Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
SHENZHEN, China--Hong Kong's data protection authority concluded that a medical center and an insurance broker engaged in the “deceitful” collection and sale of the personal data of more than 360,000 people over a two-year period, according to an investigation report released April 9.
Allan Chiang, Privacy Commissioner for Personal Data for the Hong Kong Special Administrative Region, said the case serves as a warning to companies of the higher fines and criminal sanctions possible under 2012 amendments to the Personal Data (Privacy) Ordinance (11 PVLR 1117, 7/9/12) and new guidance that took effect April 1 on provisions of the amendments related to direct marketing activities.
The DPA said its investigation found that Hong Kong Preventive Association Ltd. (HKPA) had collected personal data on 363,830 people and sold it to Aegon Direct Marketing Services Insurance Broker Ltd. over a period of two years for use in directly marketing insurance products in ways that breached data privacy rules.
Aegon paid over HKD 10 million (nearly $1.29 million) for the data it procured from HKPA, according to the DPA.
The DPA held that HKPA misled those it contacted into believing they were being offered free medical checkups under a “universal medical check-up scheme” supported by the government, and “failed to clearly explain” that the personal data would be transferred to Aegon.
Aegon had not obtained “voluntary and explicit consent” to use the personal data for direct marketing that differed from the original purpose of the data collection.
The investigation by the privacy commissioner highlights that there has been “quite a divergence” in the state of preparedness of companies for the new PDPO rules, Scott Thiel, foreign privacy consultant with DLA Piper in Hong Kong told BNA April 11.
“This sounds like a clear-cut case of contravention of the privacy ordinance and the direct marketing provisions that came into effect last week,” Thiel said. “There’s little doubt that data was being collected in a way that was not appropriate.”
The DPA ordered Aegon Direct to destroy by the end of September the personal data it collected from HKPA, with the exception of data on those that bought insurance products as a result of the HKPA referral. The office told the companies that if they failed to comply they would be liable for criminal penalties of up to two years and maximum fines of HKD 50,000 ($6,441). The report said that Aegon had already destroyed the data in compliance with the order.
“I sincerely wish all corporate data users to measure up to customers’ expectations and embrace privacy and data protection as a business imperative, instead of taking a remedial approach when sanction is invoked against them,” Chiang said in an April 9 statement announcing the release of the investigation report.
“At the minimum, they should seriously review their privacy policies and data protection practices to ensure compliance with the Ordinance,” Chiang said. “Strategically, they are encouraged to build a privacy-respectful culture within their organizations so as to win customers’ trust and enhance their competitive edge.”
Thiel said it is “quite extraordinary” that some businesses have continued to ignore the direct marketing requirements.
While many larger foreign-owned companies, particularly foreign banks, prepared ahead of time for the latest changes, some companies were still struggling with a “culture change” needed to ensure compliance from top to bottom, he said.
“The cultural change is the larger thing, getting that message down to what might be a very large sales force, getting that culture of compliance ready,” Thiel said. “It can be a real challenge to bring about that genuine cultural shift.”
Under the new guidance on direct marketing activities under the amended privacy ordinance, data users must obtain consent in writing from data subjects if they intend to use that data for any direct marketing purpose.
Data users must disclose their intent for how they will use the data and whether it will be used for financial gain. They must also inform data subjects how they can opt out, what kinds of data would be used, to whom the data would be provided, and how it will be specifically used in direct marketing.
Violation of the new provisions can result in fines of up to HKD $1 million ($128,000) and a maximum of five years imprisonment.
The amendments allowed data collected before April 1 to be used in direct marketing if the data were collected for direct marketing of related goods or services.
Thiel said these grandfathering provisions had been confusing to some organizations, and that there were still concerns regarding business-to-business marketing, which the guidance on direct marketing did not exempt.
While there is some thought that the privacy commissioner would not enforce this, there is still some “nervousness” around the business-to-business marketing and potential “danger” for large businesses that may be engaged in cross-selling within their own organizations, Thiel said.
By Michael Standaert
The investigation report is available at http://www.pcpd.org.hk/english/publications/files/R13_1138_e.pdf.
The “New Guidance on Direct Marketing” is available at http://www.pcpd.org.hk/english/publications/files/GN_DM_e.pdf.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)