On 9 and 14 September 2015, Hong Kong Broadband Network Limited and Links International Relocation Limited respectively were convicted for breaching the direct marketing provisions under the Personal Data (Privacy) Ordinance (“PDPO”). These are the first set of convictions issued under the direct marketing provisions in Hong Kong which came into effect on 1 April 2013.
The Direct Marketing Provisions
On 27 June 2012, the Personal Data (Privacy) (Amendment) Ordinance 2012 (“Amendment Ordinance 2012”) was passed. Some of the amendments came into force on 1 October 2012, whilst the direct marketing and legal assistance provisions came into force on 1 April 2013.
In brief, the effect of the restrictions on direct marketing is that data users cannot use an individual’s personal data in direct marketing, or transfer such personal data to a third party for their use in direct marketing, without that individual’s express prior consent¹. In order to obtain valid consent, the data user must notify the individual of the following pursuant to Section 35C of the PDPO:
- that it intends to use their personal data for direct marketing, and cannot do so without their consent;
- the type of personal data that will be used;
- the classes of goods, facilities or services that will be advertised; and
- a response channel through which the individual can communicate his/her consent (without charge).
If a data user also intends to transfer the personal data to a third party for their use in direct marketing, then, in addition to the above notice, the data user must notify the individuals of the classes of transferees to whom their personal data may be transferred, and whether the personal data will be transferred for gain².
Silence or a lack of response from an individual will not amount to valid consent for the purposes of direct marketing. In addition, when an individual’s personal data is used for the first time in direct marketing, i.e., when the first marketing email is sent, the data user must notify the individual that they can opt out of receiving such direct marketing communications at any time, and must provide them with a means to communicate such withdrawal of consent³.
A notice from a data subject requesting the cessation of use of their personal data for direct marketing purposes must be complied with promptly⁴, irrespective of the timing of such request (i.e., whether it comes after the first instance of direct marketing or later).
A breach of the direct marketing provisions is a criminal offence and, depending on the breach, may result in a maximum fine of HK$500,000 and up to 3 years’ imprisonment or a fine of HK$1,000,000 and up to 5 years’ imprisonment.
The Hong Kong Broadband Network Limited Case
In May 2013, a month after the direct marketing provisions came into effect, the Privacy Commissioner (“PC”) received a complaint from a customer of Hong Kong Broadband Network Limited (“HKBN”). Readers may remember that just before the direct marketing provisions came into force on 1 April 2013, there was a flurry of activity as many companies sent notices to customers relating to their privacy policies. We mention in passing that most of these notices were inadequate and/or counterproductive, with many data subjects being prompted by such notices to request that they be unsubscribed from marketing lists and/or to scrutinise the small print.
In this case, the complainant alleged that he had sent an opt-out request to HKBN in April 2013 by email and post. HKBN acknowledged receipt of the opt-out request in writing. However, in May 2013, the complainant received a voice message from HKBN, which notified him of the upcoming termination of his service contract, and also further promoted the services of HKBN.
After receiving the complaint in May 2013, the PC referred the matter for prosecution. HKBN was subsequently charged for failing to cease using the complainant’s personal data in direct marketing after receiving the complainant’s request, in breach of Section 35G(3) of the PDPO. The case was heard before the Tsuen Wan Magistrates Court. HKBN entered a plea of not guilty.
During the trial, HKBN testified that the purpose of the call was to notify the complainant that his service contract was coming to an end, and that it had provided scripts to its staff to prevent a breach of the PDPO.
Upon reviewing the evidence, the magistrate found that the true purpose of the call was to promote HKBN’s services and to try and convince the complainant to renew his contract – the “reminder” that the complainant’s contract was coming to an end was simply used as an opener to the direct marketing activities. The magistrate’s decision was partly based on the fact that HKBN had trained its employees to continue calling the complainant even though he was unavailable, and that the call had been made more than 6 months before the complainant’s service contract was set to expire. The magistrate also found that a mere written notice or text message from HKBN to the customer about the termination of the service would have sufficed, if the true intent was merely to remind the complainant of such expiration.
As a result, HKBN was found to have committed an offence under Section 35G of the PDPO, and was ordered to pay a fine of HK$30,000.
HKBN has stated that it intends to appeal the decision.
The Links International Relocation Limited Case
In November 2013, the PC received a complaint from a customer of a storage company (“Company A”), whose business was later taken over by Links International Relocation Limited (“Links”). The complainant had previously hired Company A to provide storage services to him, and he had provided his personal data to Company A for such purpose (e.g., name, residential address, company email address, mobile number and credit card details). Company A ceased operations and its business was taken over by Links. Links sent a direct marketing email to the complainant in August 2013. In the email, Links identified the complainant by name and provided the complainant with an unsolicited quotation for its storage services, as well as its standard terms and conditions. The complainant was not a customer of Links, had not been notified about the use of his personal data, and had not given consent for the use of his personal data for direct marketing.
After receiving the complaint, the PC referred the matter to the police for criminal investigation. On 7 September 2015, Links was charged at the Eastern Magistrates Court for breach of Section 35C of the PDPO, namely failure to take the specified steps, including obtaining the data subject’s consent, before using his data for direct marketing purposes.
Links pleaded guilty and on 14 September 2015 it was fined HK$10,000.
The actual fines imposed on HKBN and Links respectively are relatively small. The fine imposed on Links, for example, is no higher than the fines under the old and more limited direct marketing provisions before the 2013 amendments. However, unlike before, when convictions under the old direct marketing provisions went unreported, this time the reputational damage cannot be ignored, as the convictions have made headlines. Such headlines lead to erosion of customer trust, and prevention, as always, is better than cure.
We expect that more cases relating to the direct marketing provisions will come before the courts in the future, resulting in more fines and even prison sentences where perhaps more egregious circumstances warrant them.
We also expect to see the Hong Kong courts imposing fines and prison sentences for breaches of Section 50A (which makes it an offence to breach an enforcement notice issued by the PC) and possibly Section 64 (which makes it an offence for a person to disclose any personal data obtained from a data user without that data user’s consent in certain circumstances, e.g., a rogue employee selling personal data to a competitor).
The recent cases highlight the fact that even notifying a customer of the data user’s services, or of any deals or offers in relation to existing services, amounts to direct marketing and, unless such marketing has been sanctioned by the data subject, the notification will be carried out in breach of the PDPO. An enforcement action in such a scenario is not just a risk, but almost a certainty.
Data users are reminded to: (i) comply with notification obligations under the PDPO and obtain an individual’s prior consent before using their personal data for any form of direct marketing; (ii) maintain accurate and up-to-date opt-out lists; and (iii) offer training and monitoring of front-line staff who deal with customers, as scripts and template emails provided to them are no adequate substitute.