Hong Kong regulators step up enforcement on personal data protection

Over the past month, Hong Kong Courts and the Securities and Futures Commission (“SFC”) have taken action under the Personal Data (Privacy) Ordinance (“PDPO”) against an insurance agent, a marketing company and a licensed individual for improper handling of personal data, resulting in a Community Service Order, a fine, and an SFC disciplinary action. These cases demonstrate increased citizen awareness of privacy rights, industry focus on the PDPO, and foreshadow further enforcement activity.

Insurance agent case

• An insurance agent, knowing that an insurance company had suspended services provided to an individual, sent a letter to the individual that promoted the services of another insurance company. That individual filed a complaint with the Office of the Privacy Commissioner for Personal Data (“PCPD”), claiming that the insurance agent had used personal data for direct marketing purposes in contravention of the PDPO. The PCPD referred the complaint to the police for criminal investigation.
  
  
• The insurance agent was charged and convicted of two offences under the PDPO: using personal data in direct marketing without taking actions required by law and obtaining consent (contrary to section 35C of the PDPO), and failing to inform the individual of his right to opt-out of direct marketing without charge (contrary to section 35F of the PDPO).
  
  
• The Court imposed a Community Service Order of 80 hours on the insurance agent.
  
  

Marketing company case

• After an individual had made an opt-out request, a marketing company, used by a hotel to promote its membership and services, continued to call the individual. The individual complained to the PCPD, which referred the complaint to the police for criminal investigation.
  
  
• The marketing company admitted that it had received the individual’s opt-out request, but had failed to distribute an updated opt-out list to its staff in a timely manner, resulting in further marketing calls being made to the individual.
  
  
• The marketing company was charged and convicted of two offences under the PDPO: using personal data in direct marketing without taking actions required by law and obtaining consent (contrary to section 35C of the PDPO), and continuing to use the individual’s personal data in direct marketing after he opted-out (contrary to section 35G of the PDPO).
  
  
• The marketing company was fined HK$16,000 (approximately US$2,100).
  
  

SFC case

• A portfolio manager at a Hong Kong bank, who was registered under the Securities and Futures Ordinance to carry on Type 1 & Type 4 regulated activities, sent information regarding 1,540 customers to his personal email address on his last day of work. After starting a job at another bank, the portfolio manager sent the customers’ data to his new work email address. Upon discovery, the new employer deleted the emails with the customers’ data and terminated the portfolio manager’s employment.
  
  
• The case was referred to the SFC by the Hong Kong Monetary Authority (“HKMA”). The SFC found that the portfolio manager had breached the Code of Conduct for Persons Licensed by or Registered with the SFC and the PDPO by transferring the customer data for purposes other than that for which the data was collected.
  
  
• As the activity called into question whether he was fit and proper to be licensed, the SFC has banned the portfolio manager from re-entering the industry for 12 months. No action has been taken against the bank from which the emails were sent.
  
  

Our take:

• Increased privacy awareness among citizens. The direct marketing cases marked the fifth and sixth direct marketing convictions handed down by the Hong Kong Courts since September 2015. Like the previous four convictions, both cases arose out of a single complaint by a data subject to the PCPD. The growing sensitivity of the public to data protection and the decrease in their tolerance for unwanted marketing indicates a higher risk of complaint and subsequent action. Companies and individuals who wish to use personal data for direct marketing purposes must ensure that their personal data handling practices are compliant with the PDPO.
  
  
• Industry focus on the PDPO. The PCPD is responsible for compliance with the PDPO. However, in recent years, industry regulators, such as the HKMA and the SFC, have focused more on data protection. Recent examples include the HKMA revising its circular on  “Customer Data Protection” in 2014, and the SFC issuing  a circular on “Cybersecurity” in March 2016. Data protection is high on the agenda of industry regulators, and they are paying more attention as to whether their licensees (including both companies and individuals) are handling personal data in accordance with the law.
  
  
•  More to come? All three cases stemmed from complaints and incidents back in 2013 and 2014. With the more hardline approach to data protection taken by the regulators illustrated above, we anticipate there will be more disciplinary actions in the future.