1. The Privacy Commissioner for Personal Data (“the Commissioner”) Mr. Allan CHIANG, made a submission today to the Administration and the Legislative Council’s Panel on Constitutional Affairs in response to the Government’s Report on Further Public Discussions on Review of the Personal Data (Privacy) Ordinance issued on 18 April 2011.
2. Mr. Chiang said, “As the regulator for personal data protection, I look forward to an early implementation of the various amendment proposals which will lead to enhanced protection. There are, however, a significant number of proposals made by us which the Administration has decided not to pursue. These include proposals to increase the sanctioning powers of this Office, tighten the regulation on data processors and afford sensitive personal data greater protection. On these shelved proposals, our position remains unchanged as we believe they are meeting rising public expectations to deter privacy contraventions more vigorously.”
3. Mr. Chiang further said, “The Administration has made detailed implementation proposals in its recent report. These will need to be looked at with caution. We note with particular concern several crucial flaws in the Administration’s implementation proposals regarding collection and use of personal data in direct marketing as well as unauthorized sale of personal data by data user.”
4. “Firstly, as regards sale of personal data by the data user for a monetary gain or in kind gains, the Administration has proposed to permit the data user to inform the data subject any time after collecting the data that the data are to be sold. This is out of keeping with Data Protection Principle (“DPP”) 1(3) in Schedule 1 of the Personal Data (Privacy) Ordinance (“the Ordinance”) which requires the purpose of use of the data to be made known to the data subject on or before collecting the data. With this delay approach, the data user’s notification that the data would be sold can take place at any un-predetermined time after data collection. In addition, it would be incumbent on the data subject to make a specific opt-out request in response to the notification. If the data subject does not respond within 30 days, he would be deemed to have not opted out and the data user may proceed to sell the data to third parties. As such, data users are likely to make more use of delayed notification rather than giving notification on or before collecting the data.”
5. “Secondly, there are conceivable difficulties in coming up with a fair and effective system of delayed notification by the data users. They may not have updated contact particulars of the data subjects and the means of notification may fail for one reason or another. As such, failure of the data subject to exercise the opt-out option may be due to non-receipt of the data user’s notification and the application of the deeming rule would be unfair to the data subject. To address this imbalance against the data subject, the data user may be asked to maintain documentary proof of the correct issue of the notification but the cost of doing so may be disproportionately high.”
6. “Thirdly, if a data subject does not opt-out at the first opportunity (that is, within 30 days after the data user gave the notification) and only exercises this option later, the difficulties he faces could well be insurmountable. At this late stage, he may be dealing with the transferee(s) of his personal data rather than the data user making the data transfer. He may not even be able to identify the original data source and tackle the problem at its root. Instead he may have to deal with individual data transferees as they make direct marketing approaches. To assist the data subject in this uphill struggle, we have earlier proposed to give the data subject a legal right to demand the data transferee to trace the source of the data but regrettably the Administration has chosen not to pursue this proposal.”
7. “Fourthly, in most if not all cases where the data subject is not informed before or at the time of data collection that the data would be sold, sale of data as the purpose of use would fall outside the reasonable expectation of the data subject and therefore not consistent with or directly related to the original purpose of use of the data. In the circumstances, DPP 3 in Schedule 1 of the Ordinance requires the data user to obtain the prescribed consent of the data subject before the data could be sold. Prescribed consent of an individual means express consent given voluntarily, and it cannot be inferred or implied from conduct or silence. Hence, under the current regime, unless the data user receives a positive indication from the data subject, the data user cannot sell the personal data of the data subject. In contrast, the Administration’s deeming rule as laid down in its current proposal in effect obviates the requirement for prescribed consent and legalizes sale of personal data by data users without seeking the data subject’s prior consent: an act which is not permissible under DPP 3. In sum, it falls short of the strong public expectation revealed in the Octopus incident and represents a retrograde step in tightening up control over the sale of personal data by data users. ”
8. “As regards collection and use of personal data in direct marketing, the Administration has proposed to provide for delayed notification of use of data for direct marketing, and to apply also the opt-out mechanism and deeming rule. The proposal is therefore beset with the same flaws pointed out above for sale of personal data. Specifically, they give rise to concern about deliberate delay in notification, which must be addressed by the Administration when drafting the amendment bill. ”
9. Mr. Chiang added, “We hope that our submission will be duly considered by the Administration and the Legislature so that the amendment bill to the Ordinance will best meet the public aspirations for protecting personal data privacy.”
10. A full version of the Commissioner’s submission can be accessed from the website of the Office of the Privacy Commissioner for Personal Data at: http://www.pcpd.org.hk/english/files/infocentre/legco_paper_20110531_e.pdf.