Cautionary tale: Hong Kong courts take a serious approach for data privacy enforcement
Recent cases have demonstrated a rise of penalty level of the data privacy offences in Hong Kong. The Privacy Commissioner announced that an insurance agent was sentenced to a community service order for breaching direct marketing provisions.
An insurance agent has been ordered by the Hong Kong courts to serve 80 hours of community service for committing each of the two direct marketing offences under Hong Kong’s Personal Data (Privacy) Ordinance (PDPO). This case stemmed from the agent’s failure to obtain the data subject’s consent for direct marketing purposes and the failure to inform the data subject of his right to opt-out of direct marketing without charge.
In this case, the complainant had purchased an insurance policy from an insurance company. Subsequently, he received a letter from the insurance agent who worked for a different insurance company. In that letter, the agent sought to promote financial services of his insurance company in the letter to the complainant. The agent did not obtain the complainant’s consent for direct marketing purposes, nor did the agent notify the complainant of his opt-out rights before using the individual’s personal data for direct marketing for the first time.
Why does it matter to you?
This is not the first time where an individual was held accountable for contraventions of the PDPO, highlighting that individuals (and not only organisations) may be subject to criminal liabilities. Similarly in December 2015, a real estate agent was fined for obtaining personal data in a social function and transferring that data to an insurance agent for direct marketing purposes. The insurance agent used the personal data for direct marketing but was fortunate to be acquitted due to evidential reasons.
Nevertheless, this is the first case where the court has imposed a Community Service Order instead of a fine and it perhaps demonstrates that a harder line is being taken on marketing related breaches. In 2015, the Privacy Commissioner referred 53 cases relating to contraventions involving the use of personal data for direct marketing to the police for criminal investigation and prosecution, resulting in a total of four convictions with fines. This case further demonstrates that direct marketing offences are being taken even more seriously and the court will exercise its powers to take appropriate enforcement measures.
Both organisations and individuals should err on the side of caution when reviewing and formulating their direct marketing communications and practices. The Privacy Commissioner has taken this opportunity to remind data users that “even if the data subject has given his consent, the data user is still required to inform the data subject of his opt-out right, when using his personal data in direct marketing for the first time.” Data subjects should also be reminded of their right to require organisations to cease to use their personal data at any time without incurring any charges.
For a summary of previous important cases and implications in relation to direct marketing offences, please see our articles Landmark decision on Hong Kong’s direct marketing rules and Second conviction of Hong Kong’s direct marketing offences.
