-DATA PROTECTION AND PRIVACY-
Major Credit Agency Passes Test of Privacy Commissioner But Deficiencies Noted
In Hong Kong, the Privacy Commissioner for Personal Data recently exercised his rights under Section 36 of the Personal Data (Privacy) Ordinance and conducted an inspection of the data system of TransUnion Limited, Hong Kong’s major credit reference agency. While the inspection did not reveal any major data breaches or issues, the Commissioner has reported deficiencies in TransUnion’s personal data system and made a number of recommendations for improvement.
Hong Kong Introduces a New Personal Data (Privacy) Amendment Bill
The Personal Data (Privacy) Amendment Bill (the “Bill“) was introduced into the Legislative Council on 13 July 2011. The Bill is the culmination of a lengthy consultation process into the reform of the Personal Data (Privacy) Ordinance (the “Ordinance“) which commenced in 2009. The Bill aims to bring the Ordinance in line with technological and other advancements that have occurred since the Ordinance was enacted 15 years ago, and is in part a response to the mounting public concern in relation to a number of high profile instances of misuse of personal data in Hong Kong.
The most significant amendments relate to direct marketing and the sale of personal information, data processing and the powers of the Privacy Commissioner for Personal Data (the “Privacy Commissioner“). The Bill also introduces increased penalties for breaches of the Ordinance. These key amendments are discussed below.
There is no precise timeframe for the implementation of the Bill at this stage (as the Bill still has to be debated further by the Legislative Council after the summer recess, before passing to the committee stage and undergoing a final reading).
Big Changes Ahead for Companies Handling Personal Data
On 8 July 2011, the Government of the Hong Kong Special Administrative Region published the Personal Data (Privacy) Amendment Bill 2011 (the “Bill“) in the Government Gazette. This marks the beginning of the Bill’s passage through the Legislative Council (“LegCo“).
The Bill amends the Personal Data (Privacy) Ordinance (“PDPO“), which has remained unchanged since it came into force in 1996. It addresses key areas that have been the subject of recent high profile investigations, such as the Octopus case last summer, which brought the use of personal data in direct marketing into the spotlight.
The Bill introduces a number of new offences with heavy penalties at a level previously unseen under the PDPO – the highest being HK$1 million plus 5 years imprisonment for both sale and disclosure of personal data without consent. This represents a significant increase from the current penalties which peak at HK$10,000 and 2 years imprisonment.
Hong Kong Privacy Commissioner Publishes Guidance on the Handling of Data Access Requests and the Charging of Access Fees
The Hong Kong Privacy Commissioner for Personal Data recently issued a guidance note to provide data users with assistance on how to comply with data access requests, as well as how to calculate the fees to be charged in connection with such Access Requests. The Guidance Note was in part a response to the increasing number of complaints received by the Commissioner relating to Access Requests in recent years, approximately 10% of which concerned excessive Access Fees. Organizations may wish to establish detailed guidelines and procedures for the handling of Access Requests (including calculating Access Fees), to ensure that such requests are dealt with promptly and efficiently, and in accordance with the Ordinance. Failure to comply with the requirements in the Ordinance may constitute an offence and render the data user liable to a maximum fine of HK$10,000 (roughly 1,300 U.S. dollars).