Privacy and Data Usage in Hong Kong: Implications for Multinational Corporations
Contributed by Julianne Doe and Rebecca Lai, Brandt Chan & Partners, in association with SNR Denton HK LLP
As business activities grow increasingly global, and personal information and data cross national boundaries on a daily basis, companies need to ensure that they are aware of local privacy and data protection regulations and pending legislation that would impose more stringent privacy and security requirements. This article provides an overview of current privacy and data protection rules in Hong Kong that apply to both local and multinational businesses, as well as proposed legislation that would alter those rules.
The Hong Kong Personal Data Ordinance
The collection, use, transfer and retention of personal data are governed by six data protection principles contained in the Personal Data (Privacy) Ordinance (referred to as the “Personal Data Ordinance”1) and a number of codes and guidelines issued by the Office of the Privacy Commissioner for Personal Data, Hong Kong.2
Under the current data protection principles, a data user must—either before or at the time of the collection of personal information—notify individuals of the purpose of the collection of their data and obtain their express consent before transferring any such data. Thereafter, the individual has the right to ascertain the accuracy of any personal data held by the data user and may obtain access to that data upon reasonable notice and payment of a fee to the data user. The Personal Data Ordinance also imposes restrictions and obligations on the data user with respect to any use and/or transfer of personal data.
The Privacy Commissioner may investigate complaints against data users and can serve an enforcement notice directing the data user to carry out remedial action if the commissioner believes that the data user has contravened legislative requirements and is likely to repeat such contravention.
Proposed Amendments to the Hong Kong Ordinance
A Personal Data (Privacy) (Amendment) Bill 2011 (referred to as the “Bill”) to amend the Personal Data Ordinance was introduced on July 13, 2011, for consideration by the legislature.3
The proposals under the Bill deal mainly with circumstances in which companies transfer personal data to third parties without the person’s knowledge. These situations include mass marketing exercises, but could have wider applications.
Use, Transfer or Sale of Personal Data in Direct Marketing
To allow individuals to make an informed choice as to whether to provide their personal data for direct marketing purposes, the Bill would require the data user to provide individuals with the following information, in writing:
- the nature of the personal data that would be used or provided.
- the classes of entities, such as financial services companies or telecommunications services providers, to which such data is to be provided.
- the classes of goods, facilities or services, such as beauty products or financial services, to which such data is to be offered or advertised or the purposes, such as charitable, cultural or recreational initiatives, for which donations or contributions are to be solicited.
Under the Bill, data users would also be required to provide a response facility or tool through which the data subject may, at no cost and within a 30-day time limit, easily object to the intended use or provision, with reference to any specified kind of personal data or class of marketing subjects. The opt-out request would be required in writing, and the absence of such a request within the time limit would be treated as consent by the data subject to such use or provision. Sellers of personal data would be subject to similar constraints.
— Transfer to Data Processor
If a data user wishes to engage a data processor to carry out data processing on its behalf, the Bill would require the data user to adopt safeguards to prevent any personal data from being retained longer than is necessary for processing purposes and to prevent unauthorised and accidental access, processing, erasure, loss or use of the data.
Penalties for Non-Compliance
— Disclosure Without Consent
In view of the potential gravity of harm, the Bill would make it an offence, punishable by a HK$1 million fine and imprisonment for five years, to disclose personal data without the individual’s consent for gain, causing monetary loss or psychological harm to the individual.
The Bill would impose more graduated punishments for contravention of the proposed legal requirements in the following ways:
- Failure to inform individuals of their rights in direct marketing for the first time. The Bill would increase the penalty from a fine of HK$10,000 to a HK$500,000 fine and imprisonment for three years.
- Contravention of provisions connected with the use or provision of personal data in direct marketing. The Bill would increase the penalty from a fine of HK$10,000 to a HK$500,000 fine and imprisonment for three years.
- Contravention of provisions connected with the sale of personal data. The Bill would increase the penalty from a fine of HK$10,000 to a HK$1 million fine and imprisonment for five years – this will also apply to a buyer if it fails to comply with a data subject’s request to cease to use the personal data.
- Repeated non-compliance with an enforcement notice. The Bill would increase the penalty from a fine of HK$50,000 to a HK$100,000 fine (with a daily fine increased from HK$1,000 to HK$2,000 for a continuing offence after conviction), but the term of imprisonment would remain at two years.
- Repeated violation of the Personal Data Ordinance with intention. The Bill would make it an offence punishable by a HK$50,000 fine and imprisonment for two years (with a daily fine of HK$1,000 for a continuing offence after conviction).
Under the Bill, the only defence acceptable would be proof that all reasonable precautions had been taken and all due diligence had been exercised to avoid the commission of the offence.
The Bill empowers the privacy commissioner, in the absence of any evidence showing possible repeated contravention, to issue an enforcement notice to a data user when the data user has violated the law.
New exemptions from compliance with the existing data protection principles on use of personal data include the following:
- Transfer or disclosure in due diligence exercises in connection with mergers, acquisitions or transfer of business, property or shareholding interest, subject to certain conditions.
- Personal data held by a court or a judicial officer in the course of performing judicial functions.
- Use required or authorised by court order or in connection with any legal proceedings in Hong Kong, or otherwise, for establishing, exercising or defending legal rights in Hong Kong.
- Transfer or disclosure of a minor’s personal data by the Police or the Customs and Excise Department in relation to care and guardianship of the minor.
- Transfer to government archives of data contained in records of historical, research, educational or cultural interest.
Julianne Doe is a Hong-Kong-based partner at Brandt Chan & Partners, which is associated with SNR Denton. She practices in the areas of capital markets, corporate finance, securities and China investment. She can be reached at firstname.lastname@example.org.
Rebecca Lai is an associate with Brandt Chan & Partners, which is associated with SNR Denton. Rebecca’s practice primarily focuses on employment matters, mergers and acquisitions, corporate restructurings, corporate finance, and banking and general commercial advisory work. She can be reached at email@example.com.
© 2011 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.