Case Notes

This case is related to customer data

Case No.: 2022A01

(AAB Appeal No. 46 of 2022)

Use of personal data – cross-brand access to and use of personal data of clients post-acquisition – due diligence exemption under section 63B of the PDPO – defence under section 65(3) of the PDPO – procedural irregularities – discretion to issue enforcement notice duly exercised

Coram:
Mr Jenkin SUEN, SC (Deputy Chairman)
Mr Ernest CHAN Ho-sing (Member)
Ms Christine YUNG Wai-chi (Member)

Date of Decision: 26 February 2025

The Complaint

The appeal arose from two complaints against brands acquired by the Appellant. In one complaint, the complainant took her daughter to Brand A to consult a doctor. She was later informed that her daughter’s personal data had been transferred to another brand under the Appellant when the doctor switched to work for that brand. In another complaint, the complainant provided his personal data to Brand B and discovered later that the staff from another brand under the Appellant had accessed his personal data.

The Privacy Commissioner’s Decision

Upon investigation, the Privacy Commissioner found that, after acquiring Brand A and Brand B, the Appellant stored the personal data of the clients of these two brands in its integrated system (System) and shared parts of the personal data among the 28 brands of the Appellant via the System. This arrangement enabled the frontline staff of various brands to have access to the relevant personal data, despite no prescribed consent being sought by the Appellant from the clients for such an arrangement. The Appellant also never informed the existing clients of the acquired brands of the relevant acquisition by any means, nor had it provided those clients with its privacy policy.

The Privacy Commissioner found that the Appellant had contravened the requirements of DPP 3, as the aforementioned arrangement was inconsistent with the original purpose of collection of the complainants’ personal data. The Privacy Commissioner issued an enforcement notice, directing the Appellant to remedy and prevent recurrence of the relevant contraventions. Dissatisfied with the Privacy Commissioner’s decision, the Appellant lodged an appeal to the Administrative Appeals Board (AAB).

The Appeal

The AAB confirmed the Privacy Commissioner’s decision and dismissed the appeal on the following grounds:

  1. The AAB agreed with the Privacy Commissioner’s finding that frontline staff of the Appellant’s brands were able to access the clients’ personal data in the System across brands and to use it.
  2. The AAB stressed that the personal data collected by Brand A or Brand B was intended for the provision of services by those brands only, not by other brands within the same field of services or within the same group company. Furthermore, since access to personal data by other brands did not facilitate the provision of services by Brand A or Brand B, the sharing of personal data was not directly related to the original purpose of collection. The Personal Information Collection Statement (Statement) of the Appellant, which permitted access to personal data across different brands, would only apply to new customers who consented to the Statement, but not to personal data collected by the brands concerned before they were acquired by the Appellant.
  3. Section 63B of the PDPO did not apply since this case did not involve a due diligence exercise but rather the post-acquisition use of personal data. Section 65(3) was also not applicable, as the underlying problem stemmed not from the acts or practices of employees per se, but the design and features of the System.
  4. The AAB rejected the Appellant’s allegations of procedural irregularities. It was observed that the Privacy Commissioner is not under a statutory duty to disclose enforcement actions and recommendations in advance. Furthermore, the Privacy Commissioner had already provided the Appellant with a draft of the relevant parts of the investigation report setting out her findings and reasoning in great detail. The AAB affirmed that the Privacy Commissioner has a flexible and wide discretion as to the conduct of investigations and how she may be furnished with information, and can make such inquiries as she thinks fit.

The AAB’s Decision

The appeal was dismissed.

(Uploaded in May 2025)

