LEGAL INFORMATION AND UPDATE
7th Issue (November 2018)
Certain Aspects about Collection and Use of Personal Data – A Reminder
The recent Cathay Pacific Airways’ data breach, in which the personal data of 9.4 million passengers were leaked, has once again raised grave public concern about personal data protection. In the wake of this incident, the European Union’s General Data Protection Regulation, which came into force on 25 May 2018, has also gained widespread attention.
In Hong Kong, the privacy rights of a person in relation to personal data are protected by the Personal Data (Privacy) Ordinance (Chapter 486, Laws of Hong Kong) (“PDPO”). The PDPO is principle-based legislation in that its core provisions regulating the collection, use, transfer and processing of personal data are encapsulated in its six data protection principles (“DPPs”), which can be found in Schedule 1 to the PDPO. This newsletter shall focus on the collection and use of personal data and elaborate on the relevant DPPs. In respect of the use of personal data, it shall address two main areas that are frequently discussed, namely “direct marketing” and “transfer of data inside and outside of Hong Kong”.
1. Definition of “Personal Data”
Prior to discussing the legal framework, “personal data” must first be defined. According to Section 2(1) of the PDPO, “personal data” means any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.
2. Collection of Personal Data
The legal obligations in collecting personal data are set out in DPP1, which states that the data so collected must be for a lawful purpose directly related to a function or activity of the data user. Furthermore, the data collected must be necessary but not excessive in relation to the purpose of collection. It is therefore a good practice for data users to consider whether there are any less privacy-intrusive alternatives when collecting personal information.
DPP1(3) also sets out certain notification requirements in relation to the collection of personal data. For the purpose of complying with this provision, a data user should provide a Personal Information Collection Statement (“PICS”) to the data subject on or before collecting his personal data. A PICS should include a statement of the purpose of collection, a statement as to whether it is obligatory or voluntary for the data subject to supply his personal data, the consequences for him if he fails to supply the data (where it is obligatory for him to supply the data), the potential classes of persons to whom the data may be transferred or disclosed, his rights to request access to and correction of his personal data, and the name/job title and address of the individual to whom any such request may be made.
3. Use of Personal Data
According to DPP3, personal data collected must be used only for the purpose for which the data was collected or for a directly related purpose, unless prescribed consent is obtained. In assessing whether data is being used for a purpose directly related to the original purpose of collection, the Privacy Commissioner for Personal Data (“Commissioner”) will take into account a number of factors, including the nature of the transaction giving rise to the need for using the personal data, and the reasonable expectation of the data subject.
One common business practice involving the use of personal data is direct marketing. Under Part 6A of the PDPO, a data user, before using personal data for direct marketing, must notify the data subject of the kinds of data to be used and the classes of goods or services that will be marketed, and provide a response channel through which the data subject can communicate consent. If the data subject does not consent to the intended use, the data user must not so use his personal data. It should be noted that the data subject may at any time require the data user to cease using his personal data for direct marketing, and the data user must comply with such a request.
Transfer of data inside and outside of Hong Kong
For the transfer of personal data inside Hong Kong, the aforementioned DPP3 will apply, as the term “use of personal data” covers “transfer of personal data” in the context of the PDPO. If the purpose of the transfer is for a third party’s use in direct marketing, the data user must notify the data subject of the above information and obtain his written consent.
Transfer of personal data outside Hong Kong is to be regulated under Section 33 of the PDPO which is yet to take effect. Under that provision, data users shall not transfer personal data to a place outside Hong Kong unless one of the following conditions is satisfied:
the place is on a “white list” of jurisdictions which the Commissioner has specified by notice in the Gazette as having a law in force that protects personal data to a level commensurate with the PDPO;
the data user has reasonable grounds to believe that there is in force in that place a law which is substantially similar to, or serves the same purpose as, the PDPO;
the data subject has consented in writing to the transfer;
the data user has reasonable grounds to believe that (i) the transfer is for the avoidance or mitigation of any adverse action against the data subject, (ii) it is not practicable to obtain the data subject’s written consent, and (iii) if it were practicable to obtain such consent, the data subject would give it;
the personal data is exempt from DPP3 of the PDPO by virtue of an exemption under Part VIII of the PDPO; or
the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be collected, held, processed or used in a manner that would constitute a contravention of the PDPO.
Although Section 33 of the PDPO is not yet in effect, data users are recommended to follow the requirements thereunder.
4. Practical Takeaways
Data users should comply with the relevant legal obligations set out in the PDPO on or before collecting and using personal data.
Where data users intend to use personal data for direct marketing or to transfer the data outside Hong Kong, special attention should be paid to the additional statutory requirements.
A data subject may, at any time, require the data user to cease using his personal data for direct marketing.
Please note that the information above is a preliminary overview of this specialized area of law. As every case depends on its facts, it is imperative to state that the above does not constitute formal legal advice. We do not accept any responsibility whatsoever in respect of this publication. Should you wish to seek our advice or assistance, please do not hesitate to contact us. If you wish to unsubscribe, please inform us by email at firstname.lastname@example.org.