20 January 2015
For the first time since the Personal Data (Privacy) Ordinance ("PDPO") came into force in 1996, an individual has received a jail sentence for breach of the PDPO.
The PDPO protects the personal data of living individuals. Any person who controls the collection, processing, storage or use of personal data in Hong Kong is subject to the requirements of the PDPO.
Breach of the PDPO or non-compliance with enforcement notices issued by the Privacy Commissioner may amount to a criminal offence and result in a fine and/or imprisonment. For example, a person who uses personal data for direct marketing purposes without the relevant data subject's consent will commit an offence and be subject to a maximum fine of HK$500,000 and up to 3 years' imprisonment. Failure to comply with an enforcement notice issued by the Privacy Commissioner, which requires certain remedial or preventative steps to be taken, will also constitute an offence, and attracts a maximum fine of HK$50,000 and 2 years' imprisonment on first conviction (with a daily penalty of HK$1,000 if the offence continues).
In October 2012, an individual lodged a complaint with the Office of the Privacy Commissioner ("PC"), claiming that an insurance agent had obtained her personal data through unfair means.
The insurance agent had originally contacted the complainant whilst he was employed at insurance company A. The insurance agent subsequently moved to insurance company B. He then contacted the complainant and persuaded her to sign up for a new insurance policy, without disclosing the fact that he had resigned from insurance company A and the policy would be issued by insurance company B. The complainant claimed that the insurance agent had misled her, and in so doing had obtained her personal data by unfair means.
The PC made enquiries with the insurance agent. In response to those enquiries, the insurance agent falsely told the PC that he had been assigned to work with the complainant whilst he was employed by insurance company A. However, this was denied by insurance company A. The insurance agent had therefore committed an offence under Section 50B(1)(b)(i) of the PDPO.
Under Section 50B(1)(b)(i) of the PDPO, it is a criminal offence for a person to make a statement to the PC which he knows is false, or to knowingly mislead the PC. Such an offence incurs a maximum fine of HK$10,000 and 6 months' imprisonment.
On 4 December 2014, the insurance agent was sentenced to 4 weeks' imprisonment.
Section 64 of the PDPO
It is worth noting that the insurance agent's actions could have potentially fallen foul of Section 64 of the PDPO. The new Section 64 was introduced by the 2012 amendments to the PDPO, and makes it an offence for a person to disclose any personal data obtained from a data user without that data user's consent, if:
a. that person intended to make a gain (either monetary or otherwise), for their own benefit or the benefit of another;
b. that person intended to cause loss to the data subject; or
c. the disclosure caused psychological harm to the data subject.
An example given in the Information Leaflet [1] issued by the PC of when a person may be in breach of Section 64 was the sale by an employee of customers' personal data in return for money, without the consent of his employer. In such circumstances, it would be the employee, rather than the employer, who would be guilty of an offence under Section 64, and liable to a maximum fine of HK$1,000,000 and 5 years' imprisonment.
As no written judgment is available in respect of the insurance agent's conviction, it is not clear whether or not his actions could have amounted to an offence under Section 64 of the PDPO. So far, no person has been charged under Section 64 of the PDPO.
This is the first time a prison sentence has been issued for a breach of the PDPO, and is likely to be only the start of such actions and convictions. We anticipate that the Hong Kong courts will start to take a more hard-line approach to offenders under the PDPO, not only in respect of Section 50B(1)(b)(i), but also other provisions e.g., Section 35E (which makes it an offence to use an individual's personal data for direct marketing without their consent), Section 50A (which makes it an offence to breach an enforcement notice issued by the PC) and possibly Section 64 discussed above.
The amendments made to the PDPO in 2012, the latest suite of guidance notes issued by the PC, the fact that the PC is recommending an increasing number of cases for prosecution and that the courts are willing to impose custodial sentences serve to emphasize the increased attention that the protection of personal data is receiving in Hong Kong.
In addition to providing full cooperation and responding honestly to any enquiries made by the PC, it is vital that all data users carry out periodic audits and put in place mechanisms and procedures that ensure that their policies and practices are in full compliance with the provisions of the PDPO at all times.
[1] "Information Leaflet: Offence for disclosing personal data obtained without consent from the data user", issued by the Privacy Commissioner in September 2012.