The Personal Data (Privacy) Amendment Bill (the "Bill") was introduced into the Legislative Council on 13 July 2011. The Bill is the culmination of a consultation process which commenced in 2009 relating to the reform of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Bill aims to bring the Ordinance in line with technological and other advancements that have occurred since the Ordinance was enacted 15 years ago, and is in part a response to the mounting public concern in relation to a number of high profile instances of misuse of personal data in Hong Kong, including the sale of personal data by Octopus Rewards Limited.
The most significant amendments relate to direct marketing and the sale of personal information, data processing and the powers of the Privacy Commissioner for Personal Data (the "Privacy Commissioner"). The Bill also introduces increased penalties for breaches of the Ordinance. These key amendments are discussed below.
Provision and Use of Personal Data in Direct Marketing
A number of new requirements relating to the use of personal data for direct marketing have been introduced. They apply irrespective of whether the personal data was collected by the data user or by a third party. Before companies can provide or use personal data for direct marketing, they will be required to inform their customers of the types of data that may be used or provided, to whom the data may be provided, and the categories of goods/services that may be marketed to them. Companies shall also have to provide data subjects with the opportunity to opt out of their personal data being used for direct marketing purposes. If data subjects do not opt out within 30 days of receipt of such notification, they shall be deemed to have consented to their data being used for direct marketing.
Even though such consent is deemed given, data subjects may opt out at any time (even after the 30-day response period has lapsed). The data user shall then be required to cease using the personal data for direct marketing and also to notify any transferees of such data to do the same.
Failure to comply with these provisions constitutes an offence, attracting a HK$500,000 fine and 3 years' imprisonment.
Companies that intend to use or provide personal information for direct marketing, or intend to sell personal data, will need to review their personal information collection statements to ensure that they comply with the new requirements. The proposed amendments relating to direct marketing will not apply retrospectively, i.e. they will not apply to the continued use of personal data that was collected prior to the amendments coming into force and that was used for direct marketing purposes in a way that did not contravene the then current provisions of the Ordinance.
Sale of Personal Data
The Bill introduces new obligations on companies in relation to the sale of personal data, which are a clear response to the furore caused by the revelation of the large scale sale of personal data by Octopus Rewards Limited.
The new requirements regarding the sale of data mirror the ones for direct marketing. Where companies intend to sell personal data (whether the personal data was collected by them or by a third party), they must, before the sale, inform the data subject of the types of data that may be sold, to whom the data may be sold, and if the data is to be sold for direct marketing purposes, the categories of goods/services that may be marketed to data subjects.
Companies shall be required to provide a facility through which data subjects may opt out of their personal data being sold. As is the case with direct marketing, if data subjects do not opt out of their data being sold within 30 days of the data user's notification, they shall be deemed to consent to their data being sold. Data subjects may opt out of their data being sold at any time (even once the 30-day response period has lapsed). Companies shall then be required to cease selling the personal data and to notify any purchaser of such data to cease use of the data.
Failure to comply with these provisions constitutes an offence, attracting a HK$1,000,000 fine and 5 years' imprisonment.
Disclosure of personal data with a view to gain, or intent to cause loss
The Bill introduces a new offence where a person (e.g. an employee of a data user) discloses personal data of a data subject that was obtained from a data user without the data user's consent: (i) with an intent for gain, or to cause loss to the data subject; or (ii) where the disclosure results in psychological harm to the data subject. These offences shall attract fines of HK$1,000,000 and 5 years' imprisonment.
An example of where these provisions may apply is where an employee takes personal data handled in the course of his/her business and sells it to a direct marketing company. The new provisions make the employee (rather than the employer) liable for the unauthorised disclosure of the personal data.
Regulation of data processors
Despite much public debate on this topic, the Bill does not introduce direct regulation of data processors (i.e. companies which process personal data on the instructions of others), but rather requires data users to use contractual and other means to ensure that personal data is protected from unauthorised or accidental access, processing, erasure or loss, and is not retained for longer than necessary for the purpose of processing the data.
The practical effect of this is that companies should enter into data transfer agreements with all parties engaged to process personal data on their behalf. Under the Ordinance, data users remain liable for the acts of their agents (which includes companies engaged to process data on their behalf). Therefore, it is important that data users have agreements in place requiring data processors to comply with the provisions of the Ordinance and indemnifying the data user in the event that a data processor breaches such provisions. This would provide data users with a contractual remedy against their data processors in the event that the data processors misuse any personal data. Companies should also take care when selecting data processors, and only engage companies that have suitable policies and procedures in place for the protection of personal data.
Provision of legal assistance to data subjects
The Bill empowers the Privacy Commissioner to provide legal assistance to aggrieved data subjects who intend to institute legal proceedings against a data user to seek compensation under the Ordinance, including providing advice to the aggrieved data subject or arranging for legal representation.
The current provisions of the Ordinance empower the Privacy Commissioner to issue an enforcement notice for breaches of the Ordinance only in circumstances where the breach is continuing or where it is likely that the breach will continue or will be repeated. The Bill removes this requirement and empowers the Privacy Commissioner to issue an enforcement notice where an investigation reveals that the data user has breached the Ordinance, irrespective of whether the breach is likely to continue or be repeated.
Timeframe for implementation
There is no precise timeframe for the implementation of the Bill at this stage (as the Bill still has to be debated further by the Legislative Council after the summer recess, before passing to the committee stage and undergoing a final reading). However, it is expected that the amendments will be implemented some time in 2012.
Although the amendments highlighted above are not imminent, companies may wish to take the opportunity to review their practices relating to data collection and use prior to the amendments coming into force, particularly if they engage in direct marketing, sell personal data, or outsource the processing of personal data to third parties.
HONG KONG SET TO IMPLEMENT A DATA USER RETURN SCHEME BY 2013
The Privacy Commissioner has looked at further changes to the privacy regime in Hong Kong and recently issued a consultation document setting out the mechanism for a Data User Return Scheme (the "Scheme"). The Scheme would require certain categories of data users to file annual data user returns with the Privacy Commissioner ("Data Returns"). Provisions allowing the Privacy Commissioner to request returns from specific data users are already present in Part IV of the Ordinance. However, until now the Privacy Commissioner has not exercised the right to request data user returns from data users. The consultation document seeks public views on the implementation and operational framework for the Scheme in Hong Kong. It is expected that the implementation framework for the Scheme will be finalised by the end of 2011 with a view to the first phase of the Scheme being rolled out in the second half of 2013.
Overview of the Scheme
The Scheme aims to provide better protection of personal data among corporate data users. Once the Scheme is implemented, certain categories of data users will be required to submit annual Data Returns detailing the personal data they control, the purposes of collection or processing of such data, as well as any additional information they wish to disclose. It is hoped that the Scheme will lead to greater accountability and transparency of data protection practices of corporations as well as an enhancement of their data privacy protection standards. Once the Scheme is implemented, it shall be an offence not to submit a Data Return or to submit a late Data Return, or to intentionally provide false or misleading information in a Data Return.
The Privacy Commissioner will keep a register of data users (the "Register") which would contain all the information submitted by data users in their annual Data Returns. The Register will be available to the public for inspection, thus giving the public an opportunity to understand data users' privacy practices and compare them with the practices of other data users. It will also provide data subjects with a single point of access to information about how data users handle their personal data.
To whom will the Scheme apply?
It is proposed that the Scheme will be initially rolled out in three phases. The first phase shall apply to the public sector. The second phase shall apply to three large regulated industries (the banking, telecommunications and insurance industries). The third and final phase shall apply to organisations with a large database of members (such as companies which operate customer loyalty schemes). These initial sectors have been selected by the Privacy Commissioner because of the large amount of personal data under their control, the sensitivity of the personal data they control, the frequent and diverse use of the personal data they hold, the relatively high number of complaints in these sectors, and because it is the common practice in these sectors to transfer personal data to third parties for marketing or other purposes.