Last month, an insurance agent was charged and convicted of two offences under the Personal Data (Privacy) Ordinance (Ordinance), receiving a Community Service Order of 80 hours. This marks the fifth reported occasion on which Hong Kong courts have handed down convictions for breaching the Ordinance's direct marketing provisions, which came into force on 1 April 2013.
This is, however, the first time a court has ordered community service as opposed to a fine, making it a precedent which will no doubt concern businesses who 'sail close to the wind' in their direct marketing practices.
The case arose when an individual, having purchased an insurance policy with one insurance company (whose service had been suspended), received a letter from an insurance agent promoting the services of another insurance company. The individual had not consented to his personal data being used in direct marketing, nor had he been informed of his opt-out rights. He subsequently complained to the Privacy Commissioner for Personal Data (Commissioner), who referred the complaint to the police.
The Ordinance requires any person that controls the collection, processing or use of personal data (a 'data user') to obtain consent and provide clear notifications about their intended direct marketing activities. When using personal data in direct marketing for the first time, the data user is also required to inform individuals about their right to opt out. Opt-out must be offered free of charge, and if requested the data user must then cease direct marketing in respect of that individual.
In this case, the conviction fell on the insurance agent, who was likely a joint data user with the insurance company. But liability can often arise for more than one party involved. It is worth noting that where a company is a data user, a 'rogue agent' or 'rogue employee' argument will only constitute a defence under the direct marketing provisions if the company can demonstrate that it 'took all reasonable precautions and exercised all due diligence' to avoid the offence. Data users are expected to provide appropriate staff training, and to impose adequate obligations on agents and service providers, in order to prevent activities occurring which would breach the Ordinance.
What can we expect next in privacy enforcement?
The first prison sentence under the Ordinance was ordered in 2014. We have not yet seen prison sentences for direct marketing offences, but this would be an unsurprising development in light of the current trend in privacy enforcement in Hong Kong. Interestingly, the current case dates back to a complaint from July 2014, which could mean there are many more cases like it in the pipeline.
Most of the enforcement action to date has stemmed from consumer complaints, which indicates a growing awareness and concern among citizens for their privacy. It also indicates a limited tolerance for the level of spamming and unsolicited marketing which remains common in Hong Kong. There have also been calls to address a gap in the law that still permits some types of 'cold calling' (eg using auto-generated telephone numbers which are technically outside the scope of the Ordinance).
Direct marketing is a particular risk area for businesses: because of the 'annoyance factor', the risk of complaints for unsolicited marketing is high, even from individuals who are not otherwise privacy-sensitive. By adopting fair and transparent practices, and ensuring that consent is obtained from individuals, businesses can mitigate their compliance risk while also targeting their marketing efforts towards those who are receptive and likely to be interested. One of the challenges for businesses who rely heavily on direct marketing is the initial engagement with the customer, and these businesses are looking to diversify channels for collecting consent in the first place. We have been assisting clients with their engagement strategy and direct marketing practices to ensure their practices comply with the law.
Companies in Hong Kong also face the challenge of sales staff or agents transporting client lists from company to company. It is unlawful for any employee, agent or service provider to take client lists from one company to another, unless they have notified the individuals about this transfer from the outset or subsequently obtained consent. Removal of client lists is also likely to constitute a breach of confidentiality, an actionable breach of employment duties or contractual undertakings, and in some cases an infringement of intellectual property rights.
We will continue to monitor developments and provide our clients with updates. In the meantime, if you would like further information on data privacy laws in Asia Pacific or elsewhere, our data privacy team would be pleased to hear from you.