Recently there have been two convictions under the direct marketing sections of the Personal Data (Privacy) Ordinance (“Ordinance”). Interestingly, in both cases, the data users did not obtain the personal data directly from the data subject but obtained it from other parties. The organizations that originally obtained the personal data from the data subject were not prosecuted in either case.
Case 1 – Insurance agent found guilty of breaching the Direct Marketing provisions of the Ordinance (Section 35C of the Ordinance)
In April 2016, an insurance agent (“Defendant”) faced two charges under the Ordinance. The first charge relates to the offence of using the personal data of a data subject in direct marketing without taking specified actions and obtaining his consent, contrary to section 35C of the Ordinance. The second charge relates to the offence of failing to inform the data subject, when using his personal data in direct marketing for the first time, of his right to request not to use his personal data in direct marketing without charge, contrary to section 35F of the Ordinance.
This case was referred to the police by the Privacy Commissioner for Personal Data after a complaint was filed against the Defendant. The Defendant is an insurance agent. The complainant had previously bought an insurance policy with an insurance company (“Company A”) and received the letter from the Defendant (an insurance agent of another company) after learning of the suspension of services of Company A. The Defendant pleaded guilty to both charges and the court imposed a community service order of 80 hours in respect of each charge.
Case 2 – Marketing company fined for using personal data in direct marketing without customer’s consent and failing to comply with Opt-Out Request
In May 2016, a marketing company was found guilty of two charges under the Ordinance. The first charge relates to the offence of using the personal data of a data subject in direct marketing without taking specified actions and obtaining his consent, contrary to section 35C of the Ordinance. The other charge relates to the offence of failing to comply with the requirement from the data subject to cease to use his personal data in direct marketing, contrary to section 35G of the Ordinance.
The case originated from a complaint received by the Privacy Commissioner for Personal Data ("PCPD") in May 2014. The complainant once made a reservation with a restaurant of a hotel in Hong Kong and provided his surname and mobile number for that purpose. The complainant claimed that he had never given any written or verbal consent for using his personal data for direct marketing.
After making reservations with the hotel, the complainant received calls promoting the membership and services of the hotel. In April 2014, the complainant received a call from a marketing company, promoting membership of the hotel to him. The complainant immediately informed the caller that he was not interested and requested the caller not to call him again, and the caller agreed. However, in May 2014, the complainant received another call from the marketing company promoting the membership of the hotel, in which the caller indicated the marketing company was outsourced by the hotel to promote its services.
The marketing company admitted that it had received the opt-out request from the complainant. It stated that it had notified its information technology department to place the complainant's telephone number on the opt-out list on the same day it received the opt-out request. The call to the complainant might have been due to some part-time promoters who had not received the updated opt-out list or had overlooked it.
The marketing company pleaded guilty to the two charges and was fined HK$16,000 in total (HK$8,000 in respect of each charge).
Relevant sections of the Ordinance
- Section 35C of the Ordinance provides that a data user (e.g. a company or an organisation) must provide the following information to the data subject (e.g. individual consumer) orally or in writing before using his personal data in direct marketing:
(a) the data user intends to so use the personal data;
(b) the data user may not so use the data unless with the consent of the data subject;
(c) the kinds of personal data to be used;
(d) the classes of goods, facilities or services offered/advertised; and
(e) a channel through which the data subject may, without charge, communicate his consent to the intended use.
- Section 35F is about the requirement for the data user to notify the data subject when using personal data in direct marketing for the first time:
(1) A data user must, when using a data subject’s personal data in direct marketing for the first time, inform the data subject that the data user must, without charge to the data subject, cease to use the data in direct marketing if the data subject so requires.
(2) Subsection (1) applies irrespective of whether the personal data is collected from the data subject by the data user.
(3) A data user who contravenes subsection (1) commits an offence and is liable on conviction to a fine of $500,000 and to imprisonment for 3 years.
(4) In any proceedings for an offence under subsection (3), it is a defence for the data user charged to prove that the data user took all reasonable precautions and exercised all due diligence to avoid the commission of the offence.
- Section 35G is about the data subject’s right to require a data user to cease to use personal data in direct marketing. The section states that:
(1) A data subject may, at any time, require a data user to cease to use the data subject’s personal data in direct marketing.
(2) Subsection (1) applies irrespective of whether the data subject— (a) has received from the data user the information required to be provided in relation to the use of personal data under section 35C(2); or (b) has earlier given consent to the data user or a third person to the use.
(3) A data user who receives a requirement from a data subject under subsection (1) must, without charge to the data subject, comply with the requirement.
(4) A data user who contravenes subsection (3) commits an offence and is liable on conviction to a fine of $500,000 and to imprisonment for 3 years.
Marketing companies may obtain personal data from their customers instead of obtaining the personal data directly from the data subjects. Even though the marketers did not obtain the personal data directly from the data subjects, they would still be subject to the direct marketing provisions of the Ordinance. Since they are in possession of personal data, they are also required to comply with the privacy principles. Marketers should provide guidelines and policies to their staff on privacy issues, ensure that valid consents have been obtained, inform data subjects about their right to opt out, and have an updated list of the requests from data subjects.
The direct marketing provisions of the Ordinance are not to be ignored. The above two cases show that the courts take a serious view of contraventions.