LEGAL INFORMATION AND UPDATE

7th Issue (November 2018)

7th Issue (December 2018)

Certain Aspects about Collection and Use of Personal Data – A Reminder

Introduction

The recent Cathay Pacific Airways data breach, in which the personal data of 9.4 million passengers was leaked, has again raised grave public concern about personal data protection. In the wake of this incident, the European Union’s General Data Protection Regulation, which came into force on 25 May 2018, has also gained widespread attention.

In Hong Kong, the privacy rights of a person in relation to personal data are protected by the Personal Data (Privacy) Ordinance (Chapter 486, Laws of Hong Kong) (“PDPO”). The PDPO is principle-based legislation in that its core provisions regulating the collection, use, transfer and processing of personal data are encapsulated in its six data protection principles (“DPPs”), which can be found in Schedule 1 to the PDPO. This newsletter focuses on the collection and use of personal data and elaborates on the relevant DPPs. In respect of the use of personal data, it addresses two main areas that are frequently discussed, namely “direct marketing” and “transfer of data inside and outside of Hong Kong”.

1. Definition of “Personal Data”

Prior to discussing the legal framework, “personal data” must first be defined. According to Section 2(1) of the PDPO, “personal data” means any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.

2. Collection of Personal Data

The legal obligations in collecting personal data are set out in DPP1, which states that the data so collected must be for a lawful purpose directly related to a function or activity of the data user. Furthermore, the data collected must be necessary but not excessive in relation to the purpose of collection. It is therefore good practice for data users to consider whether there are any less privacy-intrusive alternatives when collecting personal information.

DPP1(3) also sets out certain notification requirements in relation to the collection of personal data. To comply with this provision, a data user should provide a Personal Information Collection Statement (“PICS”) to the data subject on or before collecting his personal data. A PICS should include a statement of the purpose of collection, a statement as to whether it is obligatory or voluntary for the data subject to supply his personal data, the consequences for him if he fails to supply the data (if it is obligatory for him to supply the data), the potential classes of persons to whom the data may be transferred or disclosed, the rights to request access to and correction of his personal data, and the name/job title and address of the individual to whom any such request may be made.

3. Use of Personal Data

According to DPP3, personal data collected must be used only for the purpose for which the data was collected or for a directly related purpose, unless prescribed consent is obtained. In assessing whether data is being used for purposes directly related to the original purpose of collection, the Privacy Commissioner for Personal Data (“Commissioner”) will take into account a number of factors, including the nature of the transaction giving rise to the need for using the personal data, and the reasonable expectation of the data subject.

Direct Marketing

One common business practice involving the use of personal data is direct marketing. Under Part 6A of the PDPO, a data user, before using personal data for direct marketing, must notify the data subject of the kinds of data to be used and the classes of goods or services that will be marketed, and provide a response channel through which the data subject can communicate consent. However, if the data subject does not consent to the intended use, the data user must not so use his personal data. It should be noted that a data subject may at any time require the data user to cease using his personal data for direct marketing, and the data user must comply with such a request.

Transfer of data inside and outside of Hong Kong

For transfer of personal data inside Hong Kong, the aforementioned DPP3 will apply, as the term “use of personal data” covers “transfer of personal data” in the context of the PDPO. If the purpose of the transfer is for the third party’s use in direct marketing, the data user must notify the data subject of the above information and obtain his written consent.

Transfer of personal data outside Hong Kong is to be regulated under Section 33 of the PDPO, which is yet to take effect. Under that provision, data users shall not transfer personal data to a place outside Hong Kong unless one of the following conditions is satisfied:

  1. the place is on a “white list” of jurisdictions specified by the Commissioner, by notice in the Gazette, as having law that protects personal data to a level commensurate with the PDPO;

  2. the data user has reasonable grounds to believe that there is in force any law in that place which is substantially similar to, or serves the same purpose as, the PDPO;

  3. the data subject has consented in writing to the transfer;

  4. the data user has reasonable grounds to believe that (i) the transfer is for the avoidance or mitigation of any adverse action against the data subject; (ii) it is not practicable to obtain the data subject’s written consent; and (iii) if it were practicable to obtain such consent, the data subject would give it;

  5. the personal data is exempt from DPP3 of the PDPO by virtue of an exemption under Part VIII of the PDPO; or

  6. the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be collected, held, processed or used in a manner that would constitute a contravention of the PDPO.

Although Section 33 of the PDPO is not effective yet, data users are recommended to follow the requirements thereunder.

4. Practical Takeaways

  1. Data users should comply with the relevant legal obligations set out in the PDPO on or before collecting and using personal data.

  2. Where data users intend to use personal data for direct marketing or to transfer the data outside Hong Kong, special attention should be paid to the additional statutory requirements.

  3. A data subject may, at any time, require the data user to cease using his personal data for direct marketing.

IMPORTANT

Please note that the information above is a preliminary overview of this specialized area of law. As every case depends on its facts, it is imperative to state that the above does not constitute formal legal advice. We do not accept any responsibility whatsoever in respect of this publication. Should you wish to seek our advice or assistance, please do not hesitate to contact us.
