The Personal Data (Privacy) (Amendment) Ordinance ("Amendment") was passed by Hong Kong's Legislative Council just before the end of the year's legislative session and it will come into effect on 1 October this year. The changes are as predicted by our previous alerts1; and it is now time to consider what they mean for your organisation and prepare accordingly.
The major change, as expected and reflecting public sentiment, is the introduction of extensive provisions for the use of personal data in direct marketing. Most importantly, criminal liability will attach to breaches of the provisions relating to direct marketing and unauthorised sale of disclosure of personal data. Other significant changes include the introduction of new offences and the provision of enhanced powers to the Privacy Commissioner in a number of circumstances, including the provision of assistance to aggrieved data users: a powerful mix that we anticipate will result in more investigations and prosecutions of privacy breaches.
Section 34 of the Personal Data (Privacy) Ordinance (Cap 486) ("PDPO") was until now the only section dealing with direct marketing. As a result of some high profile privacy incidents, the Privacy Commissioner for Personal Data ("the Commissioner") issued a guidance note in relation to direct marketing practices2 and the Amendment has codified obligations for data users in this area by introducing a new Part VIA to the PDPO which will regulate the use and sharing of data for direct marketing.
Use of data for direct marketing
Where data users intend to use personal data for the purpose of direct marketing they will be required to inform data subjects that:
they intend to use the personal data and that they may not do so without consent; the kinds of personal data that will be used; the classes of marketing subjects (meaning the goods, facilities or services that may be marketed to the data subjects) in relation to which the data will be used; and provide a means, without charge, by which the data subject can communicate their consent to the data user. Failure to provide this information to a data subject will be an offence.
When using a data subject's personal data in direct marketing for the first time, the data user must also notify the data subject that it is required to cease using the data if the data subject so requests.
These requirements apply irrespective of whether the personal data was collected from the data...