ANALYSIS: Hong Kong’s Newly Amended Data Protection Law: What The Changes Mean In Practice
By Anna Gamvros, Aaron Bleasdale, and Jacqueline Wong, of Baker & McKenzie, Hong Kong.
Since its enactment in 1996, Hong Kong’s data privacy legislation, the Personal Data (Privacy) Ordinance (“PDPO”), has remained largely unchanged. However, following public consultation which commenced in 2009, Hong Kong’s Legislative Council recently amended the PDPO by dramatically increasing penalties, introducing new offences particularly focused on direct marketing and unauthorised disclosure of personal data and introducing other changes to strengthen the law.
The Personal Data (Privacy) (Amendment) Ordinance (“Amendment Ordinance”) was passed into law on June 27, 2012. Most of its provisions will come into effect on October 1, 2012. However, a number of provisions, most notably the direct marketing regime, will come into effect at a later date. The delayed commencement of these provisions will allow the Privacy Commissioner’s Office (“PCO”) to issue practical guidance on compliance with the new regime and will provide data users with the opportunity to take compliance measures before commencement.
Although the new penalties will attract the attention of many Hong Kong companies and organisations collecting, using and/or storing personal data (“data users”), the changes introduced by the Amendment Ordinance are of particular relevance to data users that engage in direct marketing or that provide or acquire personal data for direct marketing purposes. The changes will require that data users in Hong Kong review their collection practices and privacy notices as well as ensuring that usage of data for direct marketing is in accordance with the data subject’s consent.
Direct Marketing: The New Regime
The PDPO currently has limited provisions with respect to the use of personal data for direct marketing supplemented by non-binding practical guidance, the “Guidance on Collection and Use of Personal Data in Direct Marketing,” issued by the PCO in October 2010 following its Octopus investigation, which involved the sharing of large amounts of personal data for direct marketing purposes (see report by Anna Gamvros and Paolo Sbuttoni, of Baker & McKenzie, Hong Kong, at WDPR, November 2010, page 19). The Amendment Ordinance adds to the PDPO numerous provisions specifying a data user’s obligations in respect of using or providing personal data to a third party for direct marketing purposes…