What you have to know about Hong Kong’s new data privacy regime

The Personal Data (Privacy) Amendment Ordinance (“Amendment Ordinance”) was passed in October 2012, with the provisions relating to the use of personal data for direct marketing becoming effective as of 1 April 2013. The long-awaited data privacy reforms encapsulated in the Amendment Ordinance reflect years of public consultations and legislative deliberations. Interestingly, some of the new restrictions in the Amendment Ordinance are more onerous and stringent than those of its Western counterparts (e.g. in the UK).

This article looks at the significant changes under the Amendment Ordinance which include the use of personal data for direct marketing, new offences, penalties and exemptions, what they mean for businesses (in particular the difficulties which some companies may now face in carrying out marketing activities and in relation to disclosure of personal data to third parties) and practical tips on compliance under the new data privacy regime.

Personal data protection in Hong Kong

Hong Kong was the first jurisdiction in East Asia to introduce legislation regulating the protection of personal data. The Personal Data (Privacy) Ordinance (Cap 486) (“Ordinance”) was enacted in 1995, the foundation of which is based on six underlying data protection principles (known as DPPs). In summary, the DPPs provide for the collection, use, transfer and security of personal data, policies in relation to protection of personal data (e.g. accuracy and duration of retention) and access to/correction of personal data.

Under the Ordinance, “personal data” means any data which relates to a living individual who can be identified from it (directly or indirectly) and which is held in a form which can be accessed or processed (e.g. emails, photos, video recordings). A “data user” means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data.

While Hong Kong has been a pioneer in personal data protection in some respects, recent years have seen a number of high profile data privacy breaches. Financial institutions have been caught up in crossmarketing activities involving sale and transfer of personal data without consent. We have seen unauthorised disclosure and circulation on the Internet of sexually explicit nude photographs of a local celebrity. Last but not least, there was the scandal in 2010 involving the sale of personal data by the operator of the ubiquitous Octopus cards without consent of almost 2 million card holders, which triggered a massive public outcry.

Since then, Hong Kong’s Privacy Commissioner, Allan Chiang, believes that businesses in Hong Kong have done better in terms of protecting personal data. However, there is room for improvement. In a recent report issued by the Privacy Commissioner, it was stated that while certain organisations generally met the legal requirements relating to collection and use of customers’ data for direct marketing, they tended to be less forthcoming in following the guidelines recommended by the Privacy Commissioner.

Amendments to the Personal Data (Privacy) Ordinance

After three years of deliberations, extensive consultations and heated debates during the consultation and legislative processes, the Amendment Ordinance came into force on 1 October 2012. The Amendment Ordinance signifies the Government’s commitment to enhancing the protection of individuals’ personal data following the high profile data privacy breaches in recent years. In particular, the Privacy Commissioner is keen to ensure that personal data is not used unscrupulously or to harass individuals by advertising products and services through direct marketing activities.

The Amendment Ordinance introduces various changes, the most significant of which include:

• tighter restrictions on the use of personal data in direct marketing (i.e. the advertising or offering of goods and services to, or the solicitation of donations from, specific persons); 
• new offences relating to disclosure of personal data obtained without consent and repeated contraventions of enforcement notices; 
• procuring compliance by third party data processors;
• increased enforcement powers of the Privacy Commissioner;
• new exemptions for the disclosure of personal data; and
• new powers of the Privacy Commissioner to offer legal assistance to aggrieved individuals.

Restrictions on Use of Personal Data in Direct Marketing – What is it all about?

Under the revamped direct marketing regime, from 1 April 2013, businesses are now required to inform individuals clearly and specifically about what information they collect, how that information will be used, who it will be transferred to and whether it is to be used for sale or gain. In addition, they must obtain consent (or an “indication of no objection” as it is defined in the Ordinance) before any personal data is used for direct marketing purposes. Individuals must also be provided with a channel, at no charge, through which they can communicate whether or not they consent to the use of their personal data for direct marketing.

These requirements apply to businesses across all sectors except those offering or advertising social or health care services in limited circumstances (unless they transfer personal data to a third party for gain).

Penalties

Failure to comply with these requirements attracts a penalty of up to HK$1m and 5 years’ imprisonment. A data user can seek to rely on the defence that it has taken all reasonable precautions and due diligence to avoid committing the offence. Obviously, it is in the data user’s interests to secure compliance in the first place.

Consent - Opt in or opt out approach?

The Amendment Ordinance does not specifically refer to an "opt in" or "opt out" approach in relation to obtaining an individual’s consent for use of his/her personal data for direct marketing. However, guidelines issued by the Privacy Commissioner appear to suggest that a data user who has not received explicit “indication of no objection” or consent to the use of personal data to receive marketing materials, cannot use that data for direct marketing activities. This means that the previous “opt out” approach will not satisfy this requirement, and in effect, businesses will now need to adopt an “opt in” approach to ensure that they receive unequivocal consent before they can send advertisements or any marketing materials to individuals.

Grandfathering arrangements

Understandably, there are valid concerns within the business community with respect to these new provisions. However, under a “grandfathering arrangement”, data users may not be required to comply with these new provisions if, prior to 1 April 2013, the following conditions have been satisfied:

• the data user has explicitly informed the individual of the use or intended use of personal data in direct marketing in an easily understandable and, if in written form, easily readable manner;
• the data user had already used such data;
• the individual has not objected to such use of the data; and
• the data user has not breached any requirements of the Ordinance in force as at the time of the use.

It is important to note that the grandfathering arrangement only applies where personal data has already been used in direct marketing by a business for its own direct marketing purposes and in relation to the same direct marketing activities before 1 April 2013. So, if a company transfers or sells personal data to a third party for their direct marketing purposes or for cross-marketing, or intends to use the personal data for different types of direct marketing activities, that company cannot rely on the grandfathering arrangement and must comply with the new provisions on notification and consent in relation to direct marketing. If a business is unable to meet the grandfathering arrangement conditions stated above, it should refrain from continuing to use personal data to carry out any direct marketing activities unless explicit consent has been obtained.

Privacy Commissioner’s views

The Privacy Commissioner recommends businesses to take a customer-centric and privacy-friendly approach when collecting personal data for direct marketing purposes. For example, provisions seeking consent for use of personal data for direct marketing in standard terms and conditions should be separated, and preferably include a “tick box” where an individual can indicate whether he/she agrees to such use of his/her data. 

New offences relating to unauthorised disclosure

Under the new regime, it is an offence to disclose personal data of an individual obtained from the data user without the latter’s consent, with an intent to either make financial or other gain or cause financial loss or other property loss to the individual. Another new offence introduced relates to unauthorised disclosure of personal data obtained from a data user without the data user’s consent and which causes psychological harm to the individual who is the subject of the data, irrespective of intent (e.g. a member of hospital staff obtains medical records of a patient, discloses them to someone else without the hospital’s consent, and the disclosure causes the patient psychological harm).

The penalties are a fine of up to HK$1m and 5 years’ imprisonment. Possible defences to such unauthorised disclosures include (i) reasonable belief that the disclosure was necessary to prevent or detect criminal activity, (ii) reasonable belief that the disclosure was made with the data user’s consent, or (iii) where the disclosure involves any journalistic activity, reasonable belief that the publication or broadcasting of the personal data was in the public interest.

These new offences are intended to capture situations where employees who are privy to sensitive or significant amount of personal data, either deliberately or inadvertently, breach data privacy obligations. Accordingly, it is important that employees in such capacities (e.g. employees in HR, finance, business support and/or other business sectors) are properly trained in data privacy compliance and equipped with a thorough understanding of the obligations and consequences of non-compliance.

New Powers of the Privacy Commissioner to Issue Enforcement Notices

The increased enforcement powers of the Privacy Commissioner are worth noting because previously, the Privacy Commissioner could not issue an enforcement notice unless the data privacy breach was likely to continue or be repeated. This meant that a data user could, shortly after compliance with an enforcement notice, resume the same contravention without fear of committing an offence. Under the Amendment Ordinance, the Privacy Commissioner may now issue an enforcement notice in respect of a contravention regardless of whether it is likely to continue or be repeated, and may also levy a heavier penalty for a second and subsequent conviction for contravening an enforcement notice.

Obligation on data users to procure compliance by third party data processors

The position under the Amendment Ordinance with respect to data processors remains unchanged in that it does not directly regulate data processors. It does introduce a new definition of “data processor” which refers to a person who processes personal data on behalf of another person and does not process such data for the data processor’s own purposes. A data processor may include a company (such as an affiliate or a third party processor) in Hong Kong or overseas.

The Amendment Ordinance provides under the revised DPP2 and DPP4, that a data user must ensure compliance by its data processors with DPPs 2(3) and 4(2) by contractual or other means. Essentially, this means that if a business engages a third party data processor, it should ensure that the data processor does not retain any personal data transferred to it for longer than is necessary for processing the data and that it will keep the data secure against unauthorised or accidental loss, access, erasure or processing. While non-compliance with the DPPs is not an offence, non-compliance with an enforcement notice is. Further, the consequences of non-compliance can be potentially significant under the new regime given the ease with which the Privacy Commissioner can now issue enforcement notices as well as levy harsher penalties for subsequent contraventions of enforcement notices.

New exemptions relating to disclosure of personal data

The Amendment Ordinance introduces a number of new exemptions to enable a data user to use personal data for a purpose that is neither the same as nor directly related to the purpose initially notified to the individual at the time of collection. Some examples of the exemptions include where the data:

• is required or authorized by applicable law or court order, or required in connection with any legal proceedings or for establishing, exercising or defending legal rights in Hong Kong;
• is required for purposes of conducting due diligence in connection with business, merger, acquisition or transfer or business; or
• is required to facilitate identification of an individual involved in a life-threatening or emergency situation.

Legal assistance to aggrieved individuals

On application to the Privacy Commissioner, the Privacy Commissioner may assist aggrieved individuals who require legal assistance, by providing advice or arranging for legal advice or any other form of assistance. Such assistance is available to individuals with meritorious cases who have a right to claim for compensation against a data user for any contravention of the Ordinance.

What next?

In view of the increased risk of sector-specific regulatory enforcement, local and cross-border investigations as well as fines and sanctions under the Ordinance, data privacy compliance for any business, and in particular regulated entities, has become of paramount importance. It is worth bearing in mind that being proactive and maintaining transparency in data privacy compliance is likely to generate customer loyalty and goodwill and be viewed favourably by regulators and courts alike. Accordingly, businesses that have not yet reviewed their existing practices and policies regarding handling of personal data should do so without delay, particularly, if any personal data is used for direct marketing activities.

Practical tips on data privacy compliance
Some practical tips on ensuring compliance with the new regulatory regime include:

• reviewing and revising, where necessary, existing notifications, data privacy policies and practices to incorporate the information required under the Ordinance;
• checking whether your business can avail of the grandfathering arrangement under the Amendment Ordinance in respect of any pre-existing personal data;
• developing procedures for promptly dealing with requests to cease the use or provision of data for direct marketing (e.g. online forms, setting up a central database, appointing officers);
• where personal data is obtained from sources other than the individuals themselves, securing written notices from the relevant data supplier that they have complied with the new notification and consent requirements;
• procuring data processors’ compliance with the Ordinance through contractual agreements and/or via regular audits; and
• training staff appropriately to meet the new requirements and to understand the consequences of noncompliance.