of the customers. The bank was therefore found to have contravened DPP3 in disclosing
the personal data for obtaining benefit.[21]
7.57 In another complaint handled by the Commissioner, telemarketers collected personal
data from targeted customers over the telephone by “offering” them free medical
check-ups, and then passed such data to an insurance broker for use in direct
marketing. The so-called “administration fee” received by the telemarketers from the
insurance broker was not a cost recovery charge based on the number of promotional
calls made, but in effect the monetary reward for the provision of personal data. The
Commissioner considered that the true purpose of the offer of free medical check-ups
by the telemarketers was to entice target customers to provide their personal data for
sale in bulk to the insurance broker. The Commissioner found that neither the transfer of
the complainants’ personal data to the insurance broker by the telemarketers nor the
subsequent use of their personal data by the insurance broker for direct marketing fell
within the stated purpose of use when the data was collected, or the reasonable
expectation of the complainants. In the absence of the complainants’ prescribed
consent, both the telemarketers and insurance broker had contravened DPP3.[22]
7.58 The impact of the misuse and sale of personal data for direct marketing purposes (as
shown in particular in the Octopus Card case) on privacy prompted the government to
tackle this issue of public concern by strengthening the regulatory framework of the
Ordinance. The new requirements on the use of personal data in direct marketing under
Part 6A of the Ordinance, as amended, became effective on 1 April 2013. More details
about the new regulatory framework are provided in paragraphs 7.74 to 7.86 of this
Chapter.
Prescribed Consent
7.59 When the use of personal data does not fall within the original purpose of collection or
its directly related purpose, or where the data user is uncertain as to the proper use of
the personal data, the prescribed consent from the data subject will have to be
obtained to ensure compliance with DPP3(1), unless the exemption(s) set out in Part 8 of
the Ordinance applies.[23] The term “prescribed consent” is defined under section 2(3) of
the Ordinance:
(3) Where under this Ordinance an act may be done with the prescribed consent of a
person (and howsoever the person is described), such consent –
(a) means the express consent of the person given voluntarily;
(b) does not include any consent which has been withdrawn by notice in writing
served on the person to whom the consent has been given (but without prejudice
[21] See also Investigation Report No. R11-1745 for similar views expressed by the Commissioner, available on the Website ( https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R11_1745_e.pdf ). In 2014, the Commissioner published the Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry providing guidance on the requirements under the Ordinance, which can also be downloaded from the Website ( https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_banking_e.pdf ).
[22] See Investigation Report No. R13-1138, available on the Website: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R13_1138_e.pdf
[23] For discussion of the Part 8 exemptions, readers may refer to Chapter 12.