Personal Data (Privacy) (Amendment) Bill 2011
*********************************************

     The Government said today (July 7) that the Personal Data (Privacy) (Amendment) Bill 2011 (the Bill) would be introduced into the Legislative Council on July 13.

     "The Bill seeks to implement the proposals in the Report on Further Public Discussions on Review of the Personal Data (Privacy) Ordinance (the further public discussions report) released in April 2011," a Government spokesman said.

     "Recent cases of transfer of customer personal data by some enterprises to others for direct marketing purposes without explicitly and specifically informing the customers of the purpose of the transfer and the identity of the transferees, and seeking the customer's consent, have aroused widespread community concerns. We need to address these concerns and improve the operation of the Personal Data (Privacy) Ordinance (PDPO).

     "To provide data subjects with an informed choice as to whether to allow the use of their personal data in direct marketing, the Bill includes provisions requiring a data user who intends to use personal data in direct marketing or provide personal data to other persons for use in direct marketing to inform the data subject in writing of the kinds of personal data to be used or provided, the classes of persons to which the data is to be provided, and the classes of goods, facilities or services to be offered or advertised or the purposes for which donations or contributions may be solicited. The data user is also required to provide the data subject with a response facility through which the data subject may, without charge from the data user, indicate in writing to the data user whether the data subject objects to the intended use or provision. Such information and the response facility must be presented in a manner that is easily readable and easily understandable.

     "We propose to adopt the arrangement so as to strike a balance between the protection of personal data privacy and allowing room for businesses to operate while providing data subjects with an informed choice as to whether to allow the use of their personal data in direct marketing.

     "A data user who uses personal data in direct marketing or provides personal data to other persons for use in direct marketing without complying with the requirements or against the wishes of the data subject will be liable, on conviction, to a fine of $500,000 and imprisonment for three years.

     "If, after the provision of the information and response facility required, the data subject sends a reply to the data user indicating that he or she does not object, the data user may proceed to use or provide the data for use in direct marketing. If no reply indicating objection is sent within 30 days after the information and response facility are presented to the data subject or after the data is collected, the data subject will be taken not to object. The reply has to be in writing, whether or not through the response facility.

     "The Bill further provides that, irrespective of whether a data subject has, within the 30-day response period, sent any written reply to the data user indicating no objection, the data subject may subsequently, at any time, object in writing to the use or provision of his or her personal data and the data user will then have to cease to use or provide the data subject's personal data for use in direct marketing. The data subject may also require the data user to notify the persons to whom his or her personal data has been provided for use in direct marketing to cease to so use the data. Upon receipt of the notification, the persons concerned have to cease to so use the data and failure to do so will be an offence. The penalty for contravention of these provisions will be a fine of $500,000 and imprisonment for three years. This will enhance protection to data subjects," the spokesman said.

     "Some of the recent cases of transfer of customer personal data by enterprises involve monetary gains. This has aroused widespread concerns and there are calls from different quarters of the community for criminalising such acts. In response to these concerns, the Bill introduces specific requirements regarding sale of personal data. A data user who intends to sell personal data must, before the sale, inform the data subject in writing of the kinds of personal data to be sold and the classes of persons to which the data is to be sold. The data user is also required to provide the data subject with a response facility through which the data subject may, without charge from the data user, indicate in writing to the data user whether the data subject objects to the intended sale. Such information and the response facility must be presented in a manner that is easily readable and easily understandable.

     "A data user who sells personal data without complying with the requirements or against the wishes of the data subject will be liable, on conviction, to a fine of $1 million and imprisonment for five years.

     "As with the use of personal data in direct marketing, if no reply indicating objection to the sale is sent within 30 days after the information and response facility are presented to the data subject or after the data is collected, the data subject will be taken not to object. The reply has to be in writing, whether or not through the response facility. Irrespective of whether a data subject has, within the 30-day response period, sent any written reply to the data user indicating no objection, the data subject may subsequently, at any time, object in writing to the sale of his or her personal data and the data user will then have to cease to sell the data subject's personal data. Furthermore, the data subject may also require the data user to notify the persons to whom his or her personal data has been sold to cease using the data. Upon receipt of the notification, the buyers have to cease using the data. Failure to do so will be an offence. The penalty will be a fine of $1 million and imprisonment for five years.

     "It will also be an offence for a person who obtains personal data from a data user without the data user's consent, and subsequently discloses the personal data with an intent to obtain gain in money or other property, whether for the benefit of the person or another person; with an intent to cause loss in money or other property to the data subject; or causing psychological harm to the data subject. The penalty will be a fine of $1 million and imprisonment for five years.

     "In addition, the Bill empowers the Privacy Commissioner for Personal Data (PCPD) to provide legal assistance to an aggrieved data subject who intends to institute legal proceedings against a data user to seek compensation.

     "The Bill also provides for implementation of other proposals that we intend to take forward as indicated in the further public discussions report."

     The PDPO has been in force since 1996. Having regard to developments over the last decade, the Government has reviewed the PDPO with the support of the PCPD. The legislative proposals in the Bill were drawn up after consideration of the views received from the public consultation during August to November 2009 and further public discussions during October to December 2010.

Ends/Thursday, July 7, 2011
Issued at HKT 17:14
