On 30 December 2015, the Eastern Magistrates’ Court convicted its first case (ESS 24178-9/2015) where a person provided personal data to a third party for use in direct marketing without consent.

Factual background

This case involved two defendants, Mr Leung, a property agent, and Ms Tam, an insurance agent. Mr Leung obtained the name and mobile number (the “Personal Data”) from his university alumni colleague (the “Complainant”) at a social event, whereby Mr Leung failed to (i) inform and (ii) seek the Complainant’s consent that he would provide the Personal Data to a third party, Ms Tam, for direct marketing.

Two months later, Ms Tam telephoned the Complainant on two separate occasions.  In the first call, Ms Tam introduced herself as an agent of an insurance company and stated that she obtained the Personal Data from Mr Leung.  In the second call, Ms Tam again tried to provide the Complainant with information regarding financial planning and insurance products; the Complainant immediately expressed that he had no interest in such information and hung up.

Based on the two telephone calls, the Complainant filed a complaint to the Office of the Privacy Commissioner for Personal Data in April 2014.

What is a valid consent in direct marketing?

Under section 35C of the Personal Data (Privacy) Ordinance (Cap 486) (“PDPO”), a data user who intends to use the data subject’s personal data in direct marketing must take the following specific actions to:

1.       inform the data subject that the data user intends to use the personal data;

2.       provide the data subject with information of the intended use of the personal data;

3.       provide the data subject with a channel to communicate the data subject’s consent to the intended use.

Under section 35J of the PDPO, a data user who intends to pass the data subject’s personal data to a third party for the use of direct marketing must take the following specific actions to:

1.       inform the data subject in writing that the data user intends to provide the personal data to a third party, and the data user must not provide the personal data unless the data subject has given his/her written consent to the intended provision;

2.       provide the data subject the written information on (i) whether the personal data would be provided for gain; (ii) the kinds of personal data to be provided; (iii) the class of persons to which the data is to be provided; and (iv) the fact that the data subject has a channel to communicate the data subject’s consent to the intended provision in writing.

The PDPO requires that data users (individuals or organisations) seek a data subject’s valid consent before using the subject’s personal data in direct marketing or transferring such personal data to a third party for use in direct marketing.

Valid consent under the PDPO means that the data user must take the following specific actions to notify the data subject of:

1.       the types of personal data to be used;

2.       the classes of goods or services that will be marketed; and

3.       the available response channels where the data subject can give or revoke his/her consent. 

Furthermore, when transferring personal data to a third party for use in direct marketing, the data user must inform the individual of:

1.       the classes of transferees receiving the personal data; and

2.       whether the personal data will be transferred for gain.

Verdict

The Eastern Magistrates’ Court found Mr Leung guilty of providing personal data in direct marketing without taking specified actions, contravening section 35J of the PDPO.

Under section 35J of the PDPO, it is an offence to provide personal data to a third party without taking certain specified actions and obtaining consent.  The Magistrate stated that if Mr Leung had benefited from his offending actions, the maximum sentence would be 5 years of imprisonment and HK$1,000,000 in fines.  If however, Mr Leung had not benefited, the maximum sentence would be 3 years of imprisonment and HK$500,000 in fines.  Given that Mr Leung had not benefited from the offending actions, the Magistrate imposed a fine of HK$5,000 after considering all factors in Mr Leung’s case.

Ms Tam, on the other hand, was acquitted on the facts of the case.  Under section 35C of the PDPO, it is an offence to use personal data in direct marketing without taking specified actions.  However, given the Complainant had interrupted Ms Tam’s introduction and subsequently hung up the call, the Court could not rule out the possibility that she may have attempted to take those specified actions during her introduction.

Conclusion

As the first piece of case law for contraventions under sections 35C and 35J of the PDPO for direct marketing, it is certain that an individual now after disclosing personal data to third parties from social circumstances faces greater risk of breaking the law.  Not only do commercial data users (e.g. insurance organisations, financial intermediaries or service industries) need to be aware of the protections offered by the PDPO, but individuals who are able to collect, store, process or transfer personal data must also be weary of these protections on personal data. Commercial data users must now prepare a Privacy Policy Statement and a Personal Data Collection Statement in their data collection materials for the data subjects’ reference.