Collecting Personal Data Whilst Socialising: The Individual Data User in Shanghai
In the case of HKSAR vs Leung Jun Kit, an individual was convicted at the Eastern Magistrates’ Court for breach of the direct marketing provisions under Section 35J of the Personal Data (Privacy) Ordinance (“PDPO”) in December 2015. The conviction was upheld by the Court of First Instance on 2 June 2017. The judgment draws attention to the legal position of individuals as data users under the PDPO.
Background of the Case
The defendant obtained an individual’s name and mobile number (the “Complainant”) through the exchange of name cards at a social event. After a few months, the Complainant received a telephone call from an insurance agent who claimed to have obtained the Complainant’s mobile number from the defendant and offered financial planning services to the Complainant. The Complainant, however, expressed his disinterest and ended the telephone call. He later complained to the Office of the Privacy Commissioner for Personal Data.
The defendant was later charged and convicted of the offence of providing personal data to a third party for use in direct marketing contrary to Section 35J of the PDPO and was ordered to pay a fine of HK$5,000.
The insurance agent was charged with the offence of using personal data in direct marketing contrary to Section 35C of the PDPO. However, the insurance agent was not convicted as the Court could not rule out the possibility that she would have complied with the PDPO had the Complainant not ended the telephone call.
What the PDPO and Court of First Instance Say
Under the PDPO, ‘data user’ means a person who controls the collection, holding, processing or use of the data. The person is not restricted to a corporate entity and the defendant (an individual) is the data user in this case.
Further, Section 35 J of the PDPO provides that if a data user intends to provide an individual’s personal data to a third party for direct marketing, the data user must take the following actions :-
(a) inform the individual that the data user intends to provide the personal data to a third party for direct marketing purposes and he obtains the individual’s written consent to do so;
(b) provide the individual with the following written information including (i) if the personal data is to be provided for gain, e.g. monetary gain; (ii) the kinds of personal data that are to be provided to the third party e.g. name, telephone number, email address etc.; (iii) the third parties to whom the personal data is to be provided to; (iv) the kinds of goods and / or services that the third parties intend to market; and
(c) inform him of the response channel through which the individual may, without charge, communicate the consent in writing.
The Court of First Instance held that it is irrelevant if the insurance agent in fact used the personal data (and, if used, how the personal data was used) for direct marketing purposes. However, it is relevant that the defendant intentionally provided the personal data to the insurance agent for use in direct marketing without first taking the specified steps (as summarised in (a) to (c) above) and without the individual’s prior consent.
Penalty for Breach of PDPO
An offence contrary to Section 35J of the PDPO, if found to be liable, is a fine of up to HK$1,000,000 and an imprisonment of up to 5 years.
The judgment of the conviction of the defendant and the acquittal of the insurance agent suggests that, an individual becomes a data user as defined in the PDPO even when the personal data is obtained through an informal or social event or online social platform. The specified actions stated in the PDPO must be complied with or, at least, have to be complied with before the data user can provide the data to a third party and / or use the personal data for direct marketing purposes. No consent of the data subject can be implied under Section 35J of the PDPO and the consent must be written.
This is the first time where an individual is convicted for an offence contrary to the PDPO. It is important to note that not only corporations who collect personal data as part of the ordinary course of business are at risk in breaching the PDPO but also small-medium enterprises, start-ups and even individuals. A single incident could cause the Privacy Commissioner of Hong Kong to conduct investigations and / or start prosecution.
When the public is now more aware of protecting their own personal data or privacy, it is important to have good practice policies and guidelines in place within your organisation to ensure compliance with the law on data privacy in Hong Kong.
AUTHOR: Angela Wang & Co
Copyright Angela Wang & Co.
More information about Angela Wang & Co.
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.