Damon Pang reports:
The Privacy Commission says that Hang Seng Bank and CITIC Bank have breached data protection laws. An investigation revealed CITIC transferred personal information on 150,000 clients to three insurance companies for direct marketing purposes, without their consent.
Hang Seng was also found to have planned to keep data on bankruptcies for 99 years, instead of the maximum of eight.
The commission has no powers to penalise the banks.
Well, if there’s no power to do penalize banks, what is their motivation to comply with data protection laws? If the Privacy Commissioner does not have the authority to do anything, does Hong Kong’s financial regulator?