Handle with care – Hong Kong's new data protection laws in the spotlight
It would be an understatement to say that recent changes to Hong Kong's data privacy rules were a wake-up call for companies doing business in the region. The strict new Personal Data Privacy Ordinance (PDPO), which came into force on 1 April, has banned companies from using personal data in direct marketing without getting consent from the people being targeted. This threatens to curtail businesses' advertising campaigns and flood IT departments with opt-out requests.
July 18, 2013 at 07:04 PM
8 minute read
At Legal Week's Corporate Counsel Forum Hong Kong, a panel of senior in-house lawyers explained how they are responding to Hong Kong's tough new data protection laws. Elizabeth Broomhall reports
It would be an understatement to say that recent changes to Hong Kong's data privacy rules were a wake-up call for companies doing business in the region.
The strict new Personal Data Privacy Ordinance (PDPO), which came into force on 1 April, has banned companies from using personal data in direct marketing without getting consent from the people being targeted. This threatens to curtail businesses' advertising campaigns and flood IT departments with opt-out requests.
The authorities decided to act after it emerged in 2010 that the company operating Hong Kong's 'Octopus' cards – used for travel on its underground train system – had sold personal data to other businesses.
At the time the revelations sparked protests and international outrage, making them particularly damaging for MTR (Mass Transit Railway) Corporation, the Hong Kong subway network and Octopus' controlling shareholder.
In-house legal teams in Hong Kong have been among those most affected by the new legislation because of the difficulty of preparing their businesses for such a radical shift.
From now on companies will have to continuously obtain consent for direct marketing, both when it comes to new customers and old customers to whom new products or services are marketed, thus adding to the pressure on legal staff.
A group of in-house lawyers experienced in the subject recently gathered at Legal Week's second annual Corporate Counsel Forum in Hong Kong to provide some welcome tips.
Preparing the ground
Gill Meller, legal director and secretary at MTR, who kicked off the discussion, said: "As the new regulation comes in the expectation from the public is also increasing, so it's no longer acceptable for big companies just to comply with the law, they're expected to achieve a higher standard of 'doing the right thing'.
"I think companies often turn to their general counsel to try to really understand what that means and it's not always easy, so GCs have an important role to play."
She asked panellist Alison Ko (pictured, centre), GC for Hong Kong mobile phone operator CSL, how she made sure her company was ready.
"Getting the team prepared was not easy, especially in a telecoms business where we have a lot of customer information. We need to be very transparent about how we use it and what the purpose is," Ko said.
"From the legal side, we started by reviewing all the customer contracts, terms and conditions. And by getting all the business units to discuss with us how they process the information and why they collect it, we can understand how they use it. It takes a bit of time to get this."
Another difficulty has been dealing with the non-legal priorities of her company's commercial teams, she added, which are focused ultimately on making money and developing the business. And there was also the myriad reasons given for using customer data across departments such as retail and marketing.
"To get a compromise in legal we need to make a judgement on what is really necessary," said Ko. "Each department will want something different for their own team for their own benefits."
The panellists stressed that data processing was another important consideration. As a result, companies should review all commercial contracts to make sure they have liability clauses to protect their interests.
Separately, marketing scripts and interaction with customers are important, Ko said. In CSL's case, the company needed to think hard about its frontline response to requests and management of information and to make sure everyone was in agreement.
"We want customers to have a good customer experience. So even the back-end support team need to know what they can and can't do. There was a lot of training involved tailored for specific departments."
In-house impact
Moving over to panellist Chris Cheng, senior group legal adviser for HKT, another telecoms provider, Meller asked about the implications of the changes for the in-house community.
"The legal team play a crucial role in guarding the business people," he said. "They need to analyse the consequences and importance associated with compliance. They can share an in-depth analysis with the businesspeople and guide them on the real meaning of the provisions. They may not be as complicated or harsh as they seem at first.
"At the end of last year, I started preparing for the change and conducting sessions for our business people. It is important because, if you don't do it, you will lose a lot of opportunities in direct marketing activities."
Cheng went on to explain how GCs also needed to consider the draft of a good notification, to be effective in informing customers about their rights, as well as getting IT departments prepared for a possible surge in opt-out requests regarding data usage.
"If you mail out 100 letters talking about the marketing activities that your company will continue to be conducting, you would expect 10%-20% of them to come back and say they don't want you to do it. So that could put a lot of pressure on the IT people.
"You need a system that can cope with this flood of opt-out requests. We also shouldn't forget the UEMO [Unsolicited Electronic Messages Ordinance], which prescribes a rigid time limit for companies to process opt-out requests. Generally it has to be done in 10 days."
Another thing to note, he said, was that the regulations imposed a burden of proof on data users: "A legal counsel should be able to advise the company in time about the importance of preserving evidence of what you have sent out, when and to whom, and also a record of requests. You have to retain all of this and that's why you need to co-operate with the IT people."
Dealing with an investigation
Should in-house counsel find themselves investigated by Hong Kong's privacy commissioner, Meller and Cheng were also able to offer some potentially useful advice. Cheng said it was critical for GCs to stay on top of changes to the law and the Government's approach to data privacy by regularly checking the commissioner's web page and case decisions.
He said the typical approach of the commissioner's office when they start an investigation is to ask for a lot of information, but companies should be cautious about how much they reveal as this could prejudice their defence at a later stage.
"All it takes is a complaint from one individual to the privacy commissioner for them to kick off an investigation," added Meller. "Handling these investigations is enormously important because otherwise they can stifle the way your business is run as you find that the entire management team is focused on the investigation and not on day-to-day business operations."
The discussion ended with a case study of the commissioner's inspection of MTR's new CCTV systems on trains and those already in stations. The commissioner inspected everything from notices in stations and trains, to the way in which the company handled the recordings, as well as the manuals and guidance that were in place for the staff.
The investigation lasted from June 2012 until this February, during which time the commissioner visited MTR's premises, reviewed all of their internal documentation and interviewed a number of staff – including those on the regulatory side involved in putting together the guidance and manuals and the frontline operational staff involved in dealing with the recordings.
"Having been through the Octopus experience we managed to get the legal team involved right from the start," said Meller. "They were involved in responding to questions, and we had people present at inspections and during interviews with staff, so we felt like we were managing the entire process.
"The report following our inspection came out in April, and we were quite pleased. They found a few things to comment on: changes to the notices in stations and changes to the way we handle recordings. But they also made two bold statements: one was that we were justified in using CCTV for security and safety reasons; and the second was that our use of CCTV was compliant with the ordinance."
Meller also recommended that companies do a privacy assessment first if they are looking at using new technology that could somehow retain or record personal data, even if it is just existing technology being used in a different way.
"Since the ordinance has changed, they seem to be really driving this. It's something to bear in mind. Doing a privacy impact assessment is a good way of showing that you've tried to take into account the impact of the new technology on personal data."
The inaugural Legal Week Corporate Counsel Forum Singapore will take place in October. For more details about the event, email [email protected]
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'Almost Impossible'?: Squire Challenge to Sanctions Spotlights Difficulty of Getting Off Administration's List
4 minute read'Never Been More Dynamic': US Law Firm Leaders Reflect on 2024 and Expectations Next Year
7 minute readTrending Stories
- 1'Largest Retail Data Breach in History'? Hot Topic and Affiliated Brands Sued for Alleged Failure to Prevent Data Breach Linked to Snowflake Software
- 2Former President of New York State Bar, and the New York Bar Foundation, Dies As He Entered 70th Year as Attorney
- 3Legal Advocates in Uproar Upon Release of Footage Showing CO's Beat Black Inmate Before His Death
- 4Longtime Baker & Hostetler Partner, Former White House Counsel David Rivkin Dies at 68
- 5Court System Seeks Public Comment on E-Filing for Annual Report
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250