Report on Further Public Discussions on Review of the Personal Data (Privacy) Ordinance published

     The Government published today (April 18) the Report on Further Public Discussions on Review of the Personal Data (Privacy) Ordinance (further public discussions report) setting out legislative proposals to strengthen personal data privacy protection.
     
     "The views received during the further public discussions were generally supportive of the Government's proposals. Having considered the comments received, the Government has refined some of the proposals. We aim to introduce the amendment bill into the Legislative Council in July 2011," a Government spokesman said.

     "On direct marketing, we will introduce specific requirements to require the data user to inform the data subject of the classes of goods, facilities or services to be offered or advertised and/or the purposes for which donations or contributions may be solicited; the classes of persons to whom the data may be transferred; and the kinds of personal data to be transferred.

     "The layout and presentation of such information, if in written form, should be easily readable to individuals with normal eyesight and the language easily understandable. The data user should also provide an option for the data subject to choose not to agree (i.e. an opt-out mechanism) to the use of his personal data for direct marketing.

     "A data user who uses personal data for direct marketing purposes without complying with the requirements or against the wish of the data subject will be liable, on conviction, to a fine of $500,000 and imprisonment for three years.
 
     "The adoption of the opt-out mechanism seeks to strike a balance between the protection of personal data privacy and allowing room for businesses to operate, while also providing data subjects with an informed choice. This has also taken into account the fact that of those who expressed views on the issue, about 60 per cent support the opt-out mechanism and overseas jurisdictions generally have chosen to adopt the opt-out mechanism.

     "If, after the provision of the information and option required, the data subject provides a response to the data user indicating that he does not wish to opt out, the data user may proceed to use and/or transfer the personal data for the direct marketing activities stated by him. If the data subject does not respond to the data user, the data user may deem that the data subject has not opted out if no opt-out request is received within 30 days after the information and option are given to the data subject.

     "Currently, under the Personal Data (Privacy) Ordinance (PDPO), a data subject may opt out at any time and if he so requests, the data user consequently must cease to use his personal data for direct marketing. We propose an additional requirement that, if a data subject does not opt out originally but subsequently exercises the opt-out option, he may request the data user to notify the classes of persons to whom his personal data have been transferred for direct marketing to cease to so use the data. Upon receipt of the notification, the transferees have to cease to so use the data and failure to do so will be an offence. This will enhance protection to data subjects," the spokesman said.

     "We will introduce specific requirements so that, before the sale of personal data by a data user, the data user should inform the data subject in writing of the kinds of personal data to be sold and to which classes of persons the personal data may be sold. The layout and presentation of such information should be easily readable to individuals with normal eyesight and the language easily understandable. The data user should also provide an option for the data subject to choose not to agree to the sale (i.e. an opt-out mechanism).

     "A data user who sells personal data without complying with the requirements or against the wish of the data subject will be liable, on conviction, to a fine of $1,000,000 and imprisonment for five years," he added.    

     "As with the use of personal data for direct marketing, the deeming arrangement in cases where no opt-out request is received within 30 days will similarly apply. We also propose to stipulate that a data subject may opt out any time and if he opts out, the data user has to cease to sell his personal data. Furthermore, if a data subject does not opt out originally but subsequently exercises the opt-out option, he may request the data user to notify the classes of persons to whom his personal data have been sold to cease using the data. Upon receipt of the notification, the buyers have to cease using the data and failure to do so will be an offence," he said.

     "We will take forward the proposal to criminalise the disclosure of personal data which a person obtained from a data user without the latter's consent with a view to gaining or causing loss or psychological harm to the data subject. Penalty will be set at a fine of $1,000,000 and imprisonment for five years.

     "In addition, we intend to empower the Privacy Commissioner for Personal Data (PCPD) to provide legal assistance to an aggrieved data subject who intends to institute legal proceedings against a data user to seek compensation.

     "The further public discussions report also sets out other proposals that we intend to implement," he said.

     The PDPO was enacted in 1995. Having regard to developments over the last decade, the Government has reviewed the PDPO with the support of the PCPD and consulted the public from August to November 2009 on proposals arising from the review. The Government published the Report on Public Consultation on Review of the PDPO and further discussed the legislative proposals with the public from October to December 2010.

     The further public discussions report can be obtained from the Public Enquiry Service Centres of District Offices or downloaded from the website of the Constitutional and Mainland Affairs Bureau at www.cmab.gov.hk/doc/issues/Report_on_FPD_en.pdf.

Ends/Monday, April 18, 2011