Earlier this year, I had noted that companies are not required to send data breach notifications to Hong Kong residents. However, it appears that the Hong Kong legislature is not unaware of or unresponsive to the need for personal data protections: Hong Kong has a bill (“Personal Data (Privacy)(Amendment) Bill 2011” — also referred to as the “PDP Amendment Bill”) that addresses Hong Kong residents’ concerns about the misuse of personal data. The amendment is to be implemented sometime in 2012.
Granted, personal data privacy is not quite the same thing as personal data protection: the former carries no requirement to protect data, such as with the use of laptop encryption software like AlertBoot. However, it contributes to data security overall and should be a welcome addition for Hong Kong residents who want more control over their personal data.
(Supposedly, a big force behind the law was the revelation that there was substantial cross-marketing going on between Octopus Rewards and local HK banks. Octopus is a stored-value card that is used in the Hong Kong metro system and also accepted at numerous retailers.)
At lexology.com, the contents of the new bill have been divided into three areas: direct marketing; sale of personal data; and disclosure of personal data obtained without the data user’s consent. This is not a bad way to divide the contents of “Personal Data (Privacy)(Amendment) Bill 2011”.
Direct Marketing
The transfer of customer data from one company to another must be disclosed to data subjects (i.e., the people whose data is being recorded and exchanged). If data subjects do not object to the transfer of data within 30 days, it’s taken as a sign of acquiescence.
The data subject, however, can later object via mail. Contravention of this provision could result in a maximum fine of HK$500,000 (US$64,000) and a three-year jail term.
Personal Data Sale
The requirements are similar to the above, except that the transfer of data is in exchange for money or other remuneration. Contravention can result in a maximum fine of HK$1,000,000 (US$128,000) and a five-year jail term.
Disclosure of Data Without Consent
In cases where personal data is (essentially) stolen and:
It is used to gain money or property
It is used to cause loss of money or property to data subjects (think fraud)
It is used to cause psychological harm (regardless of whether that was the purpose)
Penalties are the same as those found under personal data sales.
An analysis of the new bill was carried out by Freshfields Bruckhaus Deringer. Their conclusion: Hong Kong businesses need to review their procedures and contracts with customers and suppliers and, more specifically, should do the following:
Review terms and conditions regarding customer marketing activities
Review direct and cross-marketing activities (especially those involving third parties)
Create internal procedures to avoid running afoul of the new law
Ensure that data processors you’ve hired are in compliance with the law
The bill also includes other provisions:
Legal assistance is given to data subjects by the Privacy Commissioner
Enforcement notices can be issued by the Privacy Commissioner if a data user breaches the law