1. The Privacy Commissioner for Personal Data (“Privacy Commissioner”) Mr. Allan Chiang expressed concerns on specific clauses of the Personal Data (Privacy) (Amendment) Bill 2011 (“the Bill”) at the Bills Committee meeting on 23 April 2012.
2. The Privacy Commissioner’s concerns are predominantly related to the regulation of the use of personal data for direct marketing and transfer/sale to third parties. The Bill specifically requires the data user to notify the data subject of the kinds of personal data to be used/transferred/sold, the classes of products/services to be marketed and the classes of persons to which the data is to be transferred/sold. These requirements are nothing new as they are included in the Guidance on Collection and Use of Personal Data in Direct Marketing issued by the Privacy Commissioner in October 2010. The new requirements in the Bill, which significantly enhance the data subject’s right of self-determination over his personal data, are (i) the need for the data user to provide a response channel for the data subject to indicate that he has no objection to the intended use/transfer/sale of the personal data, and (ii) the restriction that the data user cannot use/transfer/sell the personal data before the data subject’s indication of no objection is received.
Grandfathering arrangement
3. The Bill also provides a grandfathering arrangement under which these new requirements will not apply to personal data that has been used in direct marketing before the entry into force of the new requirements (“the commencement date”). In other words, the data user can continue to use such personal data after the commencement date without complying with the new requirements as long as it is used for direct marketing of its own products/services which belong to the same class of products/services as before.
4. “I envisage that the commencement date will not be a date immediately following the passage of the Bill because sufficient time has to be allowed for data users to prepare for the documentation and procedural changes and IT system enhancement, and for us to draw up the new guidance for data users’ compliance and to undertake other promotion and education activities to introduce the new legislative provisions. The Hong Kong Association of Banks has suggested a lead time of not less than 10 months. My worry is that some data users may during this intervening period carry out massive direct marketing activities principally for the purpose of avoiding as far as possible compliance with the new requirements after the commencement date. In order to prevent this happening, I have proposed to the Bills Committee to specify a cut-off date (a date as soon as possible after passing of the Bill) after which the data user cannot seek cover under the grandfathering arrangement,” Mr. Chiang commented.
5. “I am also concerned that the wordings of the provisions in the Bill do not spell out clearly if and how future updates of the personal data held by a data user before the commencement date are covered by the grandfathering arrangement. I would suggest that a simple updating of the pre-existing data such as contact personal particulars should be covered but acquisition of new data through (i) updating of the data subject’s personal profile and (ii) new business deals with the data subject should not be covered,” Mr. Chiang added.
Written/oral indication of no objection
6. In view of the prevalence of telemarketing, the Administration proposes to permit (i) a data user’s notification to the data subject as regards use of his personal data for direct marketing and transfer/sale to third parties, and (ii) the data subject’s indication of no objection to such use, to be concluded orally.
7. “This is a watered-down proposal compared with notifying the data subject in writing and obtaining from him a written response. I would insist on the written approach for the sale or transfer of personal data to third parties. This reduces or eliminates the chances of miscommunication between the two parties,” Mr. Chiang commented.
8. “As for the data user’s direct marketing of its own products/services, I can accept the verbal arrangement if it is accompanied by additional safeguards such as requiring the data user (i) to send a written confirmation to the data subject within 14 days of the latter’s response of no objection, and (ii) not to use the personal data until 14 days have lapsed after issue of the written confirmation and no adverse comment is received,” Mr. Chiang added.
Tracing the source of personal data
9. When personal data are transferred or sold to third parties under either the existing or the proposed regulatory regime, the data users need only inform the data subjects of the classes of persons to which the data is to be transferred/sold, not individual transferees. As such, the data subject would experience extreme difficulties in tracing the culpable parties who improperly transfer or sell his personal data. He would have to make an opt-out against the direct marketing approach of each and every transferee as it arises, instead of the more effective alternative of tackling the problem at its root.
10. “I have repeatedly urged the Administration to confer on the data subjects a right to be informed of the source of their personal data by direct marketers, but to no avail. Noting there is support or no objection from the major industries engaged in direct marketing, I urge the Administration to favorably re-consider the proposal,” Mr. Chiang remarked.
Details of submission to the Bills Committee
11. Full details of the Privacy Commissioner’s concerns and his comments on the Administration’s response at the Bills Committee meeting on 23 April 2012 are found in the Annex. It is expected that they will be discussed at the next Bills Committee meeting scheduled on 2 May 2012.
END