At Legal Week's Corporate Counsel Forum Hong Kong, a panel of senior in-house lawyers explained how they are responding to Hong Kong's tough new data protection laws. Elizabeth Broomhall reports

It would be an understatement to say that recent changes to Hong Kong's data privacy rules were a wake-up call for companies doing business in the region.

The strict new Personal Data Privacy Ordinance (PDPO), which came into force on 1 April, has banned companies from using personal data in direct marketing without getting consent from the people being targeted. This threatens to curtail businesses' advertising campaigns and flood IT departments with opt-out requests.

The authorities decided to act after it emerged in 2010 that the company operating Hong Kong's 'Octopus' cards – used for travel on its underground train system – had sold personal data to other businesses.

At the time the revelations sparked protests and international outrage, making them particularly damaging for MTR (Mass Transit Railway) Corporation, the Hong Kong subway network and Octopus' controlling shareholder.

In-house legal teams in Hong Kong have been among those most affected by the new legislation because of the difficulty of preparing their businesses for such a radical shift.

From now on companies will have to continuously obtain consent for direct marketing, both from new customers and from old customers to whom new products or services are marketed, thus adding to the pressure on legal staff.

A group of in-house lawyers experienced in the subject recently gathered at Legal Week's second annual Corporate Counsel Forum in Hong Kong to provide some welcome tips.

Preparing the ground

Gill Meller, legal director and secretary at MTR, who kicked off the discussion, said: "As the new regulation comes in the expectation from the public is also increasing, so it's no longer acceptable for big companies just to comply with the law, they're expected to achieve a higher standard of 'doing the right thing'. 

"I think companies often turn to their general counsel to try to really understand what that means and it's not always easy, so GCs have an important role to play."

She asked panellist Alison Ko, GC for Hong Kong mobile phone operator CSL, how she made sure her company was ready.

"Getting the team prepared was not easy, especially in a telecoms business where we have a lot of customer information. We need to be very transparent about how we use it and what the purpose is," Ko said.

"From the legal side, we started by reviewing all the customer contracts, terms and conditions. And by getting all the business units to discuss with us how they process the information and why they collect it, we can understand how they use it. It takes a bit of time to get this."

Another difficulty has been dealing with the non-legal priorities of her company's commercial teams, she added, which are focused ultimately on making money and developing the business. There were also the myriad reasons given for using customer data across departments such as retail and marketing.

"To get a compromise in legal we need to make a judgement on what is really necessary," said Ko. "Each department will want something different for their own team for their own benefits."

The panellists stressed that data processing was another important consideration. As a result, companies should review all commercial contracts to make sure they have liability clauses to protect their interests.

Separately, marketing scripts and interaction with customers are important, Ko said. In CSL's case, the company needed to think hard about its frontline response to requests and management of information and to make sure everyone was in agreement. 

"We want customers to have a good customer experience. So even the back-end support team need to know what they can and can't do. There was a lot of training involved tailored for specific departments."

In-house impact

Moving over to panellist Chris Cheng, senior group legal adviser for HKT, another telecoms provider, Meller asked about the implications of the changes for the in-house community.

"The legal team play a crucial role in guarding the business people," he said. "They need to analyse the consequences and importance associated with compliance. They can share an in-depth analysis with the businesspeople and guide them on the real meaning of the provisions. They may not be as complicated or harsh as they seem at first. 

"At the end of last year, I started preparing for the change and conducting sessions for our business people. It is important because, if you don't do it, you will lose a lot of opportunities in direct marketing activities."

Cheng went on to explain that GCs also needed to consider how to draft a good notification, one that is effective in informing customers about their rights, and to get IT departments prepared for a possible surge in opt-out requests regarding data usage.

"If you mail out 100 letters talking about the marketing activities that your company will continue to be conducting, you would expect 10%-20% of them to come back and say they don't want you to do it. So that could put a lot of pressure on the IT people. 

"You need a system that can cope with this flood of opt-out requests. We also shouldn't forget the UEMO [Unsolicited Electronic Messages Ordinance], which prescribes a rigid time limit for companies to process opt-out requests. Generally it has to be done in 10 days."

Another thing to note, he said, was that the regulations imposed a burden of proof on data users: "A legal counsel should be able to advise the company in time about the importance of preserving evidence of what you have sent out, when and to whom, and also a record of requests. You have to retain all of this and that's why you need to co-operate with the IT people."

Dealing with an investigation

Should in-house counsel find themselves investigated by Hong Kong's privacy commissioner, Meller and Cheng were also able to offer some potentially useful advice. Cheng said it was critical for GCs to stay on top of changes to the law and the Government's approach to data privacy by regularly checking the commissioner's web page and case decisions.

He said the typical approach of the commissioner's office when they start an investigation is to ask for a lot of information, but companies should be cautious about how much they reveal as this could prejudice their defence at a later stage.

"All it takes is a complaint from one individual to the privacy commissioner for them to kick off an investigation," added Meller. "Handling these investigations is enormously important because otherwise they can stifle the way your business is run as you find that the entire management team is focused on the investigation and not on day-to-day business operations."

The discussion ended with a case study of the commissioner's inspection of MTR's new CCTV systems on trains and those already in stations. The commissioner inspected everything from notices in stations and trains, to the way in which the company handled the recordings, as well as the manuals and guidance that were in place for the staff. 

The investigation lasted from June 2012 until this February, during which time the commissioner visited MTR's premises, reviewed all of their internal documentation and interviewed a number of staff – including those on the regulatory side involved in putting together the guidance and manuals and the frontline operational staff involved in dealing with the recordings. 

"Having been through the Octopus experience we managed to get the legal team involved right from the start," said Meller. "They were involved in responding to questions, and we had people present at inspections and during interviews with staff, so we felt like we were managing the entire process.

"The report following our inspection came out in April, and we were quite pleased. They found a few things to comment on: changes to the notices in stations and changes to the way we handle recordings. But they also made two bold statements: one was that we were justified in using CCTV for security and safety reasons; and the second was that our use of CCTV was compliant with the ordinance."

Meller also recommended that companies do a privacy assessment first if they are looking at using new technology that could somehow retain or record personal data, even if it is just existing technology being used in a different way.

"Since the ordinance has changed, they seem to be really driving this. It's something to bear in mind. Doing a privacy impact assessment is a good way of showing that you've tried to take into account the impact of the new technology on personal data."

The inaugural Legal Week Corporate Counsel Forum Singapore will take place in October.