1. Under the Personal Data (Privacy) (Amendment) Ordinance 2012, which will come into effect on 1 October 2012, it is an offence for a person to disclose any personal data of a data subject obtained from a data user without the latter’s consent and with an intent to (i) obtain gain for himself or another person, or (ii) cause loss to the data subject. It is also an offence if the unauthorized disclosure, irrespective of its intent, causes psychological harm to the data subject. The maximum penalty for these two new offences is a fine of $1,000,000 and imprisonment for 5 years.
2.The Privacy Commissioner for Personal Data Mr. Allan Chiang today (27 September) published an Information Leaflet entitled “Offence for Disclosing Personal Data Obtained without Consent from Data User” (“the Leaflet”) to explain the scope of the new offences and the types of defences recognized under the Amendment Ordinance.
3.Mr. Chiang said, “With the rapid advancement in information technology and the widespread use of the Internet, the collection (otherwise than from the data subject directly) and dissemination of personal data have become much easier to carry out. Grave harm can be caused to a data subject if a person obtains his personal data without the data user’s consent and discloses it in flagrant disregard of his personal data privacy. Examples of such act which happened in the past include:-
(a)sale by an employee of a company of customers’ personal data without the company’s consent, and for which he received payment from the purchaser;
(b)disclosure by a hospital staff of a celebrity’s health records, which he obtained without the hospital’s consent and the disclosure caused psychological harm to the celebrity; and
(c)unauthorized retrieval of a celebrity’s intimate photos by a staff of a laptop repair company from that celebrity’s laptop whilst undergoing repair and subsequent uploading of the photos to the Internet, thus causing psychological harm to the celebrity.
In view of the seriousness of the intrusion into personal data privacy and the gravity of harm that may be caused to the data subjects, these blatant acts are subject to criminal sanction under the Amendment Ordinance.”
4. The Leaflet, written in a Q&A format, includes the following topics:-
i)What kind of acts will be caught under the offence?
ii)Is monetary “gain” or “loss” required for the offence?
iii)What if the act is not intended to lead to “gain” or “loss” but the data subject is humiliated as a result of the disclosure of his personal data?
iv)Will normal journalistic activities be affected by the offence?
v)Will normal and innocuous browsing activities of web-users be affected?
5.The Leaflet can be obtained from the Office of the Privacy Commissioner for Personal Data at 12/F., Sunlight Tower, 248 Queen’s Road East, Wan Chai, Hong Kong or downloaded from its website at http://www.pcpd.org.hk/english/resources_centre/publications/files/offence_disclosing_e.pdf.