
Is Sale of Personal Data a Directly Related Purpose of Use?


In this electronic age, it is easy and inexpensive for large quantities of personal data to be collected, amassed and commercially exploited, e.g. for use in direct marketing. The proliferation of the use of personal data by data users for gain has raised grave privacy concerns. Unlike other commodities, personal data can often be used without the knowledge of the data subjects.


The provision of personal data by a data user to another party for monetary gain was examined in AAB No. 38/2009. The case concerned the transfer of the personal data of a credit card account holder by the bank to an insurance company for promoting the insurance products of the latter and in return, the bank received monetary gain. In upholding the Commissioner’s finding that such use of the personal data contravened DPP3, the chairman of the AAB made the following comments:

…We failed to see how such kind of commercial activity is something that [the customer] can be said to have already given her prescribed consent …. Such use of [the customer’s] data is not the purpose for which it was first collected and its use by the Bank cannot be said to relate directly to the original purpose the data was collected, namely, the purpose was quite simply the application for a credit card and vetting of the applicant for the purpose of considering the application.


The Octopus Card case is the landmark case handled by the Commissioner prior to the Amendment Ordinance relating to the transfer of customers’ personal data by Octopus Rewards Limited (“ORL”) to third parties for gain. In this case, ORL entered into contracts with its business partners, including insurance companies and market research companies, for the sharing of Octopus card members’ personal data. Monetary benefits, in the form of set up fees, bonuses and commissions were received in return. The transactions in essence involved the sale of personal data.


Although the sale of personal data by ORL was not, per se, an act prohibited under the Ordinance, the Commissioner took the view that it could not be regarded as the original purpose or a directly related purpose of the collection of customers’ personal data. The members would have expected the Octopus Rewards Programme to operate as a customer loyalty scheme but not as an arrangement for ORL to sell their personal data. The sale of personal data was not stated in the Terms and Conditions of the Programme and members’ signatures to the application form could not be construed as consent for the sale of personal data. For these reasons, ORL was found to have contravened DPP3.


In another case involving a bank’s provision of personal data of its credit card account customers to an insurance company for promotion of its insurance products, the insurance company had to pay a list rental fee to the bank and if the customers purchased any product, the insurance company had to pay the bank a service fee. The Commissioner considered that the bank’s action was in substance a sale of customers’ personal data to the insurance company, which fell outside the reasonable expectation


See also paragraphs 5.18, 5.73, 5.80 and 5.85 in Chapter 5 for discussion on this case.