In the 21st century, we are living in the digital world. Personal information and data can be easily collected, accessed and transferred. It is important to safeguard the usage and collection of personal data as the business and technologies have been changing over time. In Hong Kong, Article 30 of the Basic Law states that ‘the freedom and privacy of communication of Hong Kong residents shall be protected by law.’ Furthermore, the Hong Kong Personal Data (Privacy) Ordinance (Cap 486) (PDPO) is the essential law that protects the privacy of the individuals regarding to personal data. It was enacted in 1995 and based upon the United Kingdom’s Data Protection Act 1984. Nevertheless, the PDPO came into force for more than 17 years, it is being overhauled that the inadequacy to deal with many privacy issues created by the development of the technology. In 2009, the government realised that there was a need for reform of the PDPO and conducted the public consultation. In 2010, due to the strong public reaction with regards to the incident involving Octopus Holding Limited for its unauthorized sale of the personal data of its customers, it reflected the necessity for the reform of the Ordinance. In June 2012, the Legislative Council passed the Personal Data (Privacy) (Amendment) Ordinance which tried ‘to balance the enhancement of data subject’s rights on the one hand and the data user’s effective use of personal data on the other.’ In this paper, I am discussing whether the amendment of the PDPO has effectively addressed the current problems as the use and transfer of personal data is easier in the digital world today.
Due to the public uproar over the sale by the Octopus Card management company of the personal data of millions of its clients to business partners through current technologies, a great portion of the amendments have targeted with this specific types of transfer of personal data and implemented stricter control regarding the sale of personal data for direct marketing. Section 34 of the PDPO was replaced by new Part VIA which states that ‘data users intending to use personal data for direct marketing purpose must provide an opt-out to data subjects at the time of the first use of such data for direct marketing.’ Although the opt-out right of data subject remains the same, the replacement of section 34 imposed some mandatory requirements which personal data is to be transferred for direct marketing purposes. The amendments have included the timing of data subject’s right to opt-out at any time which was not specified before. In addition, the data users are required to specific actions to inform and acquire consent from the data subjects for the intended use of personal data for direct marketing that were not specifically required before the amendment. Furthermore, the penalty for non-compliance of the ‘opt-out’ right of data subject has increased from HK$10,000 to HK$ 500,000 and three years imprisonment. These newly added requirements comply with the Data Protection Principle 1 (DPP1) which requires the data subject must be given reasons for the collection of the data and Data Protection Principle 3 (DPP3) that requires the need of consent to the use of personal data. I understand the increment of the penalty as the previous fine did not serve a effective deterred effect, especially to big companies for which such a penalty is a mere trifle. However, I do not perceive the more liberal approach in Part VIA which provides ‘consent, in relation to the use of personal data in direct marketing or a provision of personal data for use in direct marketing, includes an indication of no objection to the use or provision.’ It is unreasonable to treat silence as consent as it is stipulated in the fundamental contract law principle which ‘the general rule is that silence does not amount to an acceptance.’ It is unfair and burdensome for the data subject to take the positive action against the...
Please join StudyMode to read the full document