The Personal Data (Privacy) (Amendment) Ordinance (Amendment Ordinance) came into operation on 1 October 2012, with the exception of those provisions relating to direct marketing and legal assistance which will take effect on a further date to be announced.
The Amendment Ordinance introduces various amendments to the Personal Data (Privacy) Ordinance, which was enacted in 1995 (Ordinance), and tightens the regulatory framework to improve the protection of personal data privacy. Key changes under the Amendment Ordinance are highlighted below.
Disclosure of Personal Data Obtained without Data User’s Consent
The Ordinance did not previously expressly address the unauthorized disclosure of personal data by a person who obtained such personal data from a data user, save for stating certain general principles.
Following the passing of the Amendment Ordinance, it is now an offence for a person to disclose any personal data he obtained from a data user without the latter’s consent and with the intent to (i) obtain gain for himself or another person, or (ii) cause loss to the data subject. It is also an offence if the unauthorized disclosure, irrespective of its intent, causes psychological harm to the data subject. The penalty for these two new offences is a fine of up to $1,000,000 and imprisonment for up to five years.
A person charged with an offence may defend by arguing that the disclosure was made:
- with the reasonable belief it was necessary to prevent or detect crime;
- as required or authorized by law or court order;
- with the reasonable belief that the data user had given consent; or
- in the course of news activity or a directly related activity with the reasonable belief that the publishing or broadcasting of the personal data was in the public interest.
Useful Q&As and additional information about enforcement are available in a leaflet published by the Commissioner entitled “Offence for Disclosing Personal Data Obtained without Consent from the Data User”.
Outsourcing Personal Data Processing
The Ordinance did not previously expressly define “data processor” and only stated general principles with respect to a data user’s obligations regarding its agents and data processors.
The Amendment Ordinance broadly defines a “data processor” to include any person who processes personal data on behalf of another and not for his own purpose. The Privacy Commissioner notes in a leaflet on the new provisions that this definition is expansive. It expressly provides that, if a data user (essentially the equivalent of a data controller in the EU) engages a data processor, either within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to (i) prevent any personal data transferred to the data processor from being kept longer than is necessary for the processing of the data; and (ii) prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
Although the Amendment Ordinance does not require specific clauses to be entered into with the data processors (as is the practical case in the EU), the Privacy Commissioner has published a leaflet entitled “Outsourcing the Processing of Personal Data to Data Processors”, that describes contractual and other approaches for complying with the new requirements when outsourcing personal data processing.
Data Access Requests
The Ordinance previously only provided that a data user must comply with a data access request not later than 40 days after receiving the request.
The Amendment Ordinance clarifies that a data user, within 40 days after receiving a data access request, shall, if he has the requested data, inform the requestor in writing that he has such data and supply a copy of it to the requestor, or, if he does not have such data, send a negative confirmation in writing to the requestor.
The Amendment Ordinance also expands the existing grounds on which a data user might refuse to comply with a data access request. The additional grounds include:
- non-disclosure or secrecy requirements under the laws of Hong Kong; and
- where the Hong Kong Police Force receives a data access request regarding criminal conviction records from a requestor who has a clear record, it is only required to provide an oral response that it does not hold any such record within 40 days after receiving the request.
Broader Enforcement Power
The Amendment Ordinance extends the enforcement power of the Privacy Commissioner in the following aspects:
- under the Ordinance, the Privacy Commissioner could not serve an enforcement notice if the data user’s contravening activity had ceased. The Amendment Ordinance enables the Privacy Commissioner to serve an enforcement notice on a data user to remedy the contravention irrespective of whether the contravention is ongoing or has ceased;
- under the Ordinance, if the data user resumed the contravening activity shortly after compliance with an earlier enforcement notice, the Privacy Commissioner could only serve another enforcement notice. Under the Amendment Ordinance, it is now an offence to commit a repeated contravention intentionally, and the penalty is a fine of up to $50,000 and imprisonment for up to two years and, in the case of a continuing offence, a daily fine of up to $1,000;
- the Amendment Ordinance also provides for heavier penalties for second and subsequent convictions for contravening an enforcement notice, namely, a fine of up to $100,000 and imprisonment for up to two years and, in the case of a continuing offence, a daily fine of up to $2,000; and
- the Amendment Ordinance extends the time limit for laying information for prosecution of an offence from six months to two years from the date of the commission of the offence.
The Amendment Ordinance extends the grounds on which a data user is exempted from certain requirements under the Ordinance. The additional grounds include:
- the performance of judicial functions;
- the provision of identity and location data on health grounds;
- the care and guardianship of a minor;
- a due diligence exercise in connection with a business merger, acquisition or the transfer of business;
- any legal proceedings or for establishing, exercising or defending legal rights;
- the transfer of records for archive purposes to the Government Records Service;
- emergency situations; and
- self-incrimination in respect of any offence other than an offence under the Ordinance.
The new regulatory regimes in respect of direct marketing (including corresponding grandfathering arrangements) and legal assistance will be effected in the subsequent stages of the Amendment Ordinance’s implementation.
The new regime relating to direct marketing will clarify the requirements when using personal data for direct marketing and when providing personal data to another for use in direct marketing. It will also include grandfathering arrangements for pre-existing personal data as well as general exemptions and penalties for contravention.
Under the new regulatory regime, a data user will need to take the following actions before using personal data in direct marketing:
- subject to the grandfathering provisions, inform the data subject, in an easily understandable manner and if in writing in easily readable form, of certain prescribed information either (i) orally or in writing if the use of personal data in direct marketing is for his own purposes, or (ii) in writing if the personal data is to be provided to another person for use in direct marketing (whether for gain or not). The grandfathering provisions will waive such notification obligations for the use of any personal data of the data subject in relation to offering or advertising of the same class of goods, facilities or service or soliciting donations or contributions for the same class of purpose if any of the data subject’s personal data has been so used before the commencement of the new provisions regarding direct marketing;
- provide a free response channel through which the data subject may indicate whether he objects to the intended use or provision of his personal data;
- notify the data subject of his opt-out right when using his personal data in direct marketing for the first time; and
- comply with a data subject’s request at any time to cease to obtain gain for himself or another person or cause loss to the data subject.
A general exemption from the above requirements applies to the offering or advertising of social or health care services by certain service providers, unless the personal data is provided to another person for use in direct marketing for gain.
Under the new regime relating to direct marketing, unauthorized disclosure of personal data either (i) with an intent to obtain gain for the data user or cause loss to the data subject; or (ii) causing psychological harm to the data subject (irrespective of the intent) constitutes an offence for which, upon conviction, the data user is liable to a fine of up to $1,000,000 and imprisonment for up to five years. For other convictions under the new regime relating to direct marketing, the penalty is a fine of up to $500,000 and imprisonment for up to three years.
Under the new regime relating to legal assistance, the Privacy Commissioner may grant legal assistance to an aggrieved individual seeking compensation from a data user for damages suffered as a result of the data user’s contravention of any requirement imposed by the Ordinance in relation to his personal data. The form of assistance to be rendered ranges from giving advice to representation in legal proceedings.
For companies already making a good faith effort to comply with data privacy requirements in the EU, complying with the new requirements of the Amendment Ordinance should be straightforward, but will still require a gap analysis and appropriate remedial action for operations in Hong Kong. Companies that have been guided primarily by past requirements in Hong Kong or elsewhere with limited requirements, or that have not given compliance in this area much attention because of limited enforcement powers, will have more work to do. As a starting point:
- review and, if necessary, revise existing policies and procedures with regard to the handling of personal data and dealing with data processors;
- review and, if necessary, revise contractual provisions with any existing data processors and prepare standard provisions to be adopted in future contracts with data processors;
- organize workshops with regard to the Amendment Ordinance and the new internal compliance practice for employees whose daily responsibilities include handling personal data and/or dealing with data processors; and
- take proactive measures to prepare for and cope with the new legal regime relating to direct marketing and the corresponding grandfathering provisions.
Additional information and public statements by the Privacy Commissioner about both the Ordinance and the Amendment Ordinance are available from its website at: www.pcpd.org.hk.