
Media Statement - Investigation Reports: Excessive Collection of Data and Ineffective Communication regarding Purposes of Use of Data and Classes of Data Transferees

Date: 11 October 2012

1. The Privacy Commissioner for Personal Data (“the Commissioner”), Mr. Allan Chiang, published four investigation reports today (11 October) on the collection and use of customers’ personal data under the following prominent customer loyalty schemes:-

(a) the “Fun Fun Card” program[1] operated by China Resources Vanguard (Hong Kong) Company Limited (“CRV”);
(b) the “Mann Card Program” operated by The Dairy Farm Company Limited (“DFC”);
(c) the “MoneyBack Program” operated by A.S. Watson Group (HK) Limited (“ASW”) through PARKnSHOP and Watsons.

Background

2. These customer loyalty programs, which are very common in Hong Kong, are open for application by consumers aged 18 or above. Members who have successfully enrolled in the programs can accumulate reward points for purchases made at specified retail outlets which can be redeemed as cash vouchers for payment in further purchases. Members also receive special purchase discounts at the specified retail outlets and promotional offers made by the program operators.

3. The Commissioner investigated the programs to ascertain if the collection of the program applicants’ personal data and its subsequent use was in compliance with the Data Protection Principle (“DPP”) 1 and DPP3 respectively under the Personal Data (Privacy) Ordinance (the “Ordinance”).

The Commissioner’s Findings

4. The Commissioner found the following common contraventions among the program operators:-

(a) They had collected the applicants’ Hong Kong Identity Card or passport number (“ID no.”) (complete or partial number) for the purpose of providing them with a default log-in password for using the program’s online service. This amounted to unnecessary and excessive collection and thereby contravened DPP1(1), as any set of alpha-numerals will suffice for the same purpose.
(b) They also contravened DPP1(3) for having failed to take all reasonably practicable steps to ensure that program applicants were notified of the matters required under DPP1(3) such as the purpose of use of the data and the classes of persons to whom the data might be transferred.

5. Details of all the contraventions are listed in the Annex, arranged by program.

6. In particular, the program operators had either failed to define, or had ill-defined, the purpose of use of the data and/or the classes of data transferees, with the result that it would not be practicable for program applicants to ascertain with a reasonable degree of certainty how their personal data could be used and who could have the use of it. Despite these contraventions, the program operators confirmed that in practice the use and transfer of the data were restricted to, and directly related to, the program objectives. The Commissioner found no evidence to the contrary and hence there was no contravention of DPP3.

Enforcement Action

7. Pursuant to section 50(1) of the Ordinance and in consequence of an investigation, if the Commissioner is of the opinion that the relevant data user is contravening or has contravened a requirement under the Ordinance, the Commissioner may serve on the data user an enforcement notice, directing the data user to remedy and, if appropriate, prevent any recurrence of the contravention.

8. The Commissioner has not served an enforcement notice on CRV as, based on the following, he is satisfied that CRV has taken adequate steps to remedy the contraventions:-

(a) During the course of investigation, it had ceased the collection of the program applicants’ ID no. and year of birth.
(b) It has provided the Commissioner with a formal undertaking to complete the erasure of ID no. and year of birth previously collected under the program.
(c) It has incorporated into the application form a notice which provides details on the data collection purposes, classes of transferees who might receive the data and CRV’s practice in handling data access as well as data correction requests. It is still refining the notice to improve the program’s compliance with the Ordinance.

9. Similarly, the Commissioner has not served an enforcement notice on DFC as, based on the following, he is satisfied that DFC has taken adequate steps to remedy the contraventions:-

(a) During the course of investigation, it had redesigned the application form and revised the terms and conditions as well as the privacy policy for the program. As a result, the partial ID no. and the year of birth are no longer collected and the classes of data transferee are clearly defined.

(b) It had completely erased the partial ID no. and the year of birth previously collected from the program applicants, and this exercise was performed and certified by a third party service provider.

10. Nevertheless, the Commissioner has put both CRV and DFC on warning that if they fail to observe the relevant requirements of the Ordinance in similar situations in future, he may consider taking enforcement action against them, including the serving of an enforcement notice.

11. Meanwhile, the Commissioner has served an enforcement notice on ASW as the contraventions were still continuing at the conclusion of the investigation. Among other things, the notice directs ASW to:-

(a) cease collection of the program applicants’ partial ID no.;
(b) erase completely the partial ID no. of program applicants and members that ASW has previously collected; and
(c) revise the program terms and conditions to
    (i) remove ill-defined purposes of use of the data such as “other related purposes”,
    (ii) define the nature of business of “partners”, “subsidiaries”, and “affiliates”, and ensure they are related to the program objectives, and
    (iii) remove classes of data transferees which are unrelated to the program objectives, in particular, “any other persons under a duty of confidentiality to (ASW)” and “any company within Hutchison Whampoa Limited, Cheung Kong (Holdings) Limited, their respective subsidiaries and any company in which the same has an interest”.

The Commissioner’s Comments

12. “After the Octopus incident in 2010, public awareness of the collection and use of personal data in direct marketing activities has been significantly raised. I expect that corporations in Hong Kong should have learnt a lesson and paid more attention to data privacy regulations. In this regard, I am glad to see that CRV and DFC had on their own initiative taken steps to comply with the requirements of the Ordinance during the investigation. This sets a good example of a responsible data user taking prompt remedial actions for its non-compliant practice so that I do not have to resort to enforcement action,” said Mr. Chiang.

13. “On the other hand, it is disappointing to note that notwithstanding the efforts made by ASW to revise its terms and conditions of the MoneyBack Program, the revision is a half-hearted exercise. It falls short of learning from the Octopus incident by repeating some of the mistakes made. Instead of being prompted to rectify the mistakes during the investigation, ASW was evasive and slow in responding to my enquiries, and displayed a lack of sensitivity to privacy and data protection. This is out of keeping with the community aspirations and is particularly unacceptable in view of the high penetration of the MoneyBack Program among the Hong Kong public and the large number of members (about 1.6 million) enrolled in the program,” added Mr. Chiang.

14. “With the enactment of the Personal Data (Privacy) (Amendment) Ordinance 2012, a tighter regulatory regime will be introduced in 2013 for the collection and use of personal data for direct marketing. The consequences of contravening the new requirements are dire. For example, if a data user fails to inform a data subject in an easily readable and understandable manner of its intention to use the personal data for direct marketing before it engages in the direct marketing activities, or if a data user fails to specify, in an easily readable and understandable manner, the classes of persons to which the data will be transferred for direct marketing before the data transfer, the data user commits an offence and is liable on conviction to a fine of $500,000 and to imprisonment for 3 years. I would like to remind all organizational data users in Hong Kong to seriously review their privacy policies, personal information collection statements and data protection procedures to ensure compliance with the new provisions of the Amendment Ordinance,” Mr. Chiang concluded.

Access to Investigation Reports

15. For details of the case background, findings, the Commissioner’s recommendations and other comments, please refer to the four investigation reports, copies of which can be obtained from the Office of the Privacy Commissioner for Personal Data at 12/F., Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong or downloaded from its website (http://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/invest_report.html).

[1] Now known as the "Vanguard Rewards Card" program.

END