Hong Kong DPA Finds Companies Violated Direct Marketing Rules


By Michael Standaert  

SHENZHEN, China--Hong Kong's data protection authority concluded that a medical center and an insurance broker engaged in the “deceitful” collection and sale of the personal data of more than 360,000 people over a two-year period, according to an investigation report released April 9.

Allan Chiang, Privacy Commissioner for Personal Data for the Hong Kong Special Administrative Region, said the case serves as a warning to companies of the higher fines and criminal sanctions possible under 2012 amendments to the Personal Data (Privacy) Ordinance (11 PVLR 1117, 7/9/12) and new guidance that took effect April 1 on provisions of the amendments related to direct marketing activities.

The DPA said its investigation found that Hong Kong Preventive Association Ltd. (HKPA) had collected personal data on 363,830 people and sold it to Aegon Direct Marketing Services Insurance Broker Ltd. over a period of two years for use in directly marketing insurance products in ways that breached data privacy rules.

Aegon paid over HKD 10 million (nearly $1.29 million) for the data it procured from HKPA, according to the DPA.

The DPA held that HKPA misled those it contacted into believing they were being offered free medical checkups under a “universal medical check-up scheme” supported by the government, and “failed to clearly explain” that the personal data would be transferred to Aegon.

Aegon had not obtained “voluntary and explicit consent” to use the personal data for direct marketing that differed from the original purpose of the data collection.

The investigation by the privacy commissioner highlights that there has been “quite a divergence” in the state of preparedness of companies for the new PDPO rules, Scott Thiel, foreign privacy consultant with DLA Piper in Hong Kong, told BNA April 11.

“This sounds like a clear-cut case of contravention of the privacy ordinance and the direct marketing provisions that came into effect last week,” Thiel said. “There’s little doubt that data was being collected in a way that was not appropriate.”

Threat of Fine, Prison Term

The DPA ordered Aegon Direct to destroy by the end of September the personal data it collected from HKPA, with the exception of data on those that bought insurance products as a result of the HKPA referral. The office told the companies that if they failed to comply they would be liable for criminal penalties of up to two years and maximum fines of HKD 50,000 ($6,441). The report said that Aegon had already destroyed the data in compliance with the order.

“I sincerely wish all corporate data users to measure up to customers’ expectations and embrace privacy and data protection as a business imperative, instead of taking a remedial approach when sanction is invoked against them,” Chiang said in an April 9 statement announcing the release of the investigation report.

“At the minimum, they should seriously review their privacy policies and data protection practices to ensure compliance with the Ordinance,” Chiang said. “Strategically, they are encouraged to build a privacy-respectful culture within their organizations so as to win customers’ trust and enhance their competitive edge.”

Thiel said it is “quite extraordinary” that some businesses have continued to ignore the direct marketing requirements.

While many larger foreign-owned companies, particularly foreign banks, prepared ahead of time for the latest changes, some companies were still struggling with a “culture change” needed to ensure compliance from top to bottom, he said.

“The cultural change is the larger thing, getting that message down to what might be a very large sales force, getting that culture of compliance ready,” Thiel said. “It can be a real challenge to bring about that genuine cultural shift.”

New Guidance on Direct Marketing

Under the new guidance on direct marketing activities under the amended privacy ordinance, data users must obtain consent in writing from data subjects if they intend to use that data for any direct marketing purpose.

Data users must disclose their intent for how they will use the data and whether it will be used for financial gain. They must also inform data subjects how they can opt out, what kinds of data would be used, to whom the data would be provided, and how it will be specifically used in direct marketing.

Violation of the new provisions can result in fines of up to HKD 1 million ($128,000) and a maximum of five years' imprisonment.

The amendments allowed data collected before April 1 to be used in direct marketing if the data were collected for direct marketing of related goods or services.

Thiel said these grandfathering provisions had been confusing to some organizations, and that there were still concerns regarding business-to-business marketing, which the guidance on direct marketing did not exempt.

While there is some thought that the privacy commissioner would not enforce this, there is still some “nervousness” around the business-to-business marketing and potential “danger” for large businesses that may be engaged in cross-selling within their own organizations, Thiel said.


The investigation report is available at http://www.pcpd.org.hk/english/publications/files/R13_1138_e.pdf.

The “New Guidance on Direct Marketing” is available at http://www.pcpd.org.hk/english/publications/files/GN_DM_e.pdf.
