
University of New South Wales Faculty of Law Research Series



McLeish, Robin; Greenleaf, Graham --- "Reform of Hong Kong’s privacy Ordinance after 15 years" [2011] UNSWLRS 49

Last Updated: 15 December 2011

Reform of Hong Kong’s privacy Ordinance after 15 years

Robin McLeish and Graham Greenleaf[*]

Citation

This paper was published in Privacy Laws & Business International Report, Issue 113: 1, 15-17, October 2011. This paper may also be referenced as [2011] UNSWLRS 49.

Abstract

Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) was enacted in 1995. It was the first comprehensive data privacy statute in Asia. Although the PDPO was ahead of its time when it was enacted, it has not been amended significantly since then. As a result, it has not kept pace with rising public expectations in relation to personal data privacy. In an attempt to meet those expectations, the Hong Kong Government published the Personal Data (Privacy) (Amendment) Bill in July 2011, following a two-year consultative process, to overhaul the PDPO. The Bill is intended to be introduced into the Legislative Council in its 2011/2012 session. This article is a critique of the Bill.

The Bill does not include the extensive strengthening advocated by the Privacy Commissioner, but does propose modest improvements. Companies will always have to give individuals notice that they intend to sell their personal data, or even use it for their own marketing, but will still be allowed to do so unless the individual exercises an ‘opt out’ right. Breaches can make businesses liable to a fine of up to HK$1 million (US$128,500), an amount that is potentially crippling for a small business. There are considerable anomalies in these provisions. It seems that a blanket ‘Don’t ever sell my personal data’ notice would be possible. This raises the prospect that an inventive ‘Do not sell/market’ list broker could offer a service to send mass written notifications to major Hong Kong organisations, relieving individual data subjects of the burden of multiple notifications, thus turning direct marketing completely on its head. The drafter may also have overlooked the fact that public bodies controlling public registers sell personal data by providing copies of the information in their registers for a fee and are generally obliged to do so by the legislation governing the registers. The Bill would, on its face, apply to prevent them from doing so unless they complied with its notification and objection provisions.

The Bill will improve the current weak enforcement provisions. The Commissioner will now be able to order organisations to remedy contraventions of the Ordinance. Compensation proceedings will now be moved to the District Court, where the usual costs order is ‘no order as to costs’, which may reduce or remove the deterrent effect of the risk of expensive court costs. The Commissioner will also be empowered to assist litigants. For the first time, the Commissioner will also be empowered to assist parties to reach a settlement or compromise. It is possible that the Bill may be strengthened by the legislature (LegCo), because of the extent of public disquiet over the data breach scandals involving police and hospitals, and data sales scandals involving data from the Octopus transit card, banks and telcos.

Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) was enacted in 1995. It was the first comprehensive data privacy statute in Asia. Although the PDPO was ahead of its time when it was enacted, it has not been amended significantly since then. As a result, it has not kept pace with rising public expectations in relation to personal data privacy. In an attempt to meet those expectations, the Hong Kong Government published the Personal Data (Privacy) (Amendment) Bill (Bill) in July 2011, following a two-year consultative process, to overhaul the PDPO. The Bill is slated for introduction into the Legislative Council in its 2011/2012 session, which has just commenced.

Radical new restrictions on sale of personal data and its use for marketing

The Bill proposes a sweeping new Part VIA for the PDPO governing the ‘Sale and use of personal data’. Under the provisions of the proposed Part VIA, before personal data could be sold, the data subjects would have to be given written notice of the kinds of personal data to be sold, the classes of persons to whom it is to be sold, and if the recipients are to use it for direct marketing: ‘the class of marketing subjects in relation to which the data is to be used’. These requirements would apply irrespective of the source of the personal data (whether collected from the data subject or not) or the notice given to the data subject of purposes for which the data is to be used. The data subject would also have to be provided with an ‘easily understandable’ facility to opt out in writing from part or all of the types of sale, but could opt out without using that facility. The new provisions provide that the data subject must be given 30 days to object to the sale, measured from whichever is the later of when the data is collected or when the notice is given.

The sale of personal data without compliance with these new requirements would render the seller liable to a fine of up to HK$1 million (US$128,500), an amount that is potentially crippling for a small business. As a defence, the data user would have to prove it ‘took all reasonable precautions and exercised all due diligence to avoid the commission of the offence’.

The universal opt-out for data subjects from the sale of their personal data provided for in the Bill would override the current requirement of the PDPO’s data protection principle 3 (DPP3) for ‘express consent’ (i.e. opt-in) for the use of personal data for a purpose that was not the purpose for which the data was collected or a purpose directly related thereto. However, the new opt-out provisions would apply even where the personal data had been collected for the purpose for which it is proposed to sell the data, which a data user is presently permitted to do without any reference to the data subject. While there is some loss and some gain to the rights of data subjects in this proposed change, if a data user fails to comply with the new provisions it would be open to claims for damages as well as a substantial fine.

The proposed Part VIA would also allow data subjects to object in writing, either in advance or retrospectively, to the sale of their personal data for direct marketing, and require the data user to notify anyone to whom the personal data is sold in future of this objection. Non-compliance with such an objection by either seller or buyer would have the same penalty and defence as for non-compliance with the new provisions to control the sale of personal data.

It seems that a blanket ‘Don’t ever sell my personal data’ notice would be possible. This raises the prospect that an inventive ‘Do not sell/market’ list broker could offer a service to send mass written notifications to major Hong Kong organisations, relieving individual data subjects of the burden of multiple notifications, thus turning direct marketing completely on its head.

It seems the drafter of the Bill may have overlooked the fact that public bodies controlling public registers sell personal data by providing copies of the information in their registers for a fee and are generally obliged to do so by the legislation governing the registers. The proposed Part VIA would, on its face, apply to prevent them from doing so unless they complied with its notification and objection provisions. However, provision is made for the Chief Executive to have a power to exempt categories of data user/types of personal data from the sale restrictions. It may be that it is the government’s intention to exempt controllers of public registers from the restrictions of the proposed Part VIA using this power.

The value of many businesses lies in their databases of personal data. The sale of such a business could be argued to be primarily a sale of personal data. If so, this could not be done under the proposed Part VIA without giving the data subjects the option of objecting. In fact, it seems due diligence for such a sale could not be performed at all, because the proposed new exemption in the Bill to allow the transfer of personal data for the purpose of carrying out due diligence for the proposed sale of a business expressly excludes transfers of personal data to carry out due diligence for the sale of a business that is primarily a sale of personal data. Previously, the transfer of personal data in order to carry out due diligence, whatever the nature of the business to be sold, was thought to be covered by the provisions of DPP3 that permit the use of personal data for a purpose that is directly related to the purpose for which it is collected. If the new provisions are passed, that reasoning would no longer hold up.

Under the proposed Part VIA, where a data user intends to provide personal data to others for use for direct marketing otherwise than by sale, similar provisions on notification and objection to those for sale would apply.

Replacing the existing direct marketing opt-out provisions of the PDPO, the proposed Part VIA provides that before data users can use personal data for their own direct marketing, they must give the data subjects notice of the kinds of personal data to be used and the proposed ‘classes of marketing subjects’, and must provide an opt-out facility similar to that described above in relation to the sale of personal data. The penalty for contravention of these requirements would be a fine of up to HK$500,000 (US$64,250) and the same defence of taking ‘all reasonable precautions and [exercising] all due diligence to avoid the commission of the offence’ is provided for. If the data user obtained the data from another seller or provider and that seller or provider had already given the data subject the required notice and objection option, the data user would not have to do so again. Data subjects would be able to give a subsequent ‘don’t market to me’ notice in any written form: more potential work for the ‘Do not sell/market’ intermediary suggested above.

Further, under the proposed Part VIA notice of a right to opt-out would have to be given when the data is first used for direct marketing (a reincarnation of the existing direct marketing opt-out provisions of the PDPO). At first sight, it may not be obvious why this is necessary given the new provisions providing for similar rights, but the answer is that the notice given pursuant to those provisions may have been given months before the data is used for direct marketing, so the Bill gives the data subject a second notice at the time when it is most pertinent.

The proposed Part VIA would also make it an offence for a person to disclose personal data obtained by that person from any data user without consent if this is done with intent to obtain gain in money or other property for themselves or another, or to cause loss in money or property to the data subject, or if the disclosure causes psychological harm to the data subject. Commission of the offence would render the person concerned liable to a fine of up to HK$1 million (US$128,500) and imprisonment for up to 5 years.

Limited additional enforcement powers

In changes to the current provisions on enforcement notices issued by the Privacy Commissioner (PC), the Bill provides for the PC to be able to direct a data user to remedy a contravention of the PDPO without the current need to be of the opinion that the contravention will continue or be repeated. Contravention of an enforcement notice would continue to be an offence. In addition, provision is made for a new offence of repeating the same contravention without need for a further enforcement notice.

During the consultation process, the Privacy Commissioner argued to be given powers to award compensation to aggrieved data subjects and impose fines for serious breaches of the data protection principles in the PDPO, but the Bill does not provide for such powers. It remains to be seen whether any member of the Legislative Council will propose amendments to the Bill to do so or make other changes during the passage of the legislation.

Compensation – District Court jurisdiction and assistance to claimants

The Bill provides for the District Court to have exclusive jurisdiction over claims for damages for contraventions of the PDPO with the same remedies as are available from the Court of First Instance. This would bring the PDPO into line with Hong Kong’s equal opportunities legislation. The usual costs order in such proceedings is to be ‘no order as to costs’, as is the case in the equal opportunities legislation (although some inroads have been made into this ‘default’ position in the jurisprudence on costs orders awarded in the equal opportunities cases). It is widely thought that one reason why there have been so few civil claims under the PDPO (and no successful ones to date) is that claimants have been deterred from bringing proceedings by the risk of costs being awarded against them. If so, the new provisions should result in more cases being brought.

Provision is also made in the Bill for the PC to prescribe forms to assist complainants to ask questions of respondents. If the respondent replies, the reply would be admissible in evidence, but if the respondent intentionally does not reply, or the reply is evasive or ‘equivocal’, then the Court could draw adverse inferences if it is just and equitable to do so.

In addition, provision is made in the Bill for the PC to assist complainants by giving advice, arranging for a solicitor’s or counsel’s advice, or arranging for representation ‘by any person’, including for ‘giving effect to a compromise’, and ‘any other form of assistance which the Commissioner may consider appropriate’. There seems therefore to be ample scope for the PC to assist in the negotiation of settlements or compromises of compensation claims under the Bill. The PC’s costs would be met from any damages awarded as a first charge as in the case of the legal aid authority in Hong Kong in respect of legally aided cases and the Equal Opportunities Commission in respect of equal opportunities actions it funds.

Other reforms

The draft Bill contains many other proposals worth noting, including the following.

Conclusion

Many other changes to the PDPO that were argued for by the PC and other critics of the limits to his powers and the difficulties faced by claimants in obtaining remedies under the PDPO have not been included in the Bill.

Nevertheless, if the Bill is passed in its current form, the rights of data subjects to control the sale of their personal data and its use for direct marketing will clearly be substantially strengthened and the obstacles to mounting claims for compensation under the PDPO should be reduced. Data users, on the other hand, will face higher risks for misuse of personal data. At the same time, however, they will have greater clarity as to the circumstances in which they can sell personal data and transfer it for use for marketing purposes.


[*] Robin McLeish is of Counsel, Hong Kong SAR; Graham Greenleaf is Professor of Law & Information Systems, University of New South Wales


URL: http://www.austlii.edu.au/au/journals/UNSWLRS/2011/49.html