Hong Kong Broadband Network Limited (HKBN) pleaded guilty to six charges under the Personal Data (Privacy) Ordinance (PDPO) last Wednesday (20 May 2020) at the West Kowloon Magistrates’ Courts, relating to the offences under sections 35E(1) (three charges) and 35G(3) (three charges) of the PDPO for using the personal data of a data subject in direct marketing without obtaining the data subject’s consent, and failing to comply with the requirement from a data subject to cease to use his personal data in direct marketing. HKBN was fined HK$12,000 in total (HK$2,000 in respect of each charge).
The case concerned a complaint received by the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) in 2018.
The complainant had subscribed broadband service with HKBN since September 2014, and opted out the use of his personal data in direct marketing in November 2016. However, the complainant received a total of three direct marketing calls from HKBN in March and July 2018 promoting a new service plan. He then complained to the PCPD. After processing the complaint, the Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) was of the view that HKBN had failed to obtain the complainant’s consent for using his personal data in direct marketing, and to comply with the complainant’s opt-out request. Contravention of the legal provisions on direct marketing is a criminal offence. Since the PCPD does not have criminal investigation and prosecution powers, the case was therefore referred to the Police for follow-up actions.
Relevant Statutory Provisions
Section 35E(1) of the PDPO provides that a data user who has complied with section 35C by taking the specified actions (such as informing the data subject of his rights and the requisite information) must not use the data subject’s personal data in direct marketing without obtaining his consent.
Pursuant to section 35G(3) of the PDPO, a data user who has received a customer’s request for cessation of using his personal data in direct marketing must comply with the request without charge.
Failure to comply with any of the requirements above is a criminal offence, which is punishable by a maximum fine of HK$500,000 and maximum imprisonment for 3 years for both offences.
The Privacy Commissioner Mr Stephen Kai-yi WONG said, “The case has demonstrated the importance of developing and implementing relevant privacy policies, procedures and guidelines, as well as providing proper training to employees handling customers’ personal data. Organisations should never ignore customers’ opt-out requests.” The Privacy Commissioner also stressed that privacy is a fundamental right of an individual and is protected by laws. Organisations should abide by higher ethical standards and adopt the three management values (i.e. respectful, beneficial and fair) in handling customers’ data so as to protect customers’ dignity, and respect their rights in deciding on use of their personal data. By doing so, organisations can meet customers’ expectations, and at the same time meet the requirements of laws and regulations.
The Privacy Commissioner also reminded consumers that if they still receive direct marketing messages after making opt-out requests, they should make a record and gather as many details of the direct marketing messages as possible so as to enable themselves to formulate a valid complaint to the PCPD.
The PCPD has published the following publications for organisations and consumers: