Legal
Comments on Proposed Legislation by the PCPD
Unsolicited Electronic Messages ("UEM") Bill
In the course of discharging the duty to examine the Bill, the PCPD gave the following comments to the Secretary for Commerce, Industry and Technology Bureau ("the Secretary"):
1. The opt-out regime
It was proposed under the Bill that senders of UEM would be obliged to give clear and conspicuous statements to enable the recipients to send unsubscribe requests to refuse further UEM from being sent, and that the person to whom the unsubscribe request was sent should keep a proper record of the request for at least 7 years. The Secretary was reminded of the retention requirement under Data Protection Principle ("DPP") 2(2) and that the type and kind of information to be so retained should, as far as practicable, be narrowed down under the Bill.
2. Consent for using electronic address
The Bill recognized the right of a registered user to give consent to the use of his electronic address by the sender of UEM. The definition of "consent" under the Bill included a consent given by a person on behalf of the registered user. This would give rise to personal data privacy concerns. The Privacy Commissioner suggested that it would be preferable for consent to be given only by the data subject, unless there were valid grounds justifying otherwise.
3. The do-not-call register
It was proposed under the Bill that the Telecommunications Authority ("the Authority") should keep and maintain a do-not-call register. The Bill sought to set out the purpose statement for maintaining the register and the sanction to be imposed in the event of non-compliance. The Privacy Commissioner reminded the Secretary of the requirement of giving a Personal Information Collection Statement under DPP 1(3) where personal data were collected.
4. The Authority's power to disclose information to third parties
It was proposed under the Bill that the Authority be conferred with extensive powers to request the supply of information and documents when investigating possible contravention of the requirements of the Bill. A wide scope of disclosure by the Authority was proposed in the Bill, including where disclosure was made in the public interest. Given the fluid concept of "public interest", the Privacy Commissioner raised his concern to the Secretary as to the possible indiscriminate transfer or disclosure by the Authority of information or documents containing personal data.
5. The Authority's powers to search and seize
It was proposed under the Bill that the Authority be conferred with powers to enter premises, to search and seize evidence and to require the production of information. As the evidence so obtained might contain personal data, the Secretary was reminded by the Privacy Commissioner of the data security requirement under DPP4. Further, the Authority should establish proper administrative measures to cover the period of retention and to ensure safe erasure of the personal data.
6. Immunity of the Authority and its authorized officers
The Bill sought to grant to the Authority and its authorized officers acting in good faith a general immunity from any civil liability and claim in respect of any act done or default made in the performance of any function of the Authority. The immunity so conferred on the Authority and its authorized officers would affect the operation of other statutory provisions where liability attached, such as section 66 of the Ordinance. The Privacy Commissioner had therefore advised the Secretary to reconsider the need for an immunity clause.
There has been no further development during the period under review.
Draft Companies (Revision of Accounts and Reports) Regulation
During the drafting stage, the Secretary for Financial Services and the Treasury ("the Secretary") consulted the PCPD on the draft provisions of the Companies (Revision of Accounts and Reports) Regulation ("the Regulation"), which would complement the implementation of the Financial Reporting Council Ordinance, Cap. 588, enacted by the Legislative Council on 13 July 2006.
The objective for the introduction of the Regulation was to give recognition to the new regime enabling company directors to voluntarily revise accounts where the original account did not comply with the Companies Ordinance, Cap. 32.
The Privacy Commissioner commented that in situations where the revision of the account canvassed the accuracy of personal data contained in the original account, the company directors, as data user, should take all reasonably practicable steps to ensure compliance with DPP2(1) of the Ordinance, i.e. the duty to maintain the accuracy of the personal data collected and disclosed. Further, where it was practicable to know that personal data disclosed to a third party were materially inaccurate having regard to the purpose for which the data are used by that third party, the third party should be so informed and provided with such particulars as would enable it to rectify the data having regard to that purpose.
In relation to the proposed Regulation 14, which permitted the revised accounts or reports of listed companies to be sent to recipients by use of a computer network, the Privacy Commissioner informed the Secretary of the security requirement under DPP4 should there be personal data contained in those revised accounts or reports.
Meanwhile, there has been no development in respect of the proposed Regulation during the period under review.