Make illegal sale of data an offence, privacy chief says

PUBLISHED : Thursday, 29 July, 2010, 12:00am
UPDATED : Thursday, 29 July, 2010, 12:00am

The Privacy Commissioner has urged the government to give serious consideration to making unauthorised sales of personal data a criminal offence.

Roderick Woo Bun, who is investigating the HK$44 million sale of the details of 1.9 million Octopus Card holders, said it should do this as part of a review of the privacy law, which is now under way.

Under the law as it stands, the sale of personal data by data users for profit without the consent of the subject is not a criminal offence and there is no penalty for misuse of personal data in direct marketing.

An offence is committed only if a person does not comply with an enforcement notice issued by the privacy watchdog after investigation.

But in Britain, unlawful obtaining, disclosure or sale of personal data is an offence under the Data Protection Act.

'The government should consider introducing a law to regulate transfer of personal data for sale,' Woo said at a media lunch yesterday. 'The Octopus incident has [shown] that personal data has become a valuable commodity in the market, about which the public has great concern,' he said.

Woo, who will finish his five-year term on Saturday, said he hoped his successor would encourage and assist the government in reviewing the privacy law.

His views were backed by lawmaker Wong Kwok-hing who said there was a pressing need for such a law. 'It is very clear that there are too many grey areas and loopholes in the existing privacy law, and the penalties that exist are not stiff enough to deal with contravention of data protection principles,' he said.

Wong will move a motion in the Legislative Council in October calling for stiff laws and regulation on the transfer of personal data on Octopus Cards or other stored-value travel and shopping cards. He said the government should not delay in submitting new legislation to plug the loopholes.

A three-month public consultation on the review of the Personal Data (Privacy) Ordinance was completed eight months ago but there have still been no reports or recommendations.

The Constitutional and Mainland Affairs Bureau said it was analysing and consolidating views received in about 170 written submissions.

'When we have general directions on the way forward, we will arrange for further public discussions on possible legislative proposals,' a spokeswoman said.

The consultation invited views on whether contraventions of data protection principles should be an offence, whether the privacy commissioner should have the power to fine offenders, and whether there should be a penalty for misuse of personal data in direct marketing.

The privacy commissioner has also proposed that he should be able to provide legal assistance to help people seek compensation for such breaches.

Human Rights Monitor director Law Yuk-kai said it was very important that the watchdog should provide legal assistance. 'This can help in the pursuit of justice through bringing test cases to court,' Law said

While the present law allows people to seek compensation in civil cases, there have been no court awards for privacy breaches since the law was enacted in 1996.

Meanwhile, Wong said he was helping several complainants to apply for aid from the Consumer Council's legal action fund, to seek compensation from the Octopus card issuer for the sale of personal data to its merchant partners such as insurance companies.

But the council said yesterday that it had so far received no such application.

Octopus has come under heavy criticism since Octopus Holdings chief executive Prudence Chan Bik-wah disclosed on Monday that the card issuer had not only been passing personal details of holders to its partners in a rewards scheme but had made HK$44 million in the past 41/2 years from selling the data.

Who do you turn to?

What to do if your personal data has been misused

At the Privacy Commissioner's office

- file a complaint

- seek resolution through mediation

- if that fails, a formal investigation is begun

- enforcement notice may be issued; failure to comply may lead to HK$50,000 fine and two years in jail

Seek redress through civil proceedings

- sue for compensation if you suffer any damage, including emotional distress

- results of the privacy commissioner's investigation cannot be used as evidence

- privacy commissioner is not empowered to provide legal assistance

Commissioner's proposed changes to privacy law in 2009

- criminalise unauthorised collection of, disclosure and sale of personal data

- increase penalty for misuse of personal data

- offer legal assistance to help victim seek compensation

- impose heavy fines for serious data violations