News
News //
Law Alert - Personal Data (Privacy) Ordinance ("PDPO") - October 2015
Submitted by // K Bowers, Partner
20 October 2015


First convictions under Hong Kong's direct marketing regime

Introduction

The provisions on direct marketing under the Personal Data (Privacy) Ordinance (Cap. 486 of the laws of Hong Kong) ("PDPO") came into force on 1 April 2013. Since its implementation, no individual or organisation has been convicted for acting in breach of the provisions on direct marketing in the PDPO, until now.

Failure to comply with opt-out request (PDPO Section 35G(3))

On 9 September 2015, Hong Kong Broadband Network Limited ("HK Broadband") was convicted of acting in breach of section 35G(3) of the PDPO, which provides that a data user who receives a request for cessation of using the data subject's personal data in direct marketing must, without charge to the data subject, comply with the request. It has also been recommended that companies should maintain an "opt-out" list for keeping a record of any requests. Any data user which acts in contravention to section 35G(3) of the PDPO commits an offence and is subject to a maximum fine of HK$500,000 and imprisonment for 3 years.

HK Broadband's conviction relates to an incident which occurred during April 2013, when a customer of HK Broadband sent an opt-out request to HK Broadband by email and by post. HK Broadband subsequently acknowledged receipt of the request in writing. Despite this however, the customer received a voice message on his mobile telephone from an employee of HK Broadband in May 2013, to inform him of the expiration of his service contract, and also to promote other services of HK Broadband. As a result of the voice message, the customer made a complaint to the Office of the Privacy Commissions for Personal Data during May 2013 ("PCPD").

The complaint was subsequently referred to prosecution, and HK Broadband was charged for acting in breach of section 35G(3) of the PDPO. The case was heard in the Tsuen Wan Magistrates Court on 9 September 2015.

At the hearing, the presiding Magistrate rejected HK Broadband's defence that the telephone call was simply a reminder to the customer that his contract would soon expire. The Magistrate found that the true purpose of the telephone call was to promote HK Broadband's services, and that the 'reminder' to the customer about the end of his contract was an opener to direct marketing. Additionally, the Magistrate found that the call was made more than half a year before the customer's contract was due to expire, and that if HK Broadband's real intent was to remind its customer of the end of his service contract, a written reminder notice or text message sent to the complainant would have been sufficient. The Magistrate therefore found that HK Broadband had committed an offence under section 35G(3) of the PDPO, and ordered HK Broadband to pay a fine of HK$30,000. It has been reported that HK Broadband intends to appeal the conviction.

Failure to take specified steps and obtaining consent before using personal data (PDPO - Section 35C)

The second conviction under the direct marketing provisions of the PDPO concerned Links International Relocation Limited ("Links"), which was charged with the offence of using personal data of a customer in direct marketing without taking specified action, contrary to section 35C of the PDPO. In particular, section 35C of the PDPO stipulates that a data user must inform the data subject:-

(a) that the data user intends to use his/her personal data for direct marketing;
(b) that the data user will not use his/her personal data unless the data user has received the data subject's consent to the intended use;
(c) the kinds of personal data to be used;
(d) the classes of marketing subjects (i.e. for certain goods, facilities or services) in relation to which the personal data is to be used; and
(e) the response channel through which the data subject may, without charge, communicate the data subject's consent to the intended use.

Under the PDPO, a data user who provides personal data of a data subject to another person for use by that other person in direct marketing without informing the data subject of the above information and without obtaining his/her consent, commits an offence and is liable on conviction to a fine of HK$500,000 and to imprisonment for 3 years.

In the Links case, an individual provided his personal data (which included his mobile telephone number, company email address and residential address) to a company which provided storage services. This company subsequently ceased business in Hong Kong and was taken over by Links, which also provided similar storage services. During August 2013, Links sent a direct marketing email to the same individual, identifying him, and providing storage service quotations and terms and conditions.

Seeing as the individual never had any prior dealings with Links, nor had he ever been informed or given his consent to Links in relation to the use of his personal data for direct marketing, it was unclear to him why his personal information was accessible by Links. He therefore made a complaint to the PDPC, and the case was referred to the Police for criminal investigation.

Links was eventually charged for acting in breach of section 35C of the PDPO on 7 September 2015 at the Eastern Magistrates' Court, and on 14 September 2015, Links pleaded guilty and was fined HK$10,000.

Comments

The two cases relate to complaints made shortly after the implementation of the direct marketing regime during May 2013. It has taken more than two years to see the first convictions relating to the new direct marketing regime, with more to be expected in the near future. Although these two convictions resulted in relatively minor sanctions imposed against two companies, they have undoubtedly sent a strong message to organisations engaging in direct marketing activities in Hong Kong. The fact that there is now greater transparency and public awareness relating to breaches of the PDPO committed by any organisation, means that organisations risk serious reputational damage to their brand, name and profile.

Any organisation engaging in direct marketing activities should therefore carefully review their existing personal data and direct marketing policies and seek legal advice to ensure their compliance with the PDPO. In addition to updating its personal privacy statement and personal information collection statement, organisations should, for example, ensure that the 'opt-out’ list is regularly updated and that internal procedures are in place such that it complies with any opt-out requests from data subjects.


About Us

Howse Williams Bowers is an independent law firm which combines the in-depth experience of its lawyers with a forward thinking approach.

Our key practice areas are corporate/commercial and corporate finance; commercial and maritime dispute resolution; clinical negligence and healthcare; insurance, personal injury and professional indemnity insurance; employment; family and matrimonial; property and building management; intellectual property and financial services/corporate regulatory and compliance.

As an independent law firm we are able to minimise legal and commercial conflicts of interest and act for clients in every industry sector. The partners have spent the majority of their careers in Hong Kong and have a detailed understanding of international business and business in Asia.

Disclaimer: The information contained in this article is intended to be a general guide only and is not intended to provide legal advice.  Please contact pr@hwbhk.com if you have any questions about the article.