Pdpo in Hong Kong

In the 21st century, we are living in the digital world. Personal information and data can be easily collected, accessed and transferred. It is important to safeguard the usage and collection of personal data as the business and technologies have been changing over time. In Hong Kong, Article 30 of the Basic Law states that ‘the freedom and privacy of communication of Hong Kong residents shall be protected by law.’ Furthermore, the Hong Kong Personal Data (Privacy) Ordinance (Cap 486) (PDPO) is the essential law that protects the privacy of the individuals regarding to personal data. It was enacted in 1995 and based upon the United Kingdom’s Data Protection Act 1984. Nevertheless, the PDPO came into force for more than 17 years, it is being overhauled that the inadequacy to deal with many privacy issues created by the development of the technology. In 2009, the government realised that there was a need for reform of the PDPO and conducted the public consultation. In 2010, due to the strong public reaction with regards to the incident involving Octopus Holding Limited for its unauthorized sale of the personal data of its customers, it reflected the necessity for the reform of the Ordinance. In June 2012, the Legislative Council passed the Personal Data (Privacy) (Amendment) Ordinance which tried ‘to balance the enhancement of data subject’s rights on the one hand and the data user’s effective use of personal data on the other.’ In this paper, I am discussing whether the amendment of the PDPO has effectively addressed the current problems as the use and transfer of personal data is easier in the digital world today.

Direct Marketing
Due to the public uproar over the sale by the Octopus Card management company of the personal data of millions of its clients to business partners through current technologies, a great portion of the amendments have targeted with this specific types of transfer of personal data and implemented stricter control regarding the sale of personal data for direct marketing. Section 34 of the PDPO was replaced by new Part VIA which states that ‘data users intending to use personal data for direct marketing purpose must provide an opt-out to data subjects at the time of the first use of such data for direct marketing.’ Although the opt-out right of data subject remains the same, the replacement of section 34 imposed some mandatory requirements which personal data is to be transferred for direct marketing purposes. The amendments have included the timing of data subject’s right to opt-out at any time which was not specified before. In addition, the data users are required to specific actions to inform and acquire consent from the data subjects for the intended use of personal data for direct marketing that were not specifically required before the amendment. Furthermore, the penalty for non-compliance of the ‘opt-out’ right of data subject has increased from HK$10,000 to HK$ 500,000 and three years imprisonment. These newly added requirements comply with the Data Protection Principle 1 (DPP1) which requires the data subject must be given reasons for the collection of the data and Data Protection Principle 3 (DPP3) that requires the need of consent to the use of personal data. I understand the increment of the penalty as the previous fine did not serve a effective deterred effect, especially to big companies for which such a penalty is a mere trifle.
However, I do not perceive the more liberal approach in Part VIA which provides ‘consent, in relation to the use of personal data in direct marketing or a provision of personal data for use in direct marketing, includes an indication of no objection to the use or provision.’ It is unreasonable to treat silence as consent as it is stipulated in the fundamental contract law principle which ‘the general rule is that silence does not amount to an acceptance.’ It is unfair and burdensome for the data subject to take the positive action against the use of their personal data by the data user that they do not wanted to be used at the beginning. Therefore, I would definitely advocate the use of the ‘opt-in’ method e.g. consent of usage of personal data when doing online transactions. In Innovations (mail Order) Ltd v Data Protection Registrar, it was held that the purpose was not obvious and required express consent as an ‘opt-in’ instead of ‘opt-out’. Similarly, British Gas Trading v Data Protection Registrar had put the burden to the consumers again and it was held that the customers had to positively inform British Gas if their consent to the significant change of use in relation to their personal data. It has proven that express consent as an ‘opt-in’ fell within the scope of DPP3 which personal data may only be used for the purpose when it was collected. Legislator James To said many people did not have time to read the small print on forms or ignored direct mail and emails. He further questioned if it is fair to presume we are very pleased to allow company to use our personal data. However, the undersecretary for constitutional and mainland affairs, Adeline Wong said if the ‘opt-in’ system is adopted, the opt-in percentage will be extremely low and this could kill the direct marketing industry. I do not agree on Wong’s comment, as there are other channels to do marketing in the digital world e.g. advertisement on digital TV and radio.

Powers of the Privacy Commissioner and new offences
Before the amendment of the Ordinance, it has always been criticised that it has no teeth and there was not much power by the Privacy Commissioner. The Commissioner was only empowered to investigate and issue enforcement notices when parties had breach the data protection principles. The former Commissioner, Roderick Woo, had pointed out that the powers of the Commissioner needed to be strengthen that would allow the Commissioner to carry out criminal investigation and prosecution. He also raised the point of providing legal assistance to the grieved data subjects. The amendment had incorporated his suggestions in s 64 and s 66 of PDPO. Moreover, the period of time for laying information before the court has been increased from six months to two years which allows the Commissioner to have sufficient time to investigate and refer cases for prosecution if suitable. Significantly, the amendment allows the Commissioner to ‘serve an enforcement notice irrespective of whether the contravention will continue or repeated.’ This amendment is to counteract the Octopus incident which despite of the Commissioner’s finding on Octopus had violated three data protection principles, including collecting more data than needed to verify its customers’ identity and selling it for monetary gain; the commissioner was unable to serve an enforcement notice as Octopus had responded that it would destroy and erase its member’s identity card numbers and birth dates from its data base within two months.
Apart from authorizing greater power to the Privacy Commissioner, the penalties for the amended Ordinance have generally been raised. The new s 64 of the PDPO stipulates that anyone who discloses personal data of a data subject obtained from a data user without its consent and with intent to obtain gain from it, or loss to the data subject is an offence. It is also an offence if the unauthorized disclosure causes psychological harm to the data subject. The maximum penalty has increased to a fine of $1,000,000 and imprisonment for 5 years.
The new power of the Privacy Commissioner and the new offences will definitely serve a sufficient deterrence especially to the big companies that had breached the data protection principles before by the use and transfer of personal data in the digital world.

Data Processor and Cross Jurisdiction
According to the amendment, the new DPP2(3) imposed new obligation that requires data user who ‘engages a data processor, whether within or outside Hong Kong, to process personal data on its behalf, the data user must adopt contractual or other means to prevent the personal data from being kept longer than necessary.’ It brings out two issues, i) the cross-jurisdiction issue, and ii) the enforcement issue against data processor. Since s 33 of the PDPO is not yet in force, the data processors who are operating outside of Hong Kong and received the data via the digital platform are not specifically regulated under the PDPO. Similar to DPP2(3), DPP4(2) states that when the ‘data users engage a data processor to process personal data on its behalf, it shall adopt contractual or other means to prevent the unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the date processor.’ The use of contractual means is not practicable as the words ‘other means’ were not defined in the amendment. It is more like a self-regulating requirement. The incidents of leaking or losing personal data during transfer of data by various government departments, either from the internet or lose of USB have been continued to occur. However, the Commissioner was unable to do much to the data processors. It is more efficient if there are specific guidelines or policies to be introduced in the PDPO to deal with these problems.

Conclusion
In conclusion, the amendments of the PDPO have generally targeted to control the abuse use and transfer of personal data in the direct marketing industry especially when it is easier to transfer and obtain data in the digital world today. By introducing more requirements to the use and transfer of personal data and allowing more power to the Privacy Commissioner, it will logically reduce the breach of the PDPO by the data user. Also, the raise of penalties and new offences will significantly serve the deterrent effect of the breach of the PDPO. However, I think a more stringent approach can be adopted i.e. by applying the ‘opt-in system’. Furthermore, the cross-jurisdiction transfer of personal data has not been addressed in the amendment. Finally, the enforcement and monitor against the ‘data processor’ is still vague in the amended PDPO. In the fast growing digital world, it is important that the PDPO keeps up with the change of the technologies in order to protect the privacy of the individuals.