@eLaw.com.hk 葉謝鄧律師行

There are a variety of offences, for example non-compliance with an enforcement notice served by the Privacy Commissioner carries a penalty of a fine at Level 5 (at present $25,001 to $50,000) and imprisonment for 2 years.

An individual who suffers damage, including injured feeling, by reason of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned.

Under Part VIII, specific exemptions from the requirements of the Ordinance are provided.

They include:

1 a broad exemption from the provisions for personal data held for domestic or recreational purposes;

2 exemptions on subject access for certain employment related personal data (for example?) ; and

3 exemptions where application is likely to prejudice certain competing public or social interests, such as: security, defence and international relations; prevention or detection of crime; assessment or collection of any tax or duty; news activities; and health.

The Ordinance came into force on 20th December 1996. However, it must be noted that some of the provisions, especially those relating to the cross-border transfer of personal data to a place outside Hong Kong, have not yet come into effect.

The relevant laws that protect data privacy in Hong Kong are expressed by way of six principles under Schedule 1 of the Ordinance. These six principles regulate the collection, access, use, storage and processing of personal data by ‘data users’ and outline the rights that extend to ‘data subjects’. For the full version of the 6 principles, please refer to pages 232-234 of your textbook. The following is the brief description of the six principles.

Principle 1 Purpose and manner of collection of personal data

This principle provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from a subject.

Principle 2 Accuracy and duration of retention of personal data

This principle provides that personal data should be accurate, up-to-date and kept no longer than necessary.

Principle 3 Use of personal data

Principle 3 discusses how data may be used. This principle restricts the uses to which data may be applied and provides that unless the data subject gives consent, personal data should be only used for the purposes for which they were collected or a directly related purpose.

Principle 4 Security of personal data

This principle establishes appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).

Principle 5 Information to be generally available

Principle 5 provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.

Principle 6 Access to personal data

This provides for data subjects to have rights of access to and correction of their personal data.

The Data Protection (Privacy) Ordinance is the legal and regulatory framework for data protection and privacy in Hong Kong.

The Ordinance governs 'data users', that is, private and public organizations who take part in the collection, processing and use of personal data. The personal data protected by the Ordinance must be data that relates directly or indirectly to an identifiable living individual. Such a living individual is referred as a 'data subject' in the Ordinance. The full text of the Ordinance can be found or downloaded at the website of the Office of Privacy Commissioner at http://www.pco.org.hk/english/ordinance/ordfull.html. In this section of the unit, we will examine the Ordinance in detail and then discuss the role of the Privacy Commissioner for Personal Data.

The objective of the Ordinance is to protect the privacy rights in respect of the personal data of living individuals in Hong Kong. Therefore, it does not cover the data of corporate bodies. The Ordinance follows international standards of data privacy protection and aims to ensure the free flow of information and personal data to Hong Kong from other countries. Many countries that deal with Hong Kong (particularly those from the European Union) have a high level of data protection. If Hong Kong wants to ensure the free flow of information between itself and these trading partners, it is important for Hong Kong to demonstrate through its legislation that it has the same or equal standards of personal data protection.

The tremendous growth in the number of people using email, has resulted in the Internet being increasingly used as a marketing tool by corporations. One of the most popular forms of e-commerce is using e-mail as a direct marketing tool.

In the past, merchants relied on direct mailing, faxes and telemarketing to conduct targeted marketing campaigns. While these marketing methods are still widely used, email is increasingly being adopted as a marketing medium because it is cheap, fast and potentially has a very wide reach. Unlike direct mailing which requires costly the production of printed materials and postage charges, a massive email marketing campaign can literally be distributed all over the world without any significant cost. Furthermore, the transmission of marketing materials by email only requires bandwidth, which is not charged according to usage volumes. The Internet therefore provides a new, easy and economical platform for direct marketing. If advertisers can also obtain spending and demographic profiles of consumers via cookie-generated profiles and/or via bought customer email lists, the potential for cheap targeted marketing is enormous.

However, Hong Kong's direct e-marketers need to be aware of data protection obligations when they are collecting, recording and using personal data via email. Hong Kong organizations must observe certain legal restrictions on data collection when compiling advertising profiles and mailing lists, and must observe the data protection principles and provisions of the Hong Kong Data Protection Ordinance when they engage in online direct marketing. Consumers also have the right to opt out of marketing that is directed towards them.

It's very likely that every time you check your email account, you will find some unsolicited ‘junk mail’, or promotional or advertising material that has been sent by a business or organization. Unsolicited electronic mail, also called "spam," is both a nuisance to Internet users and a threat to network security. Spam imposes substantial costs on Internet users and providers (especially in terms of time), and users and Internet providers have undertaken a variety of measures to reduce or stop spamming. Later in this unit (when we look at how website owners should comply with data protection laws), we will see that most attempts by users to control spamming have been counterproductive.
To find out more about spam, you can visit the following site:
www.ofta.gov.hk/junk-email/page1.htm

Let's now focus on an issue that is noted in the Yahoo privacy statement, namely the issue relating to children's use of the Internet. In particular, the question of how information is collected from children is worth examining.

Increasingly children are becoming a target for direct marketing over the Internet or television. Please elaborate on/give examples of some specific privacy issues related to kids.

The US is the largest market for electronic commerce and the White House report "A framework for Global Electronic Commerce" (dated 1 July 1997) cites as a particular concern "the use of information gathered from children, who may lack the cognitive ability to recognise and appreciate privacy concerns. Parents should be able to choose whether or not personally identifiable information is collected from or about their children". As a result of a large scale survey of websites, the US Federal Trade Commission in its "Report to Congress on Privacy Online" (dated 4 June 1998) recommended legislation that would place parents in control of the online collection and use of personal data from their children. This legislation requires that when websites collect information from kids they also need to provide notice to the children's parents and obtain parental consent. The aim of the legislation is to ensure that parents know about, and control, the online collection of information from their children.

Clicktrails are information derived from an individual's behaviour, pathway, or choices expressed while visiting a web site. They contain the links that a user has followed and are logged on the web server (the ISP's computer, for those who do not run their web server).

Clicktrails are normally used for troubleshooting and system maintenance purposes. However, clicktrails can also be misused to record profiles of the habits, tastes and online activities of an individual user. Information thereby traced (depending on the type of information) can adversely impinge on a person's privacy by targeting an individual for marketing a product or by fraudulently soliciting business from an individual. Please give some examples of how clicktrails can be used.

For more information about clicktrails, please refer to www.pco.org.hk/english/publications/guide_data_user_10.html

The methods that organizations or businesses use to collect data and the ways that data is used once it is collected and stored have enormous privacy implications. We now discuss some privacy issues related to the collection of data. In particular, we discuss how information collected by cookies and clicktrails may be used in ways that infringe on data privacy rights.

Cookies

Need to add brief intro of what cookies are and why they present privacy concerns, eg direct marketing, profiling and ‘purchase circles’.

To find out more about how cookies work, you can go to http://computer.howstuffworks.com/cookie.htm. The link entitled ‘Cookies basics’ tells you how cookies store information and how to locate the cookies that are stored in your computer.