Legal change after Octopus scandal leaves loophole, says privacy chief
Legal changes proposed in the wake of last year's scandal over the sale of personal data by the issuer of the Octopus smartcards leave what critics - including the privacy commissioner - say is a big loophole that still leaves consumers' data at risk.
In amending the privacy law, the government has backed away from an 'opt-in' approach outlawing the use of data without a customer's clear consent, saying so few would give this permission that it could kill off the direct-marketing industry.
It has chosen an opt-out approach where a consumer would be deemed to have consented unless stated within a specified period.
Privacy Commissioner Allan Chiang Yam-wang said this 'would in effect legalise the sale of personal data'.
'The commissioner considers that an opt-out approach is out of keeping with the strong public distaste expressed after the Octopus incident against the sale of personal data without the data subjects' consent,' his office said in a statement.
Democratic Party legislator James To Kun-sun said many people did not have time to read the small print on forms or ignored direct mail.
'So, in such circumstances, is it fair to presume we are very pleased to allow the company to use our personal data?'
The proposed changes seek to tighten regulations to protect privacy and make sales of personal data a criminal offence, with a maximum penalty of a HK$1 million fine and five years in prison.
Explaining the opt-out approach, the report says: 'If the data subject does not respond to the data user, the data user may deem that the data subject has not opted out if no opt-out request is received within 30 days after the information and option are given to the data subject.'
The undersecretary for constitutional and mainland affairs, Adeline Wong Ching-man, said this was aimed at striking a balance between the protection of privacy and allowing room for businesses to operate.
'If the opt-in system is adopted, the opt-in percentage will be extremely low and this could kill the direct marketing industry, which has been creating employment opportunities and contributing much to the Hong Kong economy,' she said.
The review of the privacy ordinance, which was enacted in 1996, was triggered after public uproar over the sale by management company Octopus Cards of the personal information of millions of its clients to business partners.
Octopus Cards at first denied the sale but later admitted it had made HK$44 million by selling cardholders' data. A later inquiry found some of the company's business partners had resold the information.
There were calls to give the privacy commissioner more power to investigate complaints and launch prosecutions. But such views were rejected by the government.
Meanwhile, the Legislative Council secretariat said it had now put up notices after eight surveillance cameras were discovered to have been installed on and around the council building.
Two other temporary cameras installed by police to monitor anti-budget protests have been removed.