The Personal Data (Privacy) (Amendment) Ordinance 2012
(the “Amendment”) was published on the Government
Gazette on 6 July 2012. The Amendment has imposed a
more stringent regulatory regime than under the Personal
Data (Privacy) Ordinance (“PDPO”) including:
requirements for use and provision (i.e. sale/ transfer) of personal data for
introduction of a new offence for the disclosure of personal data;
implementation of a data user return scheme;
powers to the Privacy Commissioner (the '"Commissioner") to issue enforcement
empowering the Commissioner to provide legal assistance to aggrieved data
What does this mean for your business?
It is now far easier for data subjects (i.e. customers etc) to take action
against users (i.e. companies). Corporate data users are recommended to take
the following preparatory actions:
- Audit whether existing data
subjects have properly consented to the use of their data for direct marketing.
- Review whether proper consent has
been given for any personal data provided by third parties.
- Investigate whether any
free-of-charge channel for data subjects to communicate consent is currently in
- Ensure proper systems are in place
to record consents and to send written confirmation to data subjects if verbal
consents are obtained.
- Review data processing and
contractual arrangements with third party service providers to ensure the data
processors comply with the Amendment, e.g. telemarketers and email blasting.
- Review sales & marketing contracts
to reflect the Amendment.
- Assess scope of existing marketing
activities and review/ update the Personal Information Collection Statement to
ensure compliance with the Amendment.
- Prepare for DURS - review
record-keeping practices regarding the collection, use and transfer of personal
data to ensure compliance with the requirements under DURS.
- Update/prepare the internal data
protection manual to educate employees (in particular the sales & marketing
business) on new compliance requirements.
We would be happy to assist you with any of these areas.
The Amendment will come into operation on 1 October 2012 except for the
provisions regarding direct marketing, legal assistance and court jurisdiction.
The new changes relating to direct marketing are expected to commence in 2013
(“DM Commencement Date”) to allow time for corporate data users to prepare for
The Amendment has introduced new concepts and it is also expected that the
Commissioner will publish guidance notes on the practical implementation of the
new direct marketing provisions.
Use of Personal Data for Direct Marketing
The major changes under the Amendment relate to direct marketing. The Amendment
has introduced new requirements for data users to give data subjects an informed
choice as to whether to allow the use of their personal data in direct
marketing. Data users are required to comply with more onerous notification
requirements prior to the use of personal data for direct marketing purposes
- informing the data subjects (1) as
to the intention of the data users to use the personal data for direct marketing
purposes and (2) the data users may not use the personal data unless it has
received the data subject’s consent to do so;
- providing information on the kinds
of personal data to be used and the classes of marketing subjects in relation to
which the data is to be used; and
- notifying the data subjects when
using personal data in direct marketing for the first time.
Data users who use a data subject’s personal data without taking the above
actions will be liable upon conviction to a fine of HK$500,000 and 3 years’
Grandfathering and Third Party exceptions
The ‘grandfathering’ provisions are helpful but contain significant limitations.
Two exceptions to the new direct marketing requirements are introduced under
the so-called grandfathering arrangement and the third party exception. The
grandfathering arrangement provides that a data user can continue to use the
personal data after the DM Commencement Date without taking any actions in
relation to the new direct marketing consent requirements provided that certain
conditions are fulfilled.
The third party exception permits a data user to use personal data which is
provided by a third party without fulfilling the new consent obligations
provided that the third party has provided certain notifications to the data
Provision (i.e. transfer / sale) of Personal Data to Third Parties for Use in
Where data users intend to provide (i.e. transfer or sell) personal data to a
third party, they must inform the data subjects in writing that they intend to
so use the personal data and they may not provide the data unless they received
the data subjects’ written consent to the intended provision (note that unlike
the restrictions on using personal data for direct marketing, oral consent will
not suffice). Consent, for the purposes of the new requirements, includes an
“indication of no objection” to the use or provision of personal data. Data
users must also provide written information if the data is to be provided for
Failure to comply with each of the above requirements constitutes an offence,
and the data user is liable on conviction - (i) if the data is provided for
gain, to a fine of HK$1 million and imprisonment for 5 years; (ii) if the data
is provided otherwise than for gain, to a fine of HK$500,000 and imprisonment
for 3 years.
Employee Disclosure without Consent from Data User
The Amendment introduces a new offence where a person (e.g. an employee of a
data user) discloses personal data of a data subject that was obtained from a
data user without the data user's consent: (i) with an intent for gain, or to
cause loss to the data subject; or (ii) where the disclosure results in
psychological harm to the data subject. These offences shall attract fines of
HK$1 million and 5 years' imprisonment.
Data User Return Scheme
The Amendment provides for the implementation of a Data User Return Scheme (“DURS”).
Under DURS data users will be required to submit an annual return detailing the
personal data they control and the purposes of collection or processing of such
data. Data users will be liable to a fine of HK$10,000 and imprisonment for up
to 6 months.
The Commissioner will keep a Register of Data Users, which is a database that
contains all the information submitted annually by data users. The register
will be available to the public for inspection and will give data subjects an
opportunity to understand data users' privacy practices and compare them with
the practices of other data users. It was proposed that DURS will be rolled out
in three consecutive phases, covering: i) firstly, the public sector; ii)
secondly, three large regulated industries (banking, telecommunications and
insurance) and iii) thirdly, organizations with a large database of members
(such as customer loyalty schemes). However, it is not clear how the third
category is to be determined and the exact timeframe for the implementation of
DURS has yet to be announced.
The Amendment empowers the Commissioner to issue an enforcement notice where an
investigation reveals that the data user has breached the PDPO. This removes
the current requirement under the PDPO whereby the PCPD is empowered to issue an
enforcement notice for breaches of PDPO only in circumstances where the breach
is continuing, likely to continue or be repeated.
The enforcement notice would specify steps that the data user must take to
remedy, and if appropriate, prevent any recurrence of the contravention.
Failure to abide by the enforcement notice is liable on first conviction to (i)
fine of HK$50, 000 and 2 years’ imprisonment; and (ii) daily penalty of HK$1,
000 for each day the offence continues after conviction. On second or
subsequent convictions failure to abide by the enforcement notice is liable to
(i) fine of HK$100, 000 and 2 years’ imprisonment; and (ii) daily penalty of
HK$2, 000 for each day the offence continues after conviction.
Additionally, a data user who, having complied with a enforcement notice,
intentionally does the same act or makes the same omission in violation of the
of the PDPO, as specified in the enforcement notice, is liable on conviction to
(i) fine of HK$50, 000 and 2 years’ imprisonment; and (ii) daily penalty of
HK$1, 000 for each day the offence continues after conviction.
The Amendment empowers the Commissioner to provide legal assistance to aggrieved
data subjects who intend to institute legal proceedings against a data user to
seek compensation under the PDPO, including providing advice to the aggrieved
data subject or arranging for legal representation. This can
potentially open the floodgate for questionable data privacy claims.
The Amendment does not introduce direct regulation of data processors, but
rather requires data users to use contractual and other means to ensure that
personal data is protected from unauthorized or accidental access, processing,
erasure or loss, and is not retained for longer than necessary for the purpose
of processing the data.
For more information please contact: