For anyone interested in privacy and data usage in Hong Kong, here is an overview of current privacy and data protection rules in Hong Kong that apply to both local and multinational businesses, as well as proposed legislation that would alter those rules.
The Hong Kong Personal Data Ordinance and Proposed Amendments
Personal data privacy is protected and governed by six data protection principles contained in the Personal Data (Privacy) Ordinance (Personal Data Ordinance) together with codes and guidelines issued by the Office of the Privacy Commissioner for Personal Data. The Commissioner investigates complaints against data users and can serve an enforcement notice directing the data user to carry out remedial action if he believes that the data user has contravened legislative requirements and is likely to repeat such contravention.
The Personal Data (Privacy) (Amendment) Bill 2011, introduced on July 13, 2011, deals mainly with circumstances in which companies transfer personal data to third parties without the person’s knowledge.
Use, Transfer or Sale of Personal Data in Direct Marketing – To allow individuals to make an informed choice as to whether to provide their personal data for direct marketing purposes, the Bill would require the data user to provide individuals with certain data in writing, such as the nature of the personal data that would be used or provided and the classes of entities to which such data is to be provided.
Opt-Out – Under the Bill, data users would also be required to provide a response facility or tool through which the data subject may object to the intended use or provision, with reference to any specified kind of personal data or class of marketing subjects.
Transfer to Data Processor – The Bill also requires the data user to adopt safeguards to prevent any personal data from being retained longer than is necessary for processing purposes and to prevent unauthorised and accidental access or use of such data.
Penalties for Non-Compliance – Disclosure without an individual’s consent for gain, causing monetary loss or psychological harm to the individual is an offence punishable by a HK$1 million fine and imprisonment for five years. Other non-compliance, for example failure to inform individuals of their rights in direct marketing, may attract a fine of HK$500,000 and imprisonment for three years. Contravention of the direct marketing provisions may result in a fine of HK$500,000 and imprisonment for three years.
Defences – The only defence acceptable would be proof that all reasonable precautions had been taken and all due diligence had been exercised to avoid the commission of the offence.
Exemptions – Exemptions available include transfer or disclosure in due diligence exercises in connection with mergers, acquisitions or transfer of business, property or shareholding interest, subject to certain conditions; personal data held by a court or a judicial officer in the course of performing judicial functions; use required or authorised by court order; transfer or disclosure of a minor’s personal data by the Police or the Customs and Excise Department; and transfer to government archives of data contained in records of historical, research, educational or cultural interest.
For a more detailed discussion of any of the points raised above, see my article published by Bloomberg Finance L.P.