Privacy & Information Security Law Blog

On June 27, 2012, the Hong Kong Legislative Council passed a bill to amend the Personal Data (Privacy) Ordinance (the “Ordinance”). The amendment will become effective in phases. Most provisions will become effective on October 21, 2012, and the others will take effect on a day to be announced by publication in the Hong Kong Government Gazette.

The amendment establishes a number of changes and new requirements, but the principal changes include provisions imposing increased notification and consent requirements for data users that seek to:

• sell personal data;
• use personal data for their own direct marketing purposes; or
• provide personal data to another person for that other person’s direct marketing purposes.

In addition, the amendment imposes potentially significant criminal penalties for data users that violate these requirements.

Other key changes include a provision increasing criminal penalties for obtaining personal data from a data user without the data subject’s consent, then subsequently disclosing the information for gain or to cause psychological harm to the data subject; and a provision which empowers the Hong Kong Privacy Commissioner for Personal Data (the “Privacy Commissioner”) to provide legal assistance to aggrieved persons who may institute proceedings to seek compensation.

The amendment also implemented a great many other changes. The changes do not fall into any particular pattern, but instead each individually reflect an effort to update the Ordinance based on practical experience. The following are a few of the many revisions:

• The Privacy Commissioner may impose reasonable charges for its promotional or educational activities, services and materials.
• After completing of an investigation, the Privacy Commissioner may serve an enforcement notice on a data user at the same time he notifies the data user of the result of the investigation.
• Repeated noncompliance with enforcement notices will result in penalties including fines and two years of imprisonment.
• The duty to erase personal data would be considered satisfied if a data user has taken all practicable steps to erase obsolete personal data.
• A data user may provide the job title or the name of the individual tasked with handling data access or correction requests it receives from data subjects.
• The time limit for filing charges for a violation of the Ordinance is now two years from the date of the commission of the offense.

Generally speaking, the amendment does not represent a fundamental restructuring of the Ordinance. Rather, it seems primarily aimed at reforming the Ordinance to promote a more effective and rational approach to enforcement based on actual experience over the years. The amendment does, however, impose potentially significant new criminal penalties for violations that may occur in the course of the commercial use of personal data. Accordingly, businesses in Hong Kong must be sensitive to new compliance requirements and ensure that personal data is handled properly when engaging in direct marketing activities.

In October 2011, the Privacy Commissioner published three “Guidance Notes” to help data users comply with the Ordinance.