Ball Watch (Asia) Company Limited (“the defendant”) faced two charges under the Personal Data (Privacy) Ordinance (the “Ordinance”) today at the Eastern Magistrates’ Court. The first charge relates to the offence of using the personal data of a data subject in direct marketing without taking specified actions and obtaining his consent, contrary to section 35C of the Ordinance. The other charge relates to the offence of failing to inform the data subject, when using his personal data in direct marketing for the first time, of his right to request not to use his personal data in direct marketing without charge, contrary to section 35F of the Ordinance. The defendant pleaded guilty to both charges, and was fined HK$16,000 in total (HK$8,000 in respect of each charge).
The case stemmed from a complaint received by the Office of the Privacy Commissioner for Personal Data (“PCPD”) in 2014.
The complainant is a registered occupational therapist. His personal data, including his name and address, were published in the Government Gazette pursuant to section 11 of the Supplementary Medical Professions Ordinance which concerns the publication of register and evidence of registration. In December 2014, the complainant received a promotional leaflet from the defendant by mail to his office address, which addressed him by his full name. The leaflet was to promote a model of wrist watch which was designed by Ball Watch Co and its partner. The complainant stated that he never had any dealings with Ball Watch or its partner, and both companies had never informed him of any intention to use or obtain his consent before using his personal data in direct marketing. The promotional leaflet that the complainant received did not contain any option allowing him to opt-out from directing marketing. After processing the complaint, Privacy Commissioner was of the view that the defendant had misused the complainant’s personal data.
The direct marketing provisions under the Ordinance require a data user (individual or organisation) not to use an individual’s personal data in direct marketing without that individual’s consent. In order to obtain valid consent, the data user must notify the individual of the types of personal data that will be used; the classes of goods or services that will be marketed; and a response channel through which the individual can communicate his consent to the intended use.
The Privacy Commissioner for Personal Data, Mr Stephen Kai-yi WONG, said, “Personal data obtained from public domains, such as Government Gazette in this case, is also protected under the Ordinance. The Ordinance does not prohibit direct marketing activities but provides clear provisions to enable a data user to respect others’ privacy right in collecting and using personal data, in that:
The data user must—
Even if a data subject has given his consent, the data user is still required to inform the data subject of his opt-out right, when using his personal data in direct marketing for the first time.”
Since the implementation of direct marketing provision in 2013, there have been eight related conviction cases, and two of which are being appeal against.
SOURCE: The Office of the Privacy Commissioner for Personal Data