The first of these is the Personal Data (Privacy) (Amendment) Bill 2011 (the Bill). This introduces stricter rules on the use of personal data for direct marketing and cross marketing and, broadly speaking:
It also makes the unauthorised use or sale of personal data a criminal offence.
The new rules will affect all businesses engaged in direct marketing or who buy or sell personal data and will have a particular impact on large users of personal data like insurance companies.
Restrictions on direct marketing
Assuming the Bill becomes law in its current form, anyone engaging in direct marketing (a Direct Marketer) will have to provide the individuals they target with written details of:
This information must be presented in a way that is easy to read (no hiding the terms in small print) and easily understandable (written in plain language).
An “opt out” facility must also be included. This is a way for people to object to the use of their data for direct marketing. A simple example would be a check box on the data collection form which can be ticked if the recipient doesn’t want their data to be used for direct marketing. Individuals have 30 days after first being contacted to object, failing which the Direct Marketer is entitled to direct market to them - but only for the classes of goods or services set out in the notice. Even after this 30-day period, the individual can still object, and if they do the Direct Marketer must cease using their data for direct marketing purposes.
Direct marketing with existing personal data
The new rules on direct marketing do not apply retrospectively. This means personal data collected before the Bill becomes law can still be used for this purpose. However, this is only if and to the extent this was permitted under the PDPO. For example, if a Direct Marketer is currently permitted under the PDPO to direct market its banking products to clients, it will still need to comply with the new rules before it can direct market its insurance products to the same clients.
Restrictions on cross marketing
"Cross marketing" means selling or otherwise making personal data available to a third party for the purpose of direct marketing. The Bill requires a business doing this (a Data Provider) to first provide the data subject with written details of:
- The kinds of personal data to be used
- The classes of persons to whom the data is to be provided
- The classes of goods or services to be offered
The Privacy Commissioner also recommends that Data Providers do not use general references to data being transferred for cross marketing to "our partners" or "selected companies" but instead refer to specific classes of recipients, such as "financial service companies" or "telecommunications service providers".
As with direct marketing, there must be an "opt out" facility allowing an individual to object to the use of their data, in this case for cross marketing. If an individual objects, the Data Provider must cease supplying their personal data and must also notify any third party to whom it has previously supplied that data to cease using that data.
Anyone purchasing personal data (a Data User) must obtain written confirmation from the Data Provider that the Data Provider has complied with these new cross marketing rules.
There is no retrospective exemption for cross marketing. A sale or supply of personal data for direct marketing purposes after the new rules come into effect will need to comply with the new rules, even if the personal data was collected before they came into force. A business that sells personal data for direct marketing purposes will need to start preparing for the new rules well before they come into effect if it is to avoid any interruption to its business. There will probably also be a surge in the sale of marketing lists just before the new rules come into effect.
Penalties and legal assistance
One of the main reasons Data Providers and Data Users need to be aware of the new rules is that failure to comply is likely to be costly. In particular:
- The unauthorised sale of personal data will be punishable by a fine of up to HK$1 million and five years imprisonment
- Breach of the direct marketing rules will be punishable by a fine of up to HK$500,000 and three years imprisonment
The Bill also gives the Privacy Commissioner power to provide legal assistance to data subjects looking to seek compensation for breach of the PDPO. This is likely to lead to a significant increase in data privacy claims.
What should you do?
The Bill is expected to come into force by the end of 2012. If you are an organisation which engages in direct marketing or cross marketing in Hong Kong you should:
- Review your marketing processes and identify whether you buy or sell contact lists from third parties
- Prepare for the notification and "opt-out" requirements by preparing the relevant notices and updating your data collection forms
- Identify which direct marketing activities you are permitted to continue with personal data you already hold and which will require notification to your customers under the new rules
- Ensure you have systems in place to receive and process objections from individuals who do not want their personal data to be used for direct marketing or cross marketing, and to notify third parties to whom you have passed personal data of objections to the use of that data for cross marketing
- If you sell personal data for cross marketing, start preparing for the new rules before they come into effect to avoid any interruption to your business
- If you purchase personal data for cross marketing, seek confirmation from your data suppliers that they will comply with the new rules when these come into force