The Personal Data (Privacy) (Amendment) Bill 2011 (the "Amendment Bill"), which was published in July 2011, is generally expected to be passed by the Legislative Council before its term ends in July this year.
In response to the direct and cross-marketing activities that have led to high-profile investigations by the Office of the Privacy Commissioner for Personal Data (the "PCO") and subsequently provoked a public outcry, the Amendment Bill was introduced with the primary aim of regulating the use and sale of personal data in marketing.
The key impact of the Amendment Bill would be to lay down a set of procedures to be followed by data users in connection with the use and sale of personal data in direct marketing and cross-marketing activities. The Amendment Bill makes non-compliance with the prescribed procedures a criminal offence, which can result in hefty fines and jail terms.
The Current Position
Data users will also be required to provide the data subject with a response facility through which the data subject may, without charge from the data user, indicate in writing whether he/she objects to the intended use. It is worth noting that data users will remain generally free to use personal data for direct marketing purposes if they do not receive a reply from the data subjects within 30 days.
That said, data subjects must also be informed of their right to opt out on first use of their personal data for direct marketing purposes, and they may opt out at any time thereafter.
Any contravention of the new direct marketing provisions will be an offence punishable by fines of up to HK$500,000 and imprisonment for up to three years.
The sale of personal data will now be specifically dealt with under the new law. This is targeted at arrangements of the kind that was criticised by the PCO in the Octopus Rewards case.
Data users who intend to sell personal data will be subject to disclosure requirements similar to the ones outlined above in respect of direct marketing activities. Data subjects will also have a similar right to opt out.
Failure to comply with the new provisions will subject the data users to a fine of up to HK$1 million and imprisonment for up to 5 years.
The Amendment Bill will create a new offence prohibiting data users from disclosing personal data, in the absence of the data subject's consent, with the intention to gain or to cause loss or psychological harm to the data subject. The maximum penalty that an offender will be subject to is a fine of HK$1 million and imprisonment for 5 years.
The Amendment Bill has a provision on grandfathering which provides, subject to certain conditions, that the new disclosure requirements outlined in (a) above will not apply to the continued use by data users of personal data that has been used in direct marketing prior to the commencement of the Amendment Bill.
Data users should, however, embrace this relief with caution.
To ensure compliance with the new law, it would be advisable for Hong Kong businesses to: