Personal data law's selling point is much tighter rules on privacy

Mark Parsons, of Freshfields Bruckhaus Deringer, looks at how new regulations affect business use of consumers' personal details

PUBLISHED : Wednesday, 17 October, 2012, 12:00am
UPDATED : Wednesday, 17 October, 2012, 2:56am

The Octopus Rewards affair in summer 2010 brought the issue of data privacy home to Hong Kong. The follow-on from Octopus Rewards is Hong Kong's long-awaited data privacy reforms, which took effect on October 1 this year.

How does the new law affect marketing using personal data?

Much of the legislative reform has focused on tightening the rules around using personal data for marketing purposes, a clear response to revelations that Octopus Rewards' loyalty scheme sold personal data for marketing purposes.

The new law will significantly step up compliance requirements in this area, forcing businesses to be much more explicit than they have been in the past about how they intend to make use of personal data.

The Privacy Commissioner for Personal Data, who oversees administration of privacy regulation in Hong Kong, expects to see a "tick box" approach in which consumers can opt not to receive e-mails, telephone calls and other kinds of marketing.

Businesses will have to fully inform individuals of the nature of the personal data that will be used in the marketing and the type of products and services that will be marketed. Where these are not the same or directly related to products or services previously bought by the individuals, the nature of the products and services must be specifically referred to, for example "financial services" or "insurance" rather than generic terms like "our other products".

In the case of sales of personal data from one business to another - the cross-marketing that was in issue in the Octopus Rewards case - businesses transferring the data must make specific reference to the nature of the transferee's business - for example, "financial service companies" or "telecommunications service providers" - and expressly indicate whether or not the data is being transferred for money or other commercial gain.

Although most of the provisions of the new law came into effect on October 1, the requirements relating to direct marketing and cross-marketing will come into force at a later date not yet fixed by the government but expected to be no later than April 1 next year.

What marketing can organisations do with their existing databases of personal data?

Hong Kong businesses will be keen to understand what these reforms mean for their existing customer data, which in most cases will not have been collected in a manner compliant with these new, stringent requirements.

No further cross-marketing with personal data is permitted until the new requirements have been met. There is an exemption for direct marketing with existing holdings of personal data to the extent that the marketing is compliant with the law as it stood before the reforms.

However, this exception might have limited use in practice given that the privacy commissioner's official guidance on marketing, which predates the legislative reforms, already included a number of the new requirements.

Are there any new offences under the new law?

The reforms will significantly step up the consequences of not complying with Hong Kong's privacy law.

New offences are established, including ones that cover disclosing personal data with the intention to benefit or cause loss to an individual and disclosing personal data without consent in circumstances that cause psychological harm to the individual.

These new offences will attract fines of up to HK$1 million and up to five years' imprisonment.

What do the reforms mean for the collection of personal data from the internet and the use of "cookies"?

The privacy commissioner has just issued new guidance on how websites must comply with privacy laws, including requirements directed at the online tracking carried out through the use of "cookies", those small data files stored on your internet browser.

Such tracking must be carried out in a lawful and fair manner consistent with the website privacy policy, the information collected should not be excessive and the purpose of the tracking should be related to a function or activity of the business.