Passage of the Personal Data (Privacy) (Amendment) Bill 2011 by the Legislative Council
1. The Privacy Commissioner for Personal Data (“PCPD”), Mr. Allan Chiang, welcomes the passage of the Personal Data (Privacy) (Amendment) Bill 2011 by the Legislative Council last night (27 June).
2. “Although the Bill has not incorporated all our recommendations to amend the Personal Data (Privacy) Ordinance (“PDPO”), it does represent a significant step forward in enhancing the protection of privacy rights in relation to personal data. We will continue to engage the stakeholders and monitor international developments and technology changes, and press for further amendments to the PDPO as necessary to ensure that the new regulatory regime will remain sufficient and relevant,” said Mr. Chiang.
3. The new provisions will commence operation in phases. The Office of the PCPD will embark on an education programme to raise public awareness of the new provisions and promote compliance by corporate data users. Seminars will be organized and information leaflets as well as guidance notes will be issued.
4. “We are pleased that under the new regulatory regime, we will be empowered to provide legal assistance in meritorious cases to aggrieved data subjects to seek compensation from the data user for damage suffered by reason of any contravention of a requirement under the PDPO. This arrangement, which is expected to commence in early 2013, should be a great help to some aggrieved parties who might be inhibited to file a lawsuit due to cost considerations, despite the merits of their cases,” said Mr. Chiang.
5. The new provisions will provide tighter regulation of corporate data users on the use of customers’ personal data in direct marketing and the transfer/sale of the data to third parties. This regime is also expected to commence in 2013 (“the commencement date”), allowing time for PCPD to prepare relevant guidance notes and for the corporate data users to prepare for the transition. Under a grandfathering arrangement, the new requirements will not apply to the personal data that has been collected and used in direct marketing before the commencement date. In other words, the data user can continue to use such personal data after the commencement date without complying with the new requirements as long as it is used for direct marketing its own products/services which belongs to the same class of products/services as before.
6. “I am worried that from now till the commencement date, some data users may carry out massive direct marketing activities principally for the purpose of avoiding as far as possible compliance with the new requirements after the commencement date. In order to prevent this happening, I have proposed to the Bills Committee to specify a cut-off date (a date as soon as possible after passing of the Bill) after which the data user cannot seek cover under the grandfathering arrangement. However, this was not accepted. I shall keep a close watch of the developments. I also appeal to all direct marketers not to take unfair advantage of the grandfathering arrangement,” Mr. Chiang added.