Data protection law in Hong Kong gets more teeth

The Personal Data (Privacy) (Amendment) Ordinance ("Amendment Ordinance") was passed on 27 June 2012 and most changes came into effect on 1 October 2012. However, certain changes, including the introduction of a new direct marketing regime, will commence operation at a later date.  Michelle Chan, Tim Mak and Clarice Yue provide an overview of key changes below.

The Personal Data (Privacy) Ordinance ("PDPO") in Hong Kong came into operation in December 1996 and there have not been any major amendments since then.  The Privacy Commissioner for Personal Data ("Commissioner") has been issuing guidance notes from time to time to set out policy guidelines for data users to follow.

Most of the changes to the PDPO under the Amendment Ordinance came into force on 1 October 2012, although some provisions, including the new regime on "direct marketing" and "legal assistance to aggrieved data subjects" (discussed below), will commence operation at a later date.  A representative of the Commissioner's office has expressed the Commissioner's wish for all amendments to be put in place in the first half of 2013.

Key changes under the Amendment Ordinance are set out below:

Direct marketing - data users must not (i) use a data subject's personal data in direct marketing; or (ii) provide a data subject's personal data to a third party (i.e. transfer/ sale of data) for use in direct marketing, unless consent from the data subject has been obtained. In the case of data transfer/ sale, the consent must be communicated in writing.

Before using personal data in direct marketing, a data user shall take the following actions irrespective of whether or not the personal data is collected from the data subject by the data user himself:

• in an easily understandable and easily readable (if in written form) manner, inform the data subject of the data user's intention to use the data or provide the data to third party and that the data subject's consent is necessary for such use;
• provide the data subject with details of the intended use, including the kinds of personal data to be used, the classes of goods or services that will be marketed; and in the case of providing data to a third party, whether the data is to be provided for gain and the kinds of personal data to be provided; and
• provide the data subject with a channel to give his consent without charge.

The use of personal data must be consistent with the data subject's consent, which may be given generally or selectively. "Consent" is defined to include an indication of no objection.  Where oral consent is given to a data user for self-use of data, the data user shall, with 14 days, send a written confirmation to the data subject detailing the consent.

A data recipient may be exempt from obtaining the data subject's consent again if he has received a written notice from the data provider stating that he has complied with the requirements relating to the transfer of personal data to third parties and specifying details of the data subject's consent.

Additionally, as with the existing regime under the PDPO, a data user must:

• inform the data subject of his right to object when using the data subject's personal data in direct marketing for the first time; and
• cease to use the personal data in direct marketing if so required by the data subject.

A data subject may, at any time, require a data user either to cease to use his personal data in direct marketing or stop providing his personal data to third parties for direct marketing, and to inform any third parties to stop using the data.

If a breach involves a sale of personal data by a data user to a third party for gain, the maximum penalty is a fine of HK$1,000,000 and 5 years' imprisonment.  Non-compliance with each of the other requirements discussed above, if not for gain, is also an offence punishable by a HK$500,000 fine and 3 years' imprisonment.  It is a defence for the data user charged to prove that he has taken all reasonable precautions and exercised all due diligence to avoid the commission of the offence.

Grandfathering arrangement

There is a grandfathering arrangement under which these new requirements on direct marketing will not apply to personal data that has been used in direct marketing (which may be updated from time to time) provided that, before the new provisions come into operation:

• a data subject had been explicitly informed by the data user of the use or intended use of personal data in direct marketing in an easily understandable and, if in written form, easily readable manner;
• the data user had already used such data;
• the data subject had not objected to such use of the data; and
• the data user was not in breach of any requirements of the PDPO as in force as at the time of the use.

Disclosure of personal data obtained without the data user's consent - It is a criminal offence punishable by a fine up to HK$1,000,000 and imprisonment of 5 years for disclosing personal data of a data subject obtained from a data user without the data user's consent, if such disclosure (i) is with the intent for obtaining financial gain or causing financial loss to the data subject, or (ii) causes psychological harm to the data subject. For example, an employee commits an offence if he sells customers' personal data obtained in the course of his employment without the employer's consent.

Indirect regulation on the use of data processors - Obligations have been imposed on a data user who uses a data processor, which may be within or outside Hong Kong, to process personal data on the data user's behalf.  The data user must adopt contractual or other means to prevent (i) any personal data transferred to the data processor from being kept longer than is necessary; and (ii) unauthorised or accidental access, processing, erasure, loss or use of data transferred to the data processor for processing.

Increased penalties in relation to enforcement notices - Under the existing regime under the PDPO, the Commissioner has the power to issue an enforcement notice to any data user who is contravening a requirement under the PDPO or who has contravened such requirement in circumstances that make it likely that the contravention will continue or be repeated. Pursuant to the Amendment Ordinance, the Commissioner is empowered to issue enforcement notices for contraventions of the PDPO, irrespective of whether it is likely that the contravention will continue or be repeated, and direct the data user to remedy contraventions and prevent any recurrence of contraventions.

Penalties for a second or subsequent breach of an enforcement notice have been increased to a fine of HK$100,000 and imprisonment of 2 years.  A daily penalty of HK$2,000 will be imposed if the offence continues after conviction.

Further, if a data user, after complying with an enforcement notice, intentionally repeats the same act of contravention, the Commissioner is not required to issue another enforcement notice again as the subsequent contravention already constitutes an offence. The maximum penalty is a fine of HK$50,000 and imprisonment for 2 years.  A daily penalty of HK$1,000 will be imposed if the offence continues after conviction.

Legal assistance to aggrieved data subjects - the Commissioner may provide any type of assistance as he thinks fit (e.g. legal advice or legal representation by a legal practitioner) to data subjects instituting proceedings seeking compensation from data users for contraventions of PDPO, if:

• the case raises a question of principle; or
• it is unreasonable, in light of the complexity of the case or the data subject's position in relation to the data user, to expect the applicant to deal with the case unaided.

Exemption in due diligence exercises - disclosure or transfer of personal data will be allowed for due diligence purposes in merger and acquisition transactions provided that the proposed transaction is not primarily for the purpose of exploiting this exemption, and if (i) the transfer or disclosure of personal data is not more than necessary; (ii) the party acquiring the shares or business (or the new entity formed post transaction) will provide similar goods or services; and (iii) it is not practicable to obtain the consent of the data subject for the transfer or disclosure.

What practical steps should you take?

Data users are encouraged to review their company privacy policies and practices to ensure that their privacy policies and practices address the new changes under the Amendment Ordinance, particularly in relation to any use of personal data for direct marketing and any transfer of personal data to third party data processors. In view of the increased penalties for breach of enforcement notices, data users should also have in place stringent internal compliance procedures for compliance with the PDPO in general and with any enforcement notices.