Out-Law News
27 Mar 2013, 11:17 am
Paul Haswell of Pinsent Masons, the law firm behind Out-Law.com, said that businesses should ensure that they comply with the new rules, which have been laid out in the Personal Data Privacy Amendment Ordinance, before they take effect on 1 April, despite the fact that there is confusion as to how precisely businesses should respond.
Haswell said that businesses should not adopt a 'wait and see' approach to the new regime. Those that do could face stiff penalties if they are found to be acting in breach of the new rules. He was commenting after Hong Kong's Privacy Commissioner issued new guidelines for individuals on their right to opt out of direct marketing (9-page / 225KB PDF).
"Despite the guidelines, it is still not clear how effectively the amendments to the Ordinance will be enforced or how likely it is that the maximum penalties may be imposed in the event that the new rules are breached," Haswell said. "As a result, it may be tempting to adopt a 'wait and see' attitude to enforcement of the Ordinance. However, such an approach may well be a mistake."
"Whilst the increased financial penalties for not complying with the Ordinance may not be high enough to discourage some, the negative publicity that would come with being one of the first organisations to fall foul of the new rules should be," the expert said. "The furore surrounding the sale of personal data by Octopus Holdings Limited in 2010, which effectively was the impetus behind the Personal Data Privacy Amendment Ordinance, showed that Hong Kong does not take kindly to misuse of its personal data. One cannot help but think that the Privacy Commissioner will be keen to show that the new rules are not there to be flouted."
In the Octopus Holdings case Hong Kong's Privacy Commissioner found the firm guilty of selling information about approximately 2 million users of its reward cards to business partners without consent. The company escaped punishment, but the case prompted the new rules on direct marketing to be introduced.
Under the new regime organisations wishing to conduct direct marketing must obtain the consent of individuals before they can use their personal data as part of those activities. In addition, organisations cannot transfer individuals' personal data to others engaging in direct marketing without having individuals' consent to do so. Individuals must also be provided with a right to freely opt out of allowing companies to use their personal data in their direct marketing activities.
In the run-up to the new rules coming into force, this has led to many organisations contacting customers to ask whether they wish to opt out of direct marketing communications, with organisations taking very different approaches as to how consent is obtained. Some businesses allow users to simply "unsubscribe" from marketing communications by clicking an internet link, but others are being criticised for requiring opt-outs to be made in writing to an organisation's data officer. It is not yet clear whether all these methods are compliant.
Businesses face a fine of up to one million Hong Kong dollars (approximately £85,000) if they sell individuals' personal data to third parties without having appropriate consent to do so. Individuals within those firms may also be subject to prison sentences of up to five years if it can be shown that they are responsible for the unlawful sale of personal data under the new framework.
The new regime gives individuals the flexibility to select the categories of their personal data that they wish to permit businesses to use in direct marketing or the kind of direct marketing they wish to receive, or to place restrictions on the "classes of transferees" to which businesses would be allowed to pass their personal data. However, businesses do not have to inform individuals that they can confer their consent so selectively.
In its guidance the Privacy Commissioner made clear that businesses cannot rely on individuals' "non-response" to a request to use personal data in a direct marketing context. Only consent that is expressly given is valid.
"In determining whether or not a 'consent' has been validly given, it will be relevant to consider the circumstances under which the data was collected and the consent obtained," the watchdog said.