| LC: Speech by SCMA in moving the Second Reading of the Personal Data (Privacy) (Amendment) Bill 2011 |
|
Following is the speech (English translation) by the Secretary for Constitutional and Mainland Affairs, Mr Stephen Lam, in moving the Second Reading of the Personal Data (Privacy) (Amendment) Bill 2011 in the Legislative Council meeting today (July 13): President, I move the Second Reading of the Personal Data (Privacy) (Amendment) Bill 2011 (the Bill). The Bill seeks to implement the proposals in the "Report on Further Public Discussions on Review of the Personal Data (Privacy) Ordinance" (further public discussions report) released in April 2011. The Personal Data (Privacy) Ordinance (PDPO) has been in force since 1996. Having regard to developments over the last decade or so, the Government has reviewed the PDPO with the support of the Privacy Commissioner for Personal Data (Privacy Commissioner), and proposed a number of measures to strengthen the protection of personal data privacy, and enhance the effectiveness and improve the operation of the PDPO. Moreover, in recent years, cases of transfer of customer personal data by some enterprises to others for direct marketing purposes without explicitly and specifically informing the customers of the purpose of the transfer and the identity of the transferees and seeking the customer's consent, some of which involved monetary gains, have aroused widespread community concerns. To address these concerns, we have proposed various amendments to the PDPO. In the following, I will highlight some key proposals in the Bill. First, on direct marketing, to provide data subjects with an informed choice as to whether to allow the use of their personal data in direct marketing, the Bill requires a data user who intends to use personal data in direct marketing or provide personal data to other persons for use in direct marketing to provide the data subject with written information on the kinds of personal data to be used or provided, the classes of persons to which the data is to be provided, and the classes of goods, facilities or services to be offered or advertised or the purposes for which donations or contributions may be solicited. The Bill also requires the data user to provide the data subject with a response facility through which the data subject may, without charge from the data user, indicate in writing to the data user whether the data subject objects to the intended use or provision. The written information and the response facility provided by the data user must be presented in a manner that is easily readable and easily understandable. The above arrangement strikes a balance between the protection of personal data privacy and allowing room for businesses to operate while providing data subjects with an informed choice as to whether to allow the use of their personal data in direct marketing. If, after the provision of the information and response facility required, the data subject sends a reply to the data user indicating that he does not object, the data user may proceed to use or provide the data for use in direct marketing. If no reply indicating objection is sent within 30 days after the information and response facility are presented to the data subject or after the data is collected, the data subject will be taken not to object. A data user who uses personal data in direct marketing or provides personal data to other persons for use in direct marketing without complying with the requirements or against the wish of the data subject will be liable, on conviction, to a fine of $500,000 and imprisonment for three years. The Bill further provides that, irrespective of whether a data subject has, within the 30-day response period, sent any written reply to the data user indicating no objection, the data subject may subsequently, at any time, object in writing to the use or provision of his personal data and the data user will then have to cease to use or provide the data subject's personal data for use in direct marketing. The data subject may also require the data user to notify the persons to whom his personal data has been provided for use in direct marketing to cease to so use the data. Upon receipt of the notification, the persons to whom the personal data has been provided have to cease to so use the data. It will be an offence for the data user or the person to whom the data has been provided not to comply with the data subject's above requests. The penalty will be a fine of $500,000 and imprisonment for three years. This will further enhance protection to data subjects. Regarding sale of personal data, the Bill also introduces specific requirements. A data user who intends to sell personal data must, before the sale, provide the data subject with written information on the kinds of personal data to be sold and the classes of persons to which the data is to be sold. The data user is also required to provide the data subject with a response facility through which the data subject may, without charge from the data user, indicate whether he objects to the intended sale. The abovementioned written information and response facility must be presented in a manner that is easily readable and easily understandable. As with the requirement on providing personal data to other persons for use in direct marketing, if no reply indicating objection to the sale is sent within the 30-day response period, the data subject will be taken not to object. A data user who sells personal data without complying with the requirements or against the wish of the data subject will be liable, on conviction, to a fine of $1 million and imprisonment for five years. The Bill also provides that, irrespective of whether a data subject has, within the 30-day response period, sent any written reply to the data user indicating no objection, the data subject may subsequently, at any time, object in writing to the sale of his personal data and the data user will then have to cease to sell the data subject's personal data. Furthermore, the data subject may also require the data user to notify the persons to whom his personal data has been sold to cease using the data. Upon receipt of the notification, the buyers have to cease using the data. It will be an offence for the data user or buyer not to comply with the data subject's above requests. The penalty will be a fine of $1 million and imprisonment for five years. It will also be an offence for a person who obtains personal data from a data user without the data user's consent, and subsequently discloses the personal data with an intent to obtain gain in money or other property, whether for the benefit of the person or another person; with an intent to cause loss in money or other property to the data subject; or causing psychological harm to the data subject. The penalty will be a fine of $1 million and imprisonment for five years. In addition, the Bill also includes various amendment proposals, including empowering the Privacy Commissioner to provide legal assistance to data subjects who intend to bring proceedings under the PDPO to seek compensation from data users; imposing a heavier penalty for repeated contravention of enforcement notices; creating a new offence for intentional and repeated contravention of the requirements under the PDPO for which enforcement notices have been served; introducing new exemptions in respect of certain requirements under the PDPO; and making new provisions relating to data protection principles. The Bill also makes technical amendments to improve the operation and presentation of the PDPO. The Government has drawn up the proposals in the Bill after considering the views received during the public consultation on the review of the PDPO from August to November 2009 and the further public discussions from October to December 2010. During this time, we briefed the Legislative Council Panel on Constitutional Affairs on our proposals a number of times and sought Members' views. On April 18, 2011, the Panel also discussed the legislative proposals in the further public discussions report. After the First and Second Readings of the Bill at the Legislative Council today, we will explain our proposals in detail at the meetings of the Bills Committee and listen to the views of Members, interested organisations and the public. I hope that the Bill will receive the support of Members and that it will be passed as soon as possible. Thank you, President. Ends/Wednesday, July 13, 2011 |