Changes to Direct Marketing Privacy Laws come into force on 1 April 2013 1
February 2013
Changes to Direct Marketing Privacy Laws
come into force on 1 April 2013
Introduction
The Personal Data (Privacy) (Amendment) Ordinance 2012 (the “Amendment Ordinance”), introduced some important changes to personal data (privacy) laws in Hong Kong last year. Our newsletter of July 2012, summarising the changes, can be seen here.
One of the most important changes introduced was a new set of requirements imposed on data users who intend to use or transfer personal data for direct marketing purposes. The government has now announced that the provisions relating to direct marketing will come into effect on 1 April 2013.
Further, the Privacy Commissioner has now issued a set of guidance notes (“Guidelines”) to provide practical guidance on data users’ compliance with the new requirements. This newsletter summarises the practical requirements imposed by the new direct marketing provisions when considered in conjunction with the Guidelines.
What type of data use is covered by the “direct marketing”
requirements?
The direct marketing provisions are broad and cover the offering of the availability of goods, facilities or services, through various means of communication (such as telephone calls, sending information or goods addressed to specific persons by mail, fax, email or other means).
This broad definition of “direct marketing” has potentially far-reaching consequences for any person sending out information which could be considered to be “marketing” to the recipient. However, the Guidelines now make it clear that the Amendment Ordinance does not cover direct marketing which is “targeted at corporations as opposed to individuals in their personal capacities”.
Where it is clear that:
personal data is collected from individuals in their official capacities as the owner or staff of a corporation; and
the product/service is clearly meant for the exclusive use of the corporation;
Contents
Introduction ... 1 What type of data use is covered by the “direct marketing” requirements? ... 1 Use or Transfer of
Personal Data for Direct Marketing ... 2 Exemption:
Grandfathered Direct Marketing ... 2 How to inform and obtain consent from data
subjects ... 3 Designing your PICS ... 4 What you should do ... 4
Changes to Direct Marketing Privacy Laws come into force on 1 April 2013 2
the Privacy Commissioner will generally take the view that it is not appropriate to enforce the direct marketing regulations.
This means that data users who send out information to individuals of corporate clients, intended for the data subjects’ use in their corporate capacities, can breathe a sigh of relief: the new requirements will not apply to those activities. Nevertheless, any data user who is marketing to individual data subjects in the data subjects’ personal capacity will still be covered by the regulations.
Use or Transfer of Personal Data for Direct Marketing
The Amendment Ordinance requires data users to take steps to firstly, inform the data subject about certain matters (“Information”); and secondly, to obtain the data subjects’ consent to the use of their personal data for such purpose. The requirements differ depending on whether the data user is using the personal data for its own direct marketing purposes; or transferring it to another party for that party’s direct marketing purposes (i.e. cross-marketing). Specifically, where a data user intends to use personal data for his/her direct marketing purposes, the data user needs to inform the data subject of:
the intention to use his/her personal data for direct marketing;
that his/her personal data may not be used for direct marketing unless the data subject consents; and
the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used.
Where a data user is transferring personal data to another party, he/she must additionally inform the data subject of the classes of persons to whom the data may be transferred (and if it is being transferred for gain, that must be explicitly stated).
Having provided the requisite Information, consent must be obtained through a response channel. For data users using the data for their own direct marketing purposes, the data subject’s consent may be obtained orally, but the data user must send a written confirmation to the data subject within 14 days. For data users transferring the personal data to another entity for direct marketing purposes, the consent must be in writing. The mechanics of that consent are discussed below.
Even if the consent is obtained, when a data subject’s personal data is used in direct marketing for the first time, the data user must provide an “opt-out” option by informing the data subject of the right to require the data user to cease using the data.
Exemption: Grandfathered Direct Marketing
The new requirements which are set out above will not, generally speaking, apply to personal data properly collected and used in direct marketing before 1 April 2013 so long as certain criteria are fulfilled. If all the criteria are fulfilled, a data user can continue to use the grandfathered personal data as long as it is used for the direct marketing of the data user’s own
products/services which belong to the same class of products/services as before.
The grandfathering arrangement does not apply to cross-marketing; this means that after 1 April 2013, no new cross-marketing may take place unless the new requirements are complied with.
How to inform and obtain consent from data subjects
The Guidelines offer some important guidance as to how data users should set out the Information, and obtain the requisite consent from data subjects. It is prudent for data users to provide the Information by way of a written notice known as a Personal Information Collection Statement (“PICS”).
Data users should be aware that if the Information is not properly set out, the consent which is obtained may be deemed to be unfairly obtained and in breach of the data protection principles (“DPP”) within the PDPO.
For example, when providing the Information to the data subject:
in specifying the classes of marketing subjects, the description should be specific, making reference to the distinctive features of the goods, facilities or services;
in specifying the “permitted class of persons” to whom data may be transferred, the data user must be similarly specific, and not overly vague.
Having provided the requisite Information, the data user must provide a response channel for the data subject to communicate his/her consent. A response channel may be a hotline, a fax number, email account, online facility, address, or other such means.
“Consent” is defined broadly to include (as well as positive consent) “an indication of no objection to the use or provision” of the personal data. The Guidelines now confirm that in order to qualify as an “indication of no objection”, the data subject must have explicitly indicated that he/she does not object to the use (or transfer, if appropriate) of his/her personal data in direct marketing.
For example, consent may be given if the data subject:
has not checked the tick box indicating objection to receiving direct marketing materials (but having signed an agreement acknowledging the data user’s notification regarding the collection, use and provision of personal data); or
has ticked the box “I do not object to the use of my personal data for direct marketing of XXX” in an application form.
However, consent cannot be inferred, and silence does not constitute consent.
In designing a PICS or privacy terms and conditions within a broader document, data users should bear in mind that the Privacy Commissioner will
Changes to Direct Marketing Privacy Laws come into force on 1 April 2013 4
assess whether the data is being collected and used within the framework of the broader DPP.
What you should do
In view of the imminent changes to the direct marketing regime, we remind clients of the preparatory steps which might usefully be taken prior to 1 April 2013:
review the standard PICS and other relevant terms and conditions of agreements to determine the extent they will need to be amended to comply with the new requirements;
consider to what extent the grandfathering arrangements will apply to personal data currently held and used for direct marketing and whether a fresh exercise to obtain consent should be conducted;
consider whether you conduct cross-marketing and if so, whether consent from data subjects needs to be obtained; and
develop or update internal personal data policies and procedures. Should you have any questions regarding these recent data privacy developments, please contact either Rowan McKenzie or Deborah Papworth.
Designing your PICS
1. Only personal data which is necessary, adequate and not excessive should be sought and collected for use in direct marketing.
2. Both the Information provided and the mechanics of the consent must be fair and lawful in order to be considered valid. This includes:
giving clear consent options to a data subject so that he/she can consent to the use of his/her personal data for some purposes, but not for others (such as direct marketing); and
informing data subjects of their right to indicate separately whether their consent relates to the use and/or the transfer of their personal data.
3. The Information should be presented in an easily understandable and readable manner (for example, where it is given in written format, ensuring clear and simple language is used and that the font is large enough to be easily readable).
4. In order to ensure that data subjects properly understand the intended use of their personal data, data users should clearly and specifically define the purpose of use, and the classes of persons to whom the data may be transferred - this means not using loose or vague terms.
Changes to Direct Marketing Privacy Laws come into force on 1 April 2013 5
A16142456/0.15/06 Feb 2013
This publication is intended merely to highlight issues and not to be comprehensive, nor to provide legal advice. Should you have any questions on issues reported here or on other areas of law, please contact one of your regular contacts, or contact the editors.
© Linklaters. All Rights reserved 2013
Linklaters Hong Kong is a law firm affiliated with Linklaters LLP, a limited liability partnership registered in England and Wales with registered number OC326345. It is a law firm authorised and regulated by the Solicitors Regulation Authority. The term partner in relation to Linklaters LLP is used to refer to a member of the LLP or an employee or consultant of Linklaters LLP or any of its affiliated firms or entities with equivalent standing and qualifications. A list of the names of the members of Linklaters LLP and of the non-members who are designated as partners and their professional qualifications is open to inspection at its registered office, One Silk Street, London EC2Y 8HQ, England or on www.linklaters.com. Please refer to www.linklaters.com/regulation for important information on our regulatory position.
We currently hold your contact details, which we use to send you newsletters such as this and for other marketing and business communications.
We use your contact details for our own internal purposes only. This information is available to our offices worldwide and to those of our associated firms.
If any of your details are incorrect or have recently changed, or if you no longer wish to receive this newsletter or other marketing communications, please let us know by emailing us at [email protected].
Contacts
For further information please contact: Rowan McKenzie Head of Employment and Incentives (+852) 2901 5224 [email protected] Deborah Papworth Managing Associate (+852) 2901 5814 [email protected]
10th Floor, Alexandra House Chater Road Hong Kong Telephone (+852) 2842 4888 Facsimile (+852) 2810 8133/2810 1695 Linklaters.com
