On 30 December 2015, an individual was convicted for breaching the direct marketing provisions under the Hong Kong Personal Data (Privacy) Ordinance (PDPO). This conviction closely follows three earlier convictions in September and November 2015, and marks the first conviction against an individual for the transfer of personal data to a third party for use in direct marketing, without obtaining valid consent.
Relevant PDPO Provisions
The new direct marketing provisions introduced by the Personal Data (Privacy (Amendment) Ordinance 2012 came into effect on 1 April 2013. Under the new Sections 35C and 35J of the PDPO, data users are prohibited from using an individual's personal data for direct marketing purposes, or from transferring an individual's personal data to a third party for their use in direct marketing, unless the individual has provided his/her express prior consent.
To obtain valid consent for the transfer of personal data to a third party, for the purposes of direct marketing, the data user must notify data subjects of the following:
- that it intends to transfer their personal data for direct marketing purposes, and cannot do so without their consent;
- the classes of transferees to whom their personal data will be transferred;
- the type of personal data that will be transferred;
- the classes of goods, facilities or services that will be marketed by the third party recipient;
- whether the personal data is being transferred in return for gain (e.g., in return for payment, etc); and
- a response channel through which the individual can communicate his/her consent in writing (without charge).
The consent for such transfer must be obtained in writing. Breach of the direct marketing provisions is a criminal offence and may result in a maximum fine of HK$500,000 or HK$1,000,000 and up to 3 or 5 years imprisonment (depending on the gravity of the breach).
In April 2014, the Hong Kong Office of the Privacy Commissioner of Personal Data (PCPD) received a complaint against a real estate agent and an insurance agent. The complainant alleged that the real estate agent had obtained the data subject's name and mobile phone number (the “Personal Data”) at a social function. The real estate agent subsequently provided the Personal Data to an insurance agent for her use in direct marketing. The real estate agent did not notify, or seek, the complainant's prior consent before transferring his Personal Data, nor did she check that the real estate agent had obtained such consent. The insurance agent called the complainant two months later, identified herself as a financial planner of an insurance company and informed the complainant that the first defendant had given her the Personal Data. The complainant refused to engage further with her when he realised the insurance agent intended to market to him financial planning and insurance products.
The case was referred for prosecution and brought before the Eastern Magistrates' Court. The real estate agent was found to have committed an offence under Section 35J of the PDPO as a result of him transferring the Personal Data to the insurance agent without the complainant's consent, and was ordered to pay a fine of HK$5,000. The insurance agent was charged with the offence of using personal data in direct marketing without taking specified actions under Section 35C of the PDPO, but was acquitted as the magistrate could not dismiss the possibility of her attempting to take such actions had the complainant not hung up on her, the first time she contacted him.
Courts Continuing with Hard Line Approach?
This latest case is just one of a series of convictions in the last half of 2015 for breach of the direct marketing provisions1 under PDPO. On 9 September 2015, a telecommunications company was convicted for failing to comply with an individual's request to cease receiving direct marketing materials, and was fined HK$30,000. This case was closely followed by another conviction against a relocation and storage company on 15 September 2015, for its failure to comply with the notification requirements and to obtain consent for the use of the complainant's personal data in direct marketing. The storage and relocation company was fined HK$10,000. On 3 November 2015, a company that provides body check services was also convicted for failing to comply with a client's request to no longer receive direct marketing materials, and was subject to a fine of HK$10,000.
The actual fines imposed by the Hong Kong courts so far are relatively small. While such fines may be commensurate with the breach, prison sentences and higher fines should not be ruled out for more egregious cases, such as where a large volume of personal data has been sold or transferred to a third party for direct marketing purposes, without obtaining the required consent.
Irrespective of the level of fine imposed, the damage to the reputation of a data user in the event of a conviction can be a much harsher punishment and one from which it may take a long time to recover.
The recent case highlights the fact that individuals and not only corporate entities may be held accountable for breaches of the PDPO. Collection of data in a social context does not imply consent to use the data for direct marketing and certainly cannot imply consent to the transfer of data to third parties for such purposes. In any event, implied consent is not valid consent for such direct marketing and a follow-up by email seeking consent in writing would have been the correct way to go.