Information Centre

Media Statement

 


Date: 26 April 2012

Privacy Commissioner raised major concerns on specific clauses of the Personal Data (Privacy) (Amendment) Bill 2011

1.    The Privacy Commissioner for Personal Data (“Privacy Commissioner”) Mr. Allan Chiang expressed concerns on specific clauses of the Personal Data (Privacy) (Amendment) Bill 2011 (“the Bill”) at the Bills Committee meeting on 23 April 2012.

2.    The Privacy Commissioner’s concerns are predominantly related to the regulation of the use of personal data for direct marketing and transfer/sale to third parties. The Bill specifically requires the data user to notify the data subject the kinds of personal data to be used/transferred/sold, the classes of products/services to be marketed and the classes of persons to which the data is to be transferred/sold. These requirements are nothing new as they are included in the Guidance on Collection and Use of Personal Data in Direct Marketing issued by the Privacy Commissioner in October 2010. The new requirements in the Bill, which significantly enhance the data subject’s right of self-determination over his personal data, are (i) the need for the data user to provide a response channel for the data subject to indicate that he has no objection to the intended use/transfer/sale of the personal data, and (ii) the data user cannot use/transfer/sell the personal data before the data subject’s indication of no objection is received.

Grandfathering arrangement
3.    The Bill also provides a grandfathering arrangement under which these new requirements will not apply to the personal data that has been used in direct marketing before the entry into force of the new requirements (“the commencement date”). In other words, the data user can continue to use such personal data after the commencement date without complying with the new requirements as long as it is used for direct marketing its own products/services which belongs to the same class of products/services as before.

4.    “I envisage that the commencement date will not be a date immediately following the passage of the Bill because sufficient time has to be allowed for data users to prepare for the documentation and procedural changes and IT system enhancement, and for us to draw up the new guidance for data users’ compliance and to undertake other promotion and education activities to introduce the new legislative provisions. The Hong Kong Association of Banks has suggested a lead time of not less than 10 months. My worry is that some data users may during this intervening period carry out massive direct marketing activities principally for the purpose of avoiding as far as possible compliance with the new requirements after the commencement date. In order to prevent this happening, I have proposed to the Bills Committee to specify a cut-off date (a date as soon as possible after passing of the Bill) after which the data user cannot seek cover under the grandfathering arrangement,” Mr. Chiang commented.   

5.    “I am also concerned that the wordings of the provisions in the Bill do not spell out clearly if and how future updates of the personal data held by a data user before the commencement date is covered by the grandfathering arrangement. I would suggest that a simple updating of the pre-existing data such as contact personal particulars should be covered but acquisition of new data through (i) updating of the data subject’s personal profile and (ii) new business deals with the data subject should not be covered,” Mr. Chiang added.

Written/oral indication of no objection
6.    In view of the prevalence of telemarketing, the Administration proposes to permit (i) a data user’s notification to the data subject as regards use of his personal data for direct marketing and transfer/sale to third parties, and (ii) the data subject’s indication of no objection to such use, to be concluded orally.

7.    “This is a water-downed proposal compared with notifying the data subject in writing and obtaining from him a written response. I would insist on the written approach for the sale or transfer of personal data to third parties. This reduces or eliminates the chances of miscommunication between the two parties,” Mr. Chiang commented.

8.    “As for the data user’s direct marketing of its own products/services, I can accept the verbal arrangement if it is accompanied by additional safeguards such as requiring the data user (i) to send a written confirmation to the data subject within 14 days of the latter’s response of no objection, and (ii) not to use the personal data until 14 days have lapsed after issue of the written confirmation and no adverse comment is received,” Mr. Chiang added.

Tracing the source of personal data
9.    When personal data are transferred or sold to third parties under either the existing or the proposed regulatory regime, the data users need only inform the data subjects of the classes of persons to which the data is to be transferred/sold, not individual transferees. As such, the data subject would experience extreme difficulties in tracing the culpable parties who improperly transfer or sell his personal data. He would have to make an opt-out against the direct marketing approach of each and every transferee as it arises, instead of the more effective alternative of tackling the problem at its root.
 
10.    “I have repeatedly urged the Administration to confer on the data subjects a right to be informed of the source of their personal data by direct marketers, but to no avail. Noting there is support or no objection from the major industries engaged in direct marketing, I urge the Administration to favorably re-consider the proposal,” Mr. Chiang remarked.

Details of submission to the Bills Committee
11.    Full details of the Privacy Commissioner’s concerns and his comments on the Administration’s response at the Bills Committee meeting on 23 April 2012 are found in the Annex. It is expected that they will be discussed at the next Bills Committee meeting scheduled on 2 May 2012.
 
 
 
END
 

Back to top

End of Page


[Media Statement] [Speeches, Articles & Papers] [Exhibition Materials] [Other Related Websites] [Archive] [Other Resources] [On-line Self Training] [Submissions to Public Consultation] [Privacy Commissioner's response following former Deputy Commissioner's conviction] [Response to the loss of medical data by Department of Health] [Privacy Commissioner commits himself to securing patients' data] [Privacy Commissioner commences inspection against Hospital Authority] [Response to data leakage by Immigration Department] [Response to data loss by HSBC] [Privacy is Your Business International Privacy Video Competition] [Privacy Commissioner strives to promote protection of personal data privacy] [Response following former Deputy Commissioner's conviction] [The Privacy Commissioner's clarification on criminalizing data leakage] [The Privacy Commissioner responds to media report today that] [Response to data leakage by the Police] [Progress of Inspection Against Hospital Authority] [The Director of Immigration Department signed formal undertaking] [Speech by Privacy Commissioner at the special meeting of Legislative Council Panel on Home Affairs] [Response to data loss incidents by The Hongkong and Shanghai Banking Corporation Limited] [The Privacy Commissioner completes the Inspection of the Hospital Authority's Personal Data System] [Privacy Commissioner Publishes Inspection Report on Hospital Authority] [Privacy Commissioner explains recommendations on the protection of patients' data privacy] [Privacy Commissioner accepts an Undertaking by HSBC] [Privacy is Your Business International Privacy Video Competition Prize Presentation Ceremony] [Response to Judgment of judicial review application by Cathay Pacific] [Privacy Commissioner welcomes HA's effort to enhance patient data privacy] [Statement by the Privacy Commissioner Following the Judgment made in HCAL 50/2008] [PCPD received a letter from CX Flight Attendants Union] [Impact of Technology on Data Privacy] [Privacy Commissioner responds to taxi industry's proposal of installing CCTVs in taxis] [United Christian Hospital's loss of patients' data] [Privacy Commissioner hosts the 31st APPA Forum] [Privacy Commissioner urges job seekers to be careful when providing personal data] [Launch of a booklet on protection of personal data] [Investigation Report: Employer Collecting Employees' Fingerprint Data for Attendance Purpose] [The Recruitment of Deputy Privacy Commissioner (DPC)] [Response to Media Report on the Use of Fingerprint Recognition System by a School] [Privacy Commissioner Responds to Public Enquiries about the Issue of] [Investigation Report: Tutorial Centre Using a Student's Results Notice for Promotion without the Student's Consent] [Privacy Commissioner Welcomes Hospital Authority's New Measures on the Protection of Patients' Personal Data] [Investigation Report: Food Company Collecting Participants' Personal Data in Lucky Draw Activity] [Privacy Commissioner Responds to] [The need to ensure that individuals are identified by the correct personal identifiers: the case of identification of new born babies] [Public Consultation on Ordinance Review] [] [Response to Media Report on Searching for Others' Personal Data on the Internet] [Privacy Commissioner attended the 31st International Conference of Data Protection and Privacy Commissioners] [Response to Media Enquiries] [The "Value-for-money" Audit Report on PCPD issued by the Director of AuditThe] [Protective measures taken by the Hospital Authority which enhance the protection of new born babies and the accuracy of their personal data] [The Privacy Commissioner issued two investigation reports on data access request fee charged by data users and the proper handling of personal data transferred by data users to their debt collection agency] [A personal statement by Roderick Woo, the Privacy Commissioner] [Office of the Privacy Commissioner for Personal Data's Annual Report won international awards for three consecutive years] [Privacy Commissioner Launches Privacy Awareness Week 2010] [Response to recent discussion about third parties' requests for patients data] [Opinion Survey: Senior Citizens' Attitudes and Perceptions towards Personal Data Privacy] [Public Seminar on] [Privacy Campaign for Insurers] [Google collected Wi-Fi data] [Google collected Wi-Fi data in Hong Kong] [Google collected Wi-Fi data in Hong Kong] [Privacy Commissioner attended the 33rd Asia Pacific Privacy Authorities Forum] [Privacy Commissioner responds to a local magazine's editorial on privacy issues] [Privacy Commissioner Publishes Guidance Note on Data Breach Handling and the Giving of Breach Notifications] [Privacy Commissioner responds to an opinion survey report on Octopus cards and privacy issues] [Privacy Commissioner's Finding against HSBC was set aside by the Administrative Appeals Board] [The Personal Data (Privacy) Ordinance and Octopus Card System] [Privacy Commissioner initiates investigation on the Octopus] [Privacy Commissioner Publishes Information Leaflet on Privacy Impact Assessment] [Privacy Commissioner published new revised edition of a book to provide in-depth interpretation] [The Privacy Commissioner gives interim report on the investigation of Octopus] [The Privacy Commissioner Completed the Compliance Check on Google's Collection of Wi-Fi Payload Data] [The Privacy Commissioner has completed a Privacy Compliance Assessment Report on the Smart Identity Card System] [Collection of Visitors' Fingerprint Data by a Theme Park] [Investigation Report: Beauty Centre Transferring a Client's Personal Data to a Third Party without the Client's Consent] [Hong Kong Letter - Roderick Woo, Privacy Commissioner for Personal Data] [Mr. Allan Chiang took office as Privacy Commissioner] [A short video introducing the Personal Data (Privacy) Ordinance] [Privacy Commissioner reminds data users of the requirements of the Ordinance when engaging direct marketing activities] [PCPD joined APEC Cross-border Privacy Enforcement Arrangement] [Privacy Commissioner discussed organizations’ collection and use of personal data for direct marketing with a political commentary group] [Amended Data Access Request Form takes effect] [Response to media reports on the attendance records of the Personal Data (Privacy) Advisory Committee] [Privacy Commissioner completed investigation on Octopus Holdings Ltd] [Multi-media Information] [Investigation Report – Octopus Rewards Program] [Privacy Commissioner publishes Guidance on the Collection and Use of Personal Data in Direct Marketing] [Privacy Commissioner responds to Government's proposals on Review of the Personal Data (Privacy) Ordinance] [PCPD's Statement regarding investigations into the Octopus Group of Companies] [Hong Kong Letter - Allan Chiang, Privacy Commissioner for Personal Data] [Investigation Report: A Telecommunications Company Authorized Another Company to Conduct Telemarketing] [A Personal Statement by Mr. Allan CHIANG in response to media reports on his handling of a personal data privacy case when he was Postmaster General in 2005] [A Personal Statement by Mr. Allan CHIANG in response to media reports on his handling of personal data privacy cases when he was Postmaster General from 2003 to 2006] [Online Survey of the] [PCPD's Submission in response to Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance] [The Sharing of Mortgage Data for Credit Assessment] [Public Forum on Proposed Revisions to the Code of Practice on Consumer Credit Data] [Privacy concerns about resumption of Google Street View car operation] [Public Consultation on the Sharing of Mortgage Data for Credit Assessment Ended] [Consumer Roadshow on Protection of Personal Data] [Consultation Report on the Sharing of Mortgage Data for Credit Assessment] [Amendments to Code of Practice on Consumer Credit Data To Take Effect]


[About PCPD] [The Ordinance] [PCPD Activities] [Information Centre] [Personal Data Privacy Liberal Studies] [Privacy Zone for Youngsters]
[Publications & Videos] [Enquiries & Complaints] [Case Notes] [Contact Us] [Search] [Site Directory] [Graphical Version]
[Chinese Version]


Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer