Following is a question by the Hon James To and a written reply by the Secretary for Constitutional and Mainland Affairs, Mr Raymond Tam, in the Legislative Council today (April 17):
The Personal Data (Privacy) (Amendment) Ordinance 2012 (Amendment Ordinance) has come into full operation with effect from April 1 this year. One of the new requirements therein is that before using personal data in direct marketing or providing personal data to another person for use in direct marketing, the data user must notify the data subject of its intention of so doing and receive an indication of no objection from the data subject. Under the grandfathering arrangement provided under the Amendment Ordinance, if an organisation has, prior to the coming into effect of the aforesaid requirement, informed customers of the purpose of collecting and using their personal data as well as approached customers in its direct marketing activities, and the customers have never raised objection to such activities, the organisation concerned may continue to use the relevant personal data in direct marketing after the requirement has come into effect. Therefore, quite a number of organisations, such as banks and telecommunications service companies, etc., issued letters to their existing customers before April 1, notifying them that the organisations would use their personal data in direct marketing, and if the customers did not agree to such practice, they might notify the organisations that they exercise their opt-out rights against direct marketing. In this connection, will the Government inform this Council:
(a) given that quite a number of data subjects are not aware that their ignoring of such notification letters is tantamount to agreeing to the continued use of their personal data in direct marketing by the organisations concerned, whether the authorities know if the Office of the Privacy Commissioner for Personal Data (PCPD) has assessed whether the aforesaid requirement will thus fail to effectively prevent the personal data of the existing customers of these organisations from being used in direct marketing continuously without their knowledge;
(b) whether it knows if the arrangements (including whether customers are able to download reply forms from the organisations' websites) provided by various banks and telecommunications service companies facilitate their customers to respond to the aforesaid notification letters received before April 1 to indicate their objection to the use of their personal data in direct marketing, or to raise requests for ceasing such use in future, and whether the contents of the reply forms provided by these organisations have violated the New Guidance on Direct Marketing issued by PCPD in January this year; if these organisations have not provided such facilitating arrangements or the contents of their reply forms have violated the New Guidance, whether PCPD will request these organisations to make improvement;
(c) whether it knows if most of the organisations have allowed their customers to choose separately in the reply forms whether they agree to receive direct marketing messages sent via various channels (e.g. mails, person-to-person telemarketing calls, mobile phone messages and emails, etc.);
(d) whether it knows if most of the organisations have allowed their customers to specify separately in the reply forms whether they agree to the organisations (i) using their personal data in the direct marketing of the organisations' products and services; and (ii) providing their personal data to another person for use in direct marketing; if such options have not been provided, whether PCPD will request the organisations to make improvement;
(e) whether it knows if most of the banks have allowed their customers to choose separately in the reply forms whether they agree to receive direct marketing messages in respect of various kinds of products (e.g. bank deposits, mortgage loans, personal loans, credit cards, investments, insurance and Mandatory Provident Fund products, etc.); if such options have not been provided to the customers, whether PCPD will request the banks to make improvement; and
(f) whether it knows when PCPD will review the implementation of the aforesaid requirement with a view to safeguarding personal data from being used in direct marketing without the express consent of the data subjects?
Under the amended Personal Data (Privacy) Ordinance (the Ordinance), unless relevant exemptions apply, if a data user intends to use a data subject's personal data in direct marketing, he must inform the data subject that: (1) he intends to so use the data subject's personal data; (2) the kinds of personal data to be used; (3) the classes of marketing subjects in relation to which the data is to be used; and (4) he may not so use the data unless with the data subject's consent. The data user must also provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject's consent or no objection to the intended use. The above information must be presented in a manner that is easily understandable and, if in written form, easily readable.
The exemptions in the Ordinance allow an organisation to continue to use customers' personal data collected before April 1, 2013 in direct marketing without complying with the new requirements if all four conditions below are met. The four conditions are: (1) the data subject had been explicitly informed by the data user, in an easily understandable and, if informed in writing, easily readable manner, of the intended use or use of the data subject's personal data in direct marketing in relation to the class of marketing subjects; (2) the data user had so used any of the data; (3) the data subject had not required the data user to cease to use any of the data; and (4) the data user had not, in relation to such use, contravened any provision of the Ordinance as in force as at the time of the use.
In addition, whether before or after the Ordinance was amended, a data subject may at any time require a data user to cease to use his personal data in direct marketing, and the data user must not so use the personal data. Failure to do so would render the data user liable to a criminal offence. With the commencement of the amendments to the Ordinance, a data user who does not comply with the above requirement is liable on conviction to a fine of $500,000 and to imprisonment for three years.
The reply to different parts of the question is as follows:
(a) As set out in the preamble above, it is unlikely a data subject's personal data is used in direct marketing without his knowledge. In any case, however, even if a data subject has never requested a data user to cease to use his personal data in direct marketing, he can still exercise his right to opt-out at any time, and the data user must comply with the request.
(b)-(f) The Ordinance has not prescribed a format for the reply form in relation to parts (b) to (e) of the question. However, the Office of the Privacy Commissioner for Personal Data (PCPD) has issued leaflets with the titles "New Guidance on Direct Marketing" and "Exercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance" for organisations and members of the public respectively. It is suggested therein that organisations provide customers with choices in respect of: (1) the kinds of personal data to be used by the organisation in direct marketing; (2) consent to the use of personal data by the organisation itself or the provision of personal data to others for use in direct marketing; and (3) the classes of goods/facilities/services to be marketed. If a data user does not offer such choices, a data subject may choose to object to the use of his personal data in direct marketing or the provision of his personal data to others for use in direct marketing.
As regards the organisations' arrangements in relation to the reply forms, since the new requirements have been implemented for a short period only, PCPD is closely monitoring the practices of the organisations on the basis of enquiries and complaints received.
Ends/Wednesday, April 17, 2013