Landmark Case for Abuse of Personal Data
In the September 9th landmark decision, the Hong Kong Magistrates’ Court convicted Hong Kong Broadband Network (“HKBN”) of a criminal offence for failing to comply with the direct marketing provisions of the Personal Data (Privacy) Ordinance (“PDPO”).
The facts of the case are quite unremarkable. It is the decision, and what it means for consumer businesses in Hong Kong, that is noteworthy. A broadband customer received a voicemail from HKBN, reminding him about his contract termination date and offering new service packages. The individual had sent a direct marketing opt-out request to the company, which had been acknowledged by the company in writing. The individual made a complaint to the Privacy Commissioner for Personal Data (“Commissioner”), alleging a breach of the PDPO. The relevant provision is section 35G(3), which requires a data user to cease using an individual’s personal data in direct marketing upon that individual’s request. Failure to do so is an offence.
The Court did not accept HKBN’s defence that the phone call was a “service related call” and necessary to inform the client about his contract coming to an end.
The Court was also not convinced that the precautionary steps taken by HKBN to prevent violations of the PDPO were sufficient to exonerate the company. Those measures included training new staff on legal requirements, amending the client handbook and randomly monitoring two phone calls by employees every week.
The Court convicted the company and imposed a fine of HK$ 30,000.
SIGNIFICANCE OF THE CASE
That HKBN was taken to court and fined for what it might have considered a relatively minor offence demonstrates the firm approach being taken by the Commissioner, the Police and the Department of Justice in relation to direct marketing. Enforcement measures will not necessarily depend upon financial loss or other harm being suffered, nor indeed upon the number of individuals impacted. When organisations engage in direct marketing, customers’ opt-out requests should be complied with every time. Corporations should adopt clear policies and procedures, particularly with regard to maintaining and updating opt-out lists. Organisation-wide training is essential to mitigate the practical risk of staff breaching the law, and also to substantiate a defence in the event that a breach does occur.
This conviction, which is the first of its kind, will undoubtedly serve as a wake-up call for organisations with institutional complacency on the issue of privacy, and may support a culture of more “responsible” marketing. The maximum penalty for direct marketing offences under the PDPO was raised in April 2013 from HK$ 10,000 to HK$ 500,000 and 3 years’ imprisonment. The fine imposed in this instance was relatively low, but it is likely that much larger fines will be deemed appropriate for offences involving significant numbers of customers. For large companies, the reputational damage is likely to be more wounding than the fines.