Media release from the Office of the Privacy Commissioner for Personal Data, Hong Kong:
The Office of the Privacy Commissioner for Personal Data (“PCPD”) received 1,792 complaints in 2013, of which 538 complaints (nearly 30% ) were related to the new provisions of the Personal Data (Privacy) (Amendment) Ordinance 2012 (“Amendment Ordinance”) governing the use of personal data in direct marketing, which took effect from 1 April 2013.
Mr Allan Chiang, Privacy Commissioner for Personal Data (“Commissioner”) commented at today’s media briefing on the achievements of the PCPD in 2013, “This is a record high. It reflects the public’s growing concern for privacy and data protection and calls for the need of all organisations to treat the subject seriously. Top management should get involved and embrace it as part of their corporate governance responsibilities. They should implement holistic and encompassing privacy management programmes which ensure that robust privacy policies and procedures are in place and applied throughout the organisation.”
The PCPD’s 2013 year in review has the following highlights:
In 2013, the PCPD received a total of 24,161 enquiries, representing a record high and an increase of 27% compared with 2012. They are mainly concerned with the use of personal data in direct marketing (55%), employment (10%), data access requests (8%), collection of Hong Kong identity card numbers or copies (5%), and workplace surveillance (2%).
In particular, 13,203 enquiries (55% of the total) are related to the new provisions of the Amendment Ordinance governing direct marketing. Most of them were made in April and May 2013.
In 2013, the PCPD received a total of 1,792 complaints, which represented a record high and an increase of 48% compared with 2012. The PCPD was able to handle this huge influx of complaints by streamlining working procedures and enhancing staff productivity.
Of these complaints, 78% were made against the private sector (1,404 cases), 13% against the public sector/government departments (227 cases) and 9% against individuals (161 cases).
Among the private sector organisations, the sector which received the most complaints was the financial sector (356 cases), followed by telecommunications (153 cases) and property management (125 cases).
As regards the nature of the complaints, 38% of the 1,792 complaints received concerned the use of personal data without the consent of data subjects (673 cases), 36% were about the purpose and manner of data collection (643 cases), 9% were related to data security (169 cases) and 9% were about data access /correction requests (161 cases).
A substantial number (538 cases) of the complaints were related to the implementation of the new provisions governing direct marketing. Specifically, they were responses to the sending of a massive amount of customer notifications in late March 2013 and early April 2013 by many organisations concerning the use of personal data for direct marketing. The notifications were sent for various reasons such as:-
(a) to ensure the fulfilment of one of the pre-requisite requirements of the grandfathering arrangement, namely, that the customers had to be explicitly informed, in a easily understandable and readable manner, of their intended use of their personal data for direct marketing;
(b) to include as many classes of products and services as possible for grandfathering coverage when in fact only those classes for which a direct marketing approach has actually been made previously could be covered; and
(c) to carry out data cleansing by reminding customers of their right to opt out from direct marketing approaches.
The ensuing complaints can be categorised as follows:-
(a) the communication erroneously created a perceived need on the part of the customers to respond promptly or else their position as regards the right to opt out from direct marketing approaches would be jeopardised;
(b) the opt-out channels stipulated by the organisations were fully engaged, not user-friendly or invalid; and
(c) some recipients queried why their personal data were held by the organisations which sent out the notifications since according to them, they had no prior dealings with the organisations.
Further, a total of 93 complaints (compared with 50 complaints in 2012) were related to the use of new information and communications technologies (“ICT”). Of these, 40 related to the unwanted disclosure of individuals’ personal data on social networking sites and 12 concerned the receipt of unsolicited direct marketing messages through WhatsApp. These cases could not be pursued meaningfully. For the former cases, the person responsible for the data could not be traced. For the latter cases, the calls were made to randomly selected telephone numbers without the use of personal data.
Compliance Checks and Self-initiated Investigations
The year 2013 saw 61 known data breach incidents (compared with 50 incidents in 2012), affecting 90,000 individuals. The PCPD was made aware of these incidents through voluntary notifications from the data users concerned as well as reports from the media and the general public. The nature of these incidents ranged from unauthorised disclosure of personal data through hacking to inadvertent circulation of lists of personal data to unrelated third parties.
With a view to promoting compliance with the requirements under the Personal Data (Privacy) Ordinance (“the Ordinance”), the PCPD completed 208 compliance checks and 19 self-initiated investigations in 2013, compared with 161 such checks and 9 such investigations respectively in 2012.
In 2013, the PCPD issued 32 warnings and 25 enforcement notices to organisations, compared with 27 warnings and 11 enforcement notices in 2012. The more than double increase in the number of enforcement notices issued to direct organisations to remedy contraventions was a reflection of the enhanced power of the Commissioner to take such enforcement power under the Amendment Ordinance.
The Commissioner published 6 investigation reports in 2013 (compared with 8 published reports in 2012). These reports covered the privacy practices of 3 companies, one government department and one public body, and pointed out contraventions of Data Protection Principle (“DPP”) 1 concerning data collection, DPP 3 concerning data use and DPP4 concerning data security.
The reports received widespread media coverage and entailed serious public discussion. They served to invoke the sanction and discipline of public scrutiny and discourage non-compliant behaviour on the part of the organisations concerned as well as other data users facing similar data-protection issues.
In 2013, the PCPD referred 20 cases to the Police for consideration of prosecution, an increase of 33% compared to 2012. As many as 14 cases were related to suspected contraventions of the new provisions governing direct marketing, for example, the making of repeated telemarketing calls by organisations despite the complainants’ request to opt out from such marketing approach and the failure of organisations to take specified steps before making use of individuals’ personal data for direct marketing.
Most of the referred cases are still under Police investigation, and no conviction was recorded in 2013.
Legal Assistance Scheme
The Legal Assistance Scheme commenced on 1 April 2013 under the Amendment Ordinance. Under the scheme, the PCPD may provide assistance to a person who has suffered damage by reason of a contravention under the Ordinance and intends to institute proceedings to seek compensation from the organisation at fault. After 9 months of operation, the PCPD has received 16 applications. Of these applications, one has been granted assistance; 5 were rejected and 2 had been withdrawn by the applicants.
Data User Returns Scheme (“DURS”)
Part IV of the Ordinance provides for a DURS under which specified organisations are obliged to notify to the Commissioner “prescribed information” which includes the kinds of personal data they control and the purposes for which the personal data are collected, held, processed or used .
The PCPD issued a consultation document in July 2011 which sets out the operational framework and implementation plan of the DURS. It was envisaged that the initial phase of implementing the DURS would cover the public sector, banking, telecommunications and insurance.
PCPD gathered from the consultation exercise that while there was no dispute over the objective of DURS to promote a higher standard in the protection of personal data privacy, there was much scepticism from the consultees towards the adoption of the scheme to achieve this objective. At the same time, PCPD has learned that the European Union (“EU”) data protection system, upon which the Hong Kong model is based, is undergoing reform. Among other things, the EU is considering replacing the notification requirement with new and improved systems which emphasize accountability and transparency in the collection and use of personal data, including the mandatory appointment of a data protection officer in (a) public authorities and bodies, as well as (b) private enterprises that process data of more than 5,000 persons in any consecutive 12 months.
In the absence of general support from the four sectors identified for implementing the DURS and in light of the EU developments, PCPD plans to put the project on hold until the reforms in the EU have been finalised and useful lessons can be learnt from the exercise.
Mr Chiang commented further, “Meanwhile, to meet the high public expectation for protection of personal data privacy in the four sectors concerned, I have advocated to these sectors in the past 12 months to adopt a strategic shift from compliance to accountability. Specifically, I have encouraged individual organisations to embrace privacy and data protection as part of corporate governance and implement holistic and encompassing privacy management programmes which ensure that robust privacy policies and procedures are in place and applied throughout the organisation. At the minimum, the outcome of this proactive approach is a demonstrable capacity to comply with the Ordinance. Executed well, it is conducive to building trustful relationships with customers or citizens, employees, shareholders and regulators, and thus serves the same purpose as DURS. I am happy to report that I have secured significant buy-in from these sectors and will issue a ‘Privacy Management Programme: a Best Practice Guide‘ for the reference by all organisations next month.”
Regulating Cross-border Flows of Personal Data
Section 33 of the Ordinance provides a very stringent and comprehensive regulation of the transfer of data outside Hong Kong. It expressly prohibits all transfers of personal data ‘to a place outside Hong Kong’ except in specified circumstances such as:-
(a) the place is specified by the Commissioner as one which has in force a data protection law which is substantially similar to, or serves the same purpose as the Ordinance [section 33(2)(a)]; and
(b) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be handled in a manner tantamount to a contravention of a requirement under the Ordinance [section 33(2)(f)].
The only problem is that section 33 has not been brought into force since its enactment in 1995 and the Government has no timetable for its implementation in future. As a result, the current protection for personal data transferred overseas is weak and far from comprehensive.
Mr Chiang commented, “The situation of global data flows is markedly different today than in the 1990s when the Ordinance was enacted. Advances in technology, along with changes in organisation’s business models and practices have turned personal data transfers into personal data flows. Data is moving across borders, continuously and in greater scales. Organisations, including small and medium enterprises, are enhancing their efficiency, improving user convenience and introducing new products by practices which have implications for global data flows. They vary from storing data in different jurisdictions via the ‘cloud’ to outsourcing activities to contractors around the world. Electronic international data transfers in areas such as human resources, financial services, education, e-commerce, public safety, and health research are now an integral part of the global economy.
Countries worldwide are adopting a range of mechanisms to protect the personal data privacy of individuals in the context of cross-border data flows. For example, section 26(1) of Singapore’s Personal Data Protection Act, which will come into force in July this year, provides that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the Act.
Against this background, it is high time for the Government to have a renewed focus on section 33 of the Ordinance to ensure that the international status of Hong Kong as a financial centre and a data hub will be preserved.
To assist the Government in this area, we have completed in 2013 a survey of 50 jurisdictions and come up with a white list of places which has in force a data protection law which is substantially similar to, or serves the same purpose as the Ordinance. A copy of the report has been forwarded to the Government.”
Promotion and Public Education
In 2013, the PCPD continued to step up its promotion and public education efforts to promote the awareness and understanding of privacy and data protection. A total of 279 seminars were conducted (compared with 238 in 2012), with a total audience of 20,898 (compared with 16,321 in 2012). These included free introductory seminars on personal data protection, free IT seminars educating the public on the smart use of communication technologies and professional workshops for data protection practitioners. An added subject of these events in 2013 was the new provisions of the Amendment Ordinance governing direct marketing.
The major themes of the promotion and education activities in 2013 were Online Privacy Protection and Smart Use of Smartphones. Special efforts were focussed on the young people through the Student Ambassador for Privacy Protection Programme (with participation of 4,800 secondary school students, representing an increase of 142% over 2012) and the University Privacy Campaign (with participation of 33,299 students and staff, representing an eleven-fold increase over 2,570 participants in 2012).
In running its various promotion and education activities, the PCPD partnered with various trade associations and professional bodies. It also engaged the public through multi-channels including exhibition roadshow, the mass media, and for the first time in 2013, dedicated YouTube Channel, Facebook page and the PCPD’s thematic websites (Youth Privacy and Think Privacy! Be Smart Online). The PCPD website had a facelift of its landing page during the year, and it received an average of 75,912 visits per month (compared with 45,192 visits per month in 2012).
Strategic Focus for 2014
The PCPD will continue to face the privacy and data protection challenges by stepping up efforts in enforcement as well as public education. There will be a special focus on:-
(a) the privacy issues associated with the increased use of mobile apps;
(b) the need for organisations to embrace privacy and data protection as part of their corporate governance responsibilities and adopt holistic privacy management programmes; and
(c) assisting the Government in reviewing the regulatory issues concerning cross-border flows of personal data.