LCQ20: Protection of consumers' personal data
*********************************************

     Following is a question by the Hon Kenneth Lau and a written reply by the Acting Secretary for Constitutional and Mainland Affairs, Mr Ronald Chan, in the Legislative Council today (November 23):
 
Question:
 
     In recent years, with the increasing popularity of members of the public using various types of online payment facilities for conducting online transactions, there are concerns about the risk of personal data disclosed by consumers in the process of such transactions being misused by traders.  The Consumer Council has revealed earlier that some traders keep, after termination of service by the customers, those customers' personal data for up to seven years and even indefinitely.  Moreover, the provisional liquidator of a closed fitness centre chain plans to sell the personal data of the centre's members for use in direct marketing.  In this connection, will the Government inform this Council:
 
(1) of the number of complaints received by the authorities in the past five years about misuse of consumers' personal data disclosed to traders in the process of online transactions and, among them, the number of those involving the use of cross-border payment services; the measures in place to curb the practice of non-local traders misusing the personal data disclosed by Hong Kong residents when conducting online transactions; 

(2) of the existing mechanism or legislation restricting traders from keeping customers' personal data for a prolonged period or misusing such data after the closing down of their business or expiry of the actual time required for the fulfillment of the purpose for which the personal data are collected; and 

(3) whether it will consider amending the legislation to stipulate that traders are not permitted to keep customers' personal data beyond (i) a statutory period or (ii) such period that they have indicated to their customers for which the data will be kept? 

Reply:
 
President,
 
     After consulting the Office of the Privacy Commissioner for Personal Data (PCPD), my consolidated reply to the questions raised by the Hon Lau is as follows:
 
     From January 1, 2012 to October 31, 2016, PCPD received 3 complaints relating to the misuse of consumers' personal data provided during online transactions.  There is, however, no information showing whether these cases involved the use of cross-border payment services.
 
     According to Data Protection Principle 2(2) under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), data users (such as traders) should ensure that personal data is not kept for a period longer than is necessary to fulfil the purpose for which the data is used.  Section 26(1) of PDPO also provides that, where personal data is no longer required for the purpose for which it was used, the data user must take all practicable steps to erase the personal data.
 
     Moreover, Data Protection Principle 3 protects the personal data of data subjects (such as consumers) from being used in purposes not expected originally.  The Principle stipulates that personal data shall not, without the prescribed consent of the data subject, be used for any new purpose other than the purpose for which the data were to be used at the time of the collection of the data or directly related purposes.  
 
     Part 6A of PDPO further requires that, if a trader intends to provide customers' personal data to a third party for use in direct marketing, he must inform the data subjects in writing of his intention to so provide the data, and provide them with the prescribed information (including the kinds of personal data to be provided, the classes of persons to which the personal data is to be provided, etc.); if the provision of the personal data is for gain (such as in return for money), data subjects must also be informed explicitly in writing.  Traders must obtain written consent from the data subjects before providing their personal data to a third party for use in direct marketing.
 
     Since different data users will collect, retain and use different kinds of personal data by different means and for different purposes, and the reasonable retention periods required are different (note), PDPO does not specify a uniform statutory time limit for the retention of personal data.  Nevertheless, whether or not the data user has stated a retention period for the personal data in its control, the requirements under PDPO are still applicable.  PCPD will handle complaints about inappropriate collection, retention or use of personal data; and may initiate compliance checks or investigations if it has reasonable grounds to believe that there is any contravention of the requirements under PDPO.
 
     If a non-local trader is able to control, in or from Hong Kong, the collection, holding, processing or use of the personal data concerned, he is also subject to regulation under PDPO.
 
     PCPD has been a participant in collaboration arrangements with international privacy enforcement authorities.  If a data user is found contravening in another jurisdiction the privacy regulations of that jurisdiction, intelligence and information will be shared with the jurisdiction's privacy enforcement authority to facilitate their taking suitable actions.
 
Note: For example, section 8.4 of the Guideline on Anti-Money Laundering and Counter-Terrorist Financing (For Stored Value Facility Licensees) issued by the Hong Kong Monetary Authority requires stored value facility licensees to keep a customer's identity document throughout the business relationship with the customer and for a period of six years after the end of the business relationship; section 3.4A of the Code of Practice on Consumer Credit Data issued by PCPD provides that, a credit reference agency may retain the account repayment data until the expiry of five years after account termination, if the data does not reveal a material default or a status of write-off due to a bankruptcy order.

Ends/Wednesday, November 23, 2016
Issued at HKT 15:40

NNNN