In recent weeks, many Hong Kong businesses have circulated emails to contacts in their customer databases, offering recipients the ability to “opt out” of future direct marketing. This is in response to the introduction of a new Part VI A (effective as of 1 April 2013) into Hong Kong’s Personal Data (Privacy) Ordinance (the “PDPO”). Under this Part VI A, companies are obliged to meet certain new requirements in respect of their use of personal data for direct marketing purposes.
Under the new regulatory regime, subject to grandfathering provisions applicable to existing data (explained in more detail below), a data user cannot use a data subject’s personal data in direct marketing after 1 April 2013 unless that data user first:
- informs the data subject that the data user intends to use his personal data in direct marketing and that the data user may not do so without his consent;
- informs the data subject of the type of personal data to be used for, and the subject of such direct marketing (e.g. the services or goods to be offered);
- provides a free response channel through which the data subject may indicate whether he consents to the intended use of his personal data; and
- is in receipt of the data subject’s consent to the intended use of his personal data (which, according to guidance published by the Hong Kong Privacy Commissioner, must be by active “opt-in” by the data subject, not by silence);
The grandfathering provisions in the PDPO will waive the above obligations if, prior to 1 April 2013, (i) the data subject had been explicitly informed by the data user of the intended use or use of his personal data in direct marketing in relation to the class of marketing subjects, (ii) the data user had used any of the data for such marketing, (iii) the data subject had not “opted out” of such use and (iv) the data user was in compliance with the PDPO provisions in force at the time of the use. Note, however, that even if the grandfathering provisions apply, a data subject always has the right to opt out as discussed in the next paragraph.
Data user must continue to ensure compliance with the following requirements after 1 April 2013 (which cannot be waived by the grandfathering provisions):
- when using the data subject’s personal data in direct marketing for the first time, the data user shall inform the data subject of his “opt-out” right; and
- the data user shall, at any time, terminate use of the data subject’s personal data in direct marketing should such request (if any) be made by the data subject.
Breach of the provisions set out above may constitute an offence for which maximum liability upon conviction is a $500,000 fine and imprisonment for three years.
Under the new regime, provisions similar to those set out above exist to prohibit a data user from providing a data subject’s personal data to another person for that other person’s use in direct marketing unless certain requirements are complied with. Maximum liability upon conviction for certain offences involving such provision of data to another is a $1,000,000 fine and imprisonment for five years, if that data is provided for gain.
The PDPO provides certain general statutory exemptions from the above provisions. So long as personal data is not provided to a third party for gain, neither of the restrictions apply where the services being directly marketed are (i) social services run or financially supported by the Hong Kong Social Welfare Department, (ii) health care services provided by the Hong Kong Hospital Authority or Department of Health, or (iii) any other social or health care services the deprivation of which would be likely to cause serious harm to physical or mental health.
The Guidance advises that the Hong Kong Privacy Commissioner “would generally take the view that it would not be appropriate to enforce” the above provisions of the PDPO in those “clear-cut” cases where:
- the content directly marketed to a data subject is “clearly” intended for the use of the corporation for which the data subject works and not for the data subject’s personal use; and
- the data subject’s personal data used in the marketing was collected in the data subject’s “official capacity” (e.g. the personal data comprises contact details for the purpose of receiving communications in the individual’s professional role, not their personal capacity).
However, it is important to note that marketing to individuals in reliance on these exemptions is not without risk, as the Guidance is purely advisory, and does not offer a statutory exemption.
This post was prepared with the assistance of Scarlett Jennings in the Hong Kong office of Latham & Watkins.