/her personal data and that the data user may not so provide the data unless the data subject’s written consent has been received;
if the data is to be provided for gain, informing the data subject that the data is to be so provided;
providing the data subject with written information as to the kinds of personal data to be provided, the classes of persons to whom the data is to be provided, and the classes of marketing subjects in relation to which the data is to be provided;
providing the data subject with a channel, without charge by the data user, for the data subject to communicate his/her consent to the intended provision in writing; and
obtaining the prior written consent to such provision from the data subject.
Similar to the provisions in relation to the use of personal data in direct marketing, the information provided to data subjects pursuant to section 35J must be presented in an easily readable and understandable manner. Again, consent is defined to include an indication of no objection. No similar grandfathering arrangement is provided, and new section 35L of the PDPO states that a data subject can opt out at any time.
Failure to comply with the requirements in relation to the provision of personal data is a criminal offence. For contraventions involving the provision of personal data for gain, the maximum penalty is a fine of HK$1 million and imprisonment for 5 years. If the data is provided otherwise than for gain, the maximum penalty is a fine of HK$500,000 and imprisonment for 3 years.
Other Major Amendments To The PDPO
New powers of the Commissioner to provide legal assistance in civil actions (effective date to be announced)
The newly introduced section 66B of the PDPO increases the power of the Commissioner by providing the Commissioner with discretion to grant legal assistance to an aggrieved individual. The form of assistance may include:
arranging for the giving of advice or assistance by a solicitor or counsel;
arranging for representation by a solicitor or counsel in the steps preliminary or incidental to any proceedings; and
providing any other form of assistance considered appropriate.
The Commissioner will have regard to the circumstances, including in particular, whether the case raises a question of principle, or whether it is unreasonable, having regard to the complexity of the case or the applicant’s position in relation to the respondent or other parties involved in the case, to expect the applicant to deal with the case unaided.
New offence for disclosing personal data obtained without consent from data users (effective on 1 October 2012)
Section 64 of the PDPO is amended to provide that a person commits an offence if he/she discloses any personal data of a data subject obtained from a data user without the data user’s consent and:
with an intent to obtain gain for himself/herself or another person;
with an intent to cause loss to the data subject; or
causes psychological harm to the data subject.
The maximum penalty for the offence is a HK$1 million fine and imprisonment for 5 years.
Greater enforcement power of the Commissioner (effective on 1 October 2012)
Before the Amendment Ordinance, the Commissioner could serve an enforcement notice on a data user when, after investigation, the Commissioner was of the opinion that the data user (i) was contravening a requirement under the PDPO or (ii) had contravened a requirement under the PDPO and was likely to continue or repeat the contravention. It is an offence not to comply with the directions of an enforcement notice. Now, the Commissioner is empowered to serve an enforcement notice irrespective of whether the contravention will continue or be repeated.
New offence for repeated contravention of a requirement under the PDPO on same facts (effective on 1 October 2012)
Before 1 October 2012, if a data user complied with an enforcement notice but then contravened a requirement of the PDPO again on the same facts, the Commissioner could only issue another enforcement notice to the data user. New section 50A(3) of the PDPO makes it an offence if a data user, having complied with an enforcement notice, intentionally does the same act or makes the same omission in contravention of the requirement under the PDPO as specified in the enforcement notice. The data user on conviction is subject to a fine of HK$50,000 and imprisonment for 2 years and, in the case of a continuing offence, a daily fine of HK$1,000.
Heavier penalties for repeated non-compliance with enforcement notice (effective on 1 October 2012)
The penalty for non-compliance with an enforcement notice on first conviction remains at the same level: a fine of HK$50,000 and imprisonment for 2 years and, in the case of a continuing offence, a daily penalty of HK$1,000. New section 50A(1)(b) of the PDPO introduced a heavier penalty for second or subsequent convictions for contravening an enforcement notice: a fine of HK$100,000 and imprisonment for 2 years and, in the case of a continuing offence, a daily fine of HK$2,000.