2011 was a busy year in the realms of privacy and data protection in Greater China.
We saw a consultation on the draft Information Security Technology – Guide of Personal Information Protection circulated by the Ministry of Industry and Information Technology. The draft guide will be non-binding, but it is significant as it demonstrates that the collection and handling of personal data is on the agenda for PRC authorities.
The draft guide may ultimately be viewed as an industry guide for best practice, and may be a precursor to a long-anticipated data protection law in China. In addition to this development, Jiangsu province has become the first province to introduce a generally applicable data protection law. Provisions and penalties were also added to the Law of the People’s Republic of China on Resident Identity Cards to protect data contained on resident identity cards.
We also saw an increase in the number of convictions for the illegal sale and purchase of personal data. Prison sentences – as well as fines in some cases – were imposed for these activities. Some of the cases occurring in the latter part of 2011 are described in more detail in this edition. We expect that this prosecution trend will continue in 2012.
In Hong Kong, the most significant development was the introduction of the bill to amend the Personal Data (Privacy) Ordinance (PDPO) to the Legislative Council last July. The bill represents the outcome of several years of consultation on amendments to the PDPO. Generating the most public interest and debate are provisions on the sale and use of personal data in direct marketing. These provisions create a number of offences with fines of up to HK$1 million (US$130,000). It is anticipated that the bill will be passed this year.
Privacy Commissioner active
The Privacy Commissioner also issued a consultation on the introduction of the Data Users Return Scheme (DURS), which would see data users in certain industries, or those that hold large quantities of personal data, being required to provide certain information to the Privacy Commissioner about their data collection and handling policies and procedures.
On the investigation and enforcement front, the Office of the Privacy Commissioner for Personal Data, Hong Kong has also been active.
Some of the more significant actions taken by the office in 2011 were:
- fines for breach of section 34 of the PDPO issued against a membership sales company, a property agency, a real estate agent (the first conviction against an individual employee) and a bank. Each case arose out of a complaint by a data subject who had continued to receive direct marketing material despite repeated requests for the direct marketing activities to cease
- releasing reports on investigations into the sale of personal data to third parties by five banks
- focusing on other activities of banks, including appropriate periods for retention of personal data; data collection practices, including clearer terms and limiting the types of data collected; and compliance with opt-out requests with respect to direct marketing
Looking further into 2012, we expect action from the Privacy Commissioner to continue.
In the first week of January, the commissioner released two important guidance notes in relation to collecting data on the Internet and data retention and erasure.
We expect that the Privacy Commissioner will continue to step up his monitoring of the activities of businesses that handle high volumes of personal data, particularly with regard to direct marketing, sale of data, data collection practices and data erasure and retention practices.
We recommend that any organisation that is handling personal data should review its internal policies and practices in these areas to ensure that they are in line with the Privacy Commissioner’s latest guidance and findings.