After two rounds of public consultations in 2009 and 2010, the Personal Data (Privacy) (Amendment) Ordinance 2012 (the Amendment Ordinance) was gazetted in July, finalizing the amendments to the Personal Data (Privacy) Ordinance (PDPO). PDPO is the main data privacy legislation in Hong Kong. Major amendments include heightened requirements on the use of personal data in direct marketing, requirements on the supervision of data processors, enhanced enforcement powers for the privacy commissioner and a legal assistance scheme for aggrieved individuals. Most amendments will take effect from 1 October, while the amendments relating to direct marketing and the legal assistance scheme will take effect from a later date to be specified by the Hong Kong government. Data users will have to review and update their existing data protection policies and procedures, and the relevant contracts and forms with clients, employees and data processors, to comply with the new or revised requirements.
Heightened requirements on use of data in direct marketing
A data user is required to take additional steps before using data in direct marketing or providing data to another person for that person to use it in direct marketing. In essence, a data user must inform—in a manner that is easily understandable and easily readable—an individual of its intention to use his data, or provide his data to another person for that person to use, in direct marketing, specifying the kinds of data to be used and the kinds of services and products to be marketed; must provide a response channel through which the individual may communicate his consent, which includes an indication of no objection, and is not permitted to so use or provide the data unless it has received the individual's consent or indication of no objection. Further, an individual is entitled to opt out from direct marketing at any time irrespective of having given his consent previously.
The Amendment Ordinance makes available a "grandfathering arrangement" whereby a data user need not comply with the above requirements with respect to the data actually used by it in direct marketing before the effective date of those requirements, provided that certain conditions are satisfied. However, the grandfathering arrangement is not available where a data user provides data to another person for use in direct marketing.
Data user's duty to supervise its data processors
The Amendment Ordinance imposes express obligations on a data user to supervise—through contractual and other means—its data processors to ensure that they comply with the applicable requirements under PDPO.
Enhanced enforcement powers of privacy commissioner
Before the amendment, the privacy commissioner was empowered to issue an enforcement notice against an offending data user to impose remedial measures if the offending act was likely to continue or repeat. That condition is removed by the Amendment Ordinance. In addition, increased penalties, including monetary fines and imprisonment, are imposed on a data user breaching multiple enforcement notices or breaching an enforcement notice after initial compliance.
Legal assistance scheme
The Amendment Ordinance expressly empowers the privacy commissioner to provide various forms of legal assistance to aggrieved individuals, making it more practicable for them to pursue action against offending data users. Such legal assistance includes advice given by the privacy commissioner himself, arranging for advice or assistance to be given by a lawyer, and arranging for legal representation in or in anticipation of legal proceedings or in facilitating a compromise to avoid or end the proceedings.


Sara Or is a partner of Mayer Brown JSM. She advises on securities, banking, commodities and insurance regulations, compliance, licensing and other regulatory matters including the use of electronic means for delivery of financial services.
