Two recent enforcement actions have brought into focus the issue of whether persons engaged by a company to carry out a direct marketing activity in Hong Kong on their behalf – whether agents or outsourced service providers – can have direct liability for mishandling personal data.

The general position under the Personal Data (Privacy) Ordinance (“PDPO”) is that the data user – i.e. the person(s) who control the collection, holding, processing or use of the data – is liable for compliance with the PDPO, including the activities of its data processors (i.e. the person who processes personal data on behalf of the data user and not for its own purposes). Therefore, unlike data privacy laws in other jurisdictions (for example, Singapore’s Personal Data Protection Act and the forthcoming EU General Data Protection Regulation) the PDPO does not impose direct obligations or sanctions on data processors.

However, in an enforcement decision announced on 16 May 2016 a marketing company engaged by a hotel (the “Marketing Company“) was fined for breaching the direct marketing provisions in the PDPO when conducting marketing on behalf of the hotel.

The complainant in the case made a reservation with a restaurant of a hotel in Hong Kong and, in the process of doing so, provided his surname and mobile number, following which he received calls which promoted membership of the hotel. On receiving a call from the Marketing Company, which was engaged by the hotel to provide marketing services, the complainant immediately informed the caller that he was not interested in membership and that he did not wish to be contacted again. However, he subsequently received a further call from the Marketing Company, which prompted the complaint to the Privacy Commissioner.

In this instance, it was the Marketing Company (i.e. the outsourced service provider engaged by the hotel to provide marketing services), that was prosecuted for the offences under the PDPO and not the hotel itself. Mr Stephen Kai-ya Wong, the Privacy Commissioner, when commenting on the case, stated that “in order to comply with the marketing target’s data subject’s opt-out request effectively, marketing companies (data users) have to maintain a list of all customers who have indicated that they do not wish to receive further marketing approaches…“. He further noted that marketing companies should have standing procedures in place and provide appropriate training in relation to compliance with opt-out requests from data users.

Interestingly in his comments on the case the Privacy Commissioner clearly identified the Marketing Company as a data user, though the Marketing Company itself was not seemingly responsible for the original collection of data, and was presumably acting under the direction of the hotel. The case was heard in the Magistrates’ Court, and so the decision is unfortunately not publicly available. Nonetheless, it may be surmised that the actions of the Marketing Company in this instance were considered to have constituted a sufficient degree of ‘control’ over the data, perhaps in its ability to decide on the nature of the marketing campaigns the Marketing Company was contracted to undertake, to be deemed a joint data user with the hotel and thus directly liable under the PDPO.

Similarly, in April 2016, it was announced that an insurance agent received a community sentence order for breach of the direct marketing rules, despite acting as an agent for an insurer whose products he was presumably promoting. Again in that case reference was made to “data user” compliance with the PDPO.

At the time of writing no enforcement action against either the hotel or insurer in question has been announced.

These cases would, therefore, appear to place direct liability on those outsourced service providers and agents – usually labelled as data processors – for direct marketing offences under the PDPO when undertaking direct marketing on behalf of their customers and principals. It is not clear whether this could extend to outsourced service providers in other contexts, but a parallel could certainly be drawn with other data processors where there is a level of ‘control’ or discretion over their use and handling of the relevant data. This is an area where we hope there will be further clarification in due course. In the meantime, service providers must note the potential consequences for breaches of the PDPO when dealing with personal data, whether or not they were initially involved in or responsible for the collection of the personal data in question.