Media Statement - PCPD Joins Global Sweep Exercise to Examine Consumers’ Control Over Their Personal Data Collected by Customer Loyalty and Reward Programmes

Date: 23 May 2017


(23 May 2017)  The Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) will participate in the annual exercise of the Global Privacy Enforcement Network (“GPEN”) in conducting a “Privacy Sweep” from 22 to 26 May 2017[1]. The theme of this year’s Privacy Sweep is “User Control over Personal Information”, in which participating Privacy Enforcement Authorities (“PEAs”) will examine the practice of business enterprises or organisations in relation to their privacy communication with their customers (i.e. data subjects), and the ease with which they can exercise their rights and control over their own personal data.

Participating PEAs may focus on different sectors, like health, retail, travel, etc. The PCPD will examine customer loyalty programmes and reward schemes operated by different sectors, with a view to understanding how the operators of those programmes collect and use personal data of their customers; the transparency in the processing of personal data; and the degree of control their customers have over the use and retention of personal data, etc. 

Loyalty programmes are popular amongst business enterprises to attract and retain customers. Generally, they seek to promote return visits and increase consumer spending by providing incentives such as discounts, frequent-visit stamps, or accumulation of loyalty points.

To administer these reward schemes, business enterprises or organisations will invariably collect a certain amount of personal data for records and redemption purposes. However, it is not uncommon that data may also be collected or generated in respect of the consumers’ shopping habits and personal preferences. This information may be utilised by those businesses for marketing their products, or potentially be passed on to other organisations for further processing and analysis. The information may also be used to predict customers’ potential ‘wish-lists’ to facilitate targeted advertising. In addition to collection and use of the personal data, data security and retention period of the data may be a concern.

The Sweep exercise will look at the adequacy and transparency of information provided to customers when personal data is collected from them; whether the data collection is fair and not excessive; how that data is used; and whether the customers are given sufficient means to exercise control over their own personal data, such as retention and transfer of the data.

Mr Stephen Kai-yi WONG, Privacy Commissioner for Personal Data, Hong Kong said, “People value their control over their own personal data. The collection of personal information by businesses is increasingly extensive, especially through online and other automated means. This information can be used in tailoring advertising and recommendations with a view to providing personalised services, but at the same time the use can be privacy-intrusive. A fine balance has to be struck between the legitimate purposes of businesses in collecting, using and processing personal data, and individuals’ right to privacy. Informed consent, in that there are no surprises, and meaningful choices exercised by customers about the processing of their personal data are essential in striking the balance.”

The results of the Privacy Sweep 2017 will be made public in the fourth quarter of this year. Concerns identified during the Sweep may result in follow-up actions, such as public education and promotion, outreach to organisations or enforcement actions.

– End –

Appendix – List of Participants in the 2017 Sweep
| Country/Region | Name of the Privacy Enforcement Authority |
| --- | --- |
| Albania | Information and Data Protection Commissioner |
| Australia | Office of the Australian Privacy Commissioner |
| Australia, Victoria | Office of the Commissioner for Privacy and Data Protection |
| Australia | Office of the Children’s eSafety Commissioner |
| Canada | Office of the Privacy Commissioner |
| Canada, Alberta | Office of the Information and Privacy Commissioner of Alberta |
| Canada, British Columbia | Office of the Privacy Commissioner for British Columbia |
| Canada, Ontario | The Office of the Information and Privacy Commissioner of Ontario |
| China, Hong Kong | Office of the Privacy Commissioner for Personal Data, Hong Kong |
| China, Macau | Office for Personal Data Protection |
| Colombia | Superintendencia de Industria y Comercio |
| Estonia | Estonian Data Protection Inspectorate |
| France | Service des affaires economiques |
| Germany, Bavaria | Bavarian Data Protection Authority |
| Germany, Hessen | Data Protection Commissioner of Hessen |
| Gibraltar | Gibraltar Regulatory Authority |
| Ireland | Office of the Data Protection Commissioner |
| Israel | Israeli Law, Information and Technology Authority |
| Italy | Garante Per La Protezione Dei Dati Personali |
| Japan | Personal Information Protection Commission |
| Korea | Korea Internet & Security Agency |
| Mexico | National Institute for Transparency, Access to Information and Personal Data Protection (INAI) |
| Morocco | CNDP |
| New Zealand | Office of the Privacy Commissioner |
| Singapore | Personal Data Protection Commission |
| United Kingdom | United Kingdom Information Commissioner’s Office |
| United States | Federal Trade Commission |
 


[1] GPEN was established to foster cross-border cooperation among Privacy Enforcement Authorities. This year, 27 Privacy Enforcement Authorities from around the world (full list at Appendix), including the PCPD, will participate in the Sweep to broaden public and business awareness of data privacy rights and responsibilities, identify data privacy concerns which need to be addressed, and encourage compliance with data protection legislation. Similar exercises have been conducted by PCPD annually since 2013.