Gabriela Kennedy and Heidi Gleeson write about the Octopus breach previously mentioned on this site.
The recent large-scale sale of personal data by Hong Kong’s Octopus Holdings Ltd. for the purposes of direct marketing is currently being investigated by the Hong Kong Privacy Commissioner and has prompted calls for reforms to the data protection regime.
Octopus provided the personal information of almost 2 million card holders to six insurance companies for direct marketing over a four-and-a-half-year period, earning the company HK$44 million in revenue.
The application form for the Rewards Program was drafted in such a way as to give Octopus very broad rights to deal with the personal information of card holders. In signing the application form for the Rewards Program, card holders automatically consented to their personal data being disclosed to any third party (at Octopus’s discretion) and used for direct marketing purposes. The only way that card holders were able to opt out of their personal information being sent to third parties was to first sign the form (thereby consenting to the distribution and sale of their data to any third party), and later call Octopus to opt out, a process which Octopus conceded would take approximately three days.
Read more on Chronicle of Data Protection.