Renewed call to set up Hong Kong's do-not-call register caught between two bureaux
Allan Chiang Yam-wang
My publication on 5 August 2014 of the results of a public opinion survey regarding P2P (person to person) calls, together with my renewed call to the Administration for amending the Unsolicited Electronic Messages Ordinance (UEMO) to provide for the expansion of the existing DNC registers to include P2P calls, attracted a great deal of media and public attention. The registers, administered by the Office of the Communications Authority (OFCA), presently provide for telephone subscribers to register their telephone numbers to ward off unsolicited fax messages, short messages and pre-recorded telephone messages, but not P2P calls.
Compared with a similar survey conducted by OFCA in 2008 to evaluate the problem of inconvenience caused by P2P telemarketing calls, the 2014 survey revealed that there had been a growing preponderance of P2P calls, with more people responding negatively to the calls and fewer people reporting any gains from the calls. In keeping the survey findings that the bulk of the population has been inconvenienced by these calls and most of them treated the calls as nuisance, many have spoken against the calls subsequent to the publication of the 2014 survey report, quoting their bitter personal experiences. Some media have voiced support for the DNC register for P2P calls while expectedly the Hong Kong Call Centre Association has expressed reservation.
Importantly, the Commerce and Economic Development Bureau (CEDB), which has policy responsibility over UEMO and oversees OFCA, indicated they had an open mind on the proposal, but quickly pointed out that the effect on some 20,000 people employed in the telemarketing industry must be duly considered.
Against this background, I was a bit surprised to receive a letter dated 11 August 2014 from CEDB, (i) expressing their disappointment and frustration over the approach that I have taken in publication of the report on the 2014 survey results, (ii) making known their expectation of how my Office should have communicated with the Administration on this project, (iii) querying about the results of the survey, and (iv) indicating that they do not feel obliged to take forward the proposal.
Prior consultation with the Administration?
It appears that CEDB expects us to consult them before publication of the 2014 survey report so as to include their input, including "… comment on the conduct of the survey … (and) the draft findings." CEDB commented that without such prior consultation, we were in effect "keeping (the) Bureau in the dark", depriving them of a "fair hearing" and"… presenting a one-sided picture to the public." They were not happy that they received an advance copy of the 2014 survey report only a day before its publication.
To put things into perspective, the question of whether or not to regulate P2P telemarketing calls under the UEMO is a long standing one for the Administration. It was discussed at the meeting of the Legislative Council Panel on Information Technology and Broadcasting on 9 November 2009 and brought up again in the 2009-2010 public consultation on the review of the Personal Data (Privacy) Ordinance (PDPO). At that time, the Administration relied on the 2008 survey results and concluded that there was no "overwhelming support for regulation by legislation" and "establishing a DNC (register) for P2P calls appears disproportionate". In response to my specific appeal in 2011, CEDB expressed hope that self-regulation by the industry would suffice to address the problem but undertook to "… closely monitor the running of the self-regulatory scheme and review (the Administration's) way forward as and when appropriate."
Accordingly, by sending CEDB an advance copy of the survey report together with my renewed call to set up a DNC register for P2P calls, we were simply updating the Administration on the latest figures of a survey which they should be familiar with. We were just reiterating suggestions we made three years ago rather than making final decisions on the issue. In the circumstances, I do not see there is an issue of a "fair hearing".
We have not been undertaking a public consultation exercise to solicit the views of all stakeholders for inclusion in the survey report. As such, I do not see the need to keep CEDB informed of the survey and include their input in the report. I consider it is appropriate for us to simply provide to the Administration as the major stakeholder with an advance copy of the report. Although the report is a 77-page document, the salient findings and conclusions of the survey are all contained in the 3-page executive summary, based on which the press briefing on the following day was conducted. CEDB is at liberty to comment and follow up on the report and my suggestions as they deem fit and at any time after receipt of the report.
I see nothing inappropriate for us to restrict our role to just setting the scene to facilitate an open and transparent public discussion on a subject which affects the bulk of the population. As the advocate for personal data privacy, our suggestions to resolve privacy issues must necessarily centre on the protection of personal data privacy. We welcome feedback to our suggestions and are most prepared to enter into subsequent iterative discussions with parties concerned to explore win-win solutions.It is up to the Administration, as the decision-maker on public policies and initiator of legislative changes, to embark on public consultation as they see fit and to "… strike a careful balance between facilitating a legitimate commercial activity while minimising nuisance to the public."
Although we are largely funded by the Administration, we operate independently of the Administration. This independency status, provided under the PDPO, is a core value of this Office as it represents the corner-stone of the public trust on our regulatory work. We therefore strive to uphold this value in our day-to-day dealings with the Administration.
Validity and reliability of the 2014 survey results
CEDB expressed doubts at great length on the validity and reliability of the results of the 2014 survey we conducted.
It is relevant to note that the researcher we commissioned to conduct the 2014 survey is the same as the one commissioned by OFCA in 2008, namely, the Social Sciences Research Centre of the University of Hong Kong. The survey methodology, including the significance testing of the 2014 survey results and the difference between the 2008 and 2014 results are found in Chapters 2 and 5 of the full report respectively. The full report, with details of significance of results, has been made public since 5 August 2014 and is available on our website. This is in sharp contrast to the 2008 survey for which only summarised results were made public by the Administration and no details of the statistical tests and results can be found.
I am confident that I have in my written reply satisfied all the queries from CEDB and convinced them that the 2014 survey results are valid and reliable, and we have been perfectly honest in our reporting.
It is not entirely clear why CEDB grilled on the figures intemperately. I hope CEDB is still in agreement with me on the broad picture that the survey results have portrayed, namely, the P2P calls have successfully brought benefits (whether marginal or not) to a relatively small proportion of the population, but only at the expense of the majority who are caused nuisance in the process. I also hope they recognise the worsening trend and the aggravating problem which warrant the Administration's attention and follow-up.
DNC register for P2P calls a panacea?
CEDB pointed out and I agree that a number of difficulties will still be unresolved with the introduction of a DNC register for P2P calls. I have never suggested that this is a panacea. We need a basket of solutions and take a multi-pronged problem-solving approach.
First, some 20,000 plus employees are engaged in the local P2P telemarketing business. Their employment would be affected. This problem could be allayed by allowing a suitably long period for the transition. The register could even be implemented on a sector by sector basis rather than on a full-scale basis. Assistance could be provided to the employees affected to upskill themselves to take up higher value-added jobs.
Another problem is that the proposed DNC register would be ineffective to curb calls made outside Hong Kong. If these calls are made to sell products and services in Hong Kong, it is likely that a Hong Kong company is responsible for outsourcing the direct marketing activities to call centres outside Hong Kong. Where use of personal data is not involved in the calls, PDPO could not be applied. In the circumstances, I would suggest the local telemarketing industry institutes an accreditation system to raise the professional standards of its members and win the confidence of the consumers. Accredited callers could distinguish themselves from non-accredited callers (including those operating from outside Hong Kong) by using telephone lines bearing unique and readily-recognised first four digits.
Where use of personal data is involved in P2P calls made outside Hong Kong, sections 35 and 65 of the PDPO would be engaged and we have to rely on the Police to identify the Hong Kong company in their criminal investigation and bring charges against the company. In this regard, the Secretary for Justice has personally chaired a meeting with us and the Police in late June 2014 to discuss the new enforcement challenges we are facing. We all agreed that we will step up our efforts in our ongoing investigation and prosecution work.
On my part, educational and promotional efforts will be stepped up to promote compliance with the PDPO and understanding of individuals' privacy rights under the PDPO.
Unique advantages of DNC register for P2P calls
I must stress that the proposed DNC register for P2P calls has unique features that cannot be replaced by the present provisions under the PDPO regulating direct marketing activities.
First, the DNC register can be used for P2P calls, regardless of whether use of personal data is involved. By contrast, PDPD is engaged only when collection and use of personal data is involved.
Further, the DNC register is a one-stop-shop that enables the consumer to opt out of all unwanted telemarketing calls at one go. Under the PDPO, consent from the target customer has to be sought before a direct marketing approach is made. After giving consent, the customer can at any time revoke the consent and ask the direct marketer not to approach him again. However, the exercise of this opt-out right has to be made on a company by company basis.
How the DNC register for P2P calls should be set up
Reading between the lines of CEDB's letter, I gather that they are not against the proposal of a DNC register for P2P calls but they feel strongly that the facility should be set up under the PDPO (not UEMO), with a steer from the Constitutional and Mainland Affairs Bureau ("CMAB") rather than CEDB.
I note that this updated view on how the DNC register should be set up is a departure from the open-minded approach CEDB have indicated to the Legislative Council Panel on Information Technology and Broadcasting in November 2009, and repeated in their recent briefing to the media. It clearly differs from the pledge made by the Administration when the Bill for UEMO was examined by the Bills Committee in 2007 :"… the Administration has undertaken to continue to monitor the problem of (P2P) interactive telemarketing calls to assess if they warrant regulation in future."
Indeed, to reflect this legislative intent, UEMO as it now stands is structured so that if it is decided in future to bring P2P calls into the ambit of this ordinance, such decision could be effected expeditiously by way of an amendment notice published in the Gazette under section 7. On this basis, it is difficult for me to appreciate CEDB's remarks that the proposed DNC register can be set up "… without reference to the regime under UEMO, which is designed for different targets and problems."
CEDB's present position is apparently at odds with that held by CMAB in 2011 when concluding the public consultation on the review of the PDPO: "If measures are to be introduced to regulate these (P2P) calls, they should cover all such calls, including those that do not involve the recipients' personal data, so as to make the regulation more comprehensive and effective, and to avoid confusion and dispute over whether the use of personal data is involved. This goes beyond the ambit of the PDPO. "
As the 2014 survey report shows, only 27.4% respondents reported that over half of the calls they received specified their names. On this basis, one may conclude thatthe problem of P2P calls is due more to cold calls not involving use of personal data, than to calls involving use of personal data. This conclusion does not lend support to CEDB's suggestion to set up the DNC register under the PDPO rather than UEMO.
I should add that administering different DNC registers by two organisations (OFCA and my Office), as suggested by CEDB, is not conducive to the efficient use of public funds. Also, the public would certainly find the arrangement confusing and less than customer-friendly.
The omission of P2P calls in the DNC registers presently administered by OFCA is an anomaly not found in other parts of the world. To operate the full range of DNC registers by two separate organisations would be another anomaly. However, we are addressing an issue of public interest here. If both the Administration and the Legislature decide in the end that the proposed DNC register for P2P calls should be administered by my Office under the PDPO and sufficient resources are provided, I am prepared to bend over backwards to assume that added responsibility.
I reckon that as the next step, CMAB and CEDB will need to resolve between themselves on which Bureau will take forward the proposal. I stand ready to assist.
The author is the Privacy Commissioner of Hong Kong. This commentary was originally published as a blog on the website of the Office of the Privacy Commissioner for Personal Data on August 21, 2014 and republished here with the permission of the Commission.