For the first time since the Personal Data (Privacy) Ordinance (“PDPO”) came into force in 1996, an individual has received a jail sentence for a breach of the PDPO. It is expected to be the first of many such custodial sentences.
What is the HK PDPO and what are the Penalties?
The PDPO protects the personal data of living individuals. Any person who controls the collection, processing, storage or use of personal data in Hong Kong is subject to the requirements of the PDPO. A breach of the PDPO or non-compliance with enforcement notices issued by the Privacy Commissioner, may amount to a criminal offence and result in a fine and/or imprisonment – currently a maximum fine of HK$500,000 and up to 3 years imprisonment. Failure to comply with an enforcement notice issued by the Privacy Commissioner, which requires certain remedial or preventative steps to be taken, also constitutes an offence, and is subject to a maximum fine of HK$50,000 and 2 years imprisonment on first conviction (with a daily penalty of HK$1,000 if the offence continues).
This Case and the Offence
In October 2012, an individual lodged a complaint with the Office of the Privacy Commissioner (PC), claiming that an insurance agent had obtained her personal data through unfair means. This agent had originally contacted the complainant whilst he was employed at company A. The insurance agent subsequently moved to company B. He then contacted the complainant again and persuaded her to sign up for a new insurance policy, without disclosing the fact that he had resigned from insurance company A and that the policy would be issued by insurance company B. The complainant claimed that the insurance agent had misled her, and in so doing had obtained her personal data by unfair means.
The PC investigated and subsequently discovered that the responses given by the agent during the course of the investigation were untrue. So the PC found that the insurance agent had committed an offence under Section 50B(1)(b)(i) of the PDPO which makes it a criminal offence for a person to make a statement to the PC, which he knows is false, or to knowingly mislead the PC. Such an offence incurs a maximum fine of HK$10,000 and up to 6 months imprisonment.
On 4 December 2014, the insurance agent was sentenced to 4 weeks imprisonment.
This is the first time a prison sentence has been issued for a breach of the PDPO, and is likely to be only the start of such actions and convictions. It is anticipated that the Hong Kong courts will start to take a more hard-line approach to offenders under the PDPO in 2015 & beyond.
Published January 2015
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.