The Personal Data (Privacy) Ordinance (PDPO) contains a number of sections providing for criminal liability: Section 35E provides that a fine of up to HK$500,000 and up to three years’ imprisonment may be imposed if personal information of an individual is used for direct marketing purposes without that individual’s informed consent, and section 64 further provides a fine of up to HK$1,000,000 and up to five years’ imprisonment for disclosing personal data obtained without consent from data users.
The Hong Kong Privacy Commissioner for Personal Data (PCPD) recently announced the first prison sentence for a violation of the PDPO for another such section; section 50B (1)(c)(i), which states that anyone who makes to the privacy commissioner (or one of its officers) a statement that the person knows to be false or does not believe to be true or knowingly misleads the privacy commissioner (or one of its officers) commits an offence and is liable upon conviction to a fine of up to HK$10,000 and imprisonment of 6 months.
The case arose following a 2012 complaint by an individual who claimed she shared her personal information with an agent of an insurance company who subsequently moved to another insurance company. According to the complainant, the agent then used the information obtained while working for the first company to issue the woman a policy through the new company without disclosing the change of company. The complainant alleged that the insurance agent had misled her and thereby obtained her personal data by unfair means. In response to inquiries from the PCPD, the insurance agent claimed that he was assigned to work with the complainant during his employment with his first employer, but this allegation was denied by the first employer.
Because the PCPD found that the insurance agent gave false statements during its investigation of the complaint, the case was referred to the Tuen Mun Magistrates’ Court for criminal enforcement under the PDPO. Under section 50B (1)(c)(i) the PDPO, In this case, the insurance agent was sentenced to 4 weeks’ imprisonment.
Although this case specifically deals with the lack of cooperation with an investigation from the PCPD, it is particularly interesting because it is the first time that a jail sentence has been imposed pursuant to the PDPO. It is of course necessary to be truthful and to fully cooperate with an investigation from the PCPD, and providing false or misleading information is an offence under the PDPO. Nevertheless, this case also demonstrates more generally the willingness of the PCPD to trigger criminal liability for breaches of the PDPO.
As indicated in the PCPD press release, all organizations and individuals need to "treat data privacy seriously," and as this case shows, the courts will also be taking privacy matters very seriously, including enforcing imprisonment sentences where appropriate.