Apr 19 Legal Update
Top stories
(i) Privacy Commissioner compliance check: shopping mall memberships + online promotions
(Click: full report; press release)
In 2018, the Commissioner visited 100 shopping malls (including at least 2 malls from each of HK’s 18 districts), and reviewed 300 webpages requesting personal data in exchange for benefits. Such online promotion activities are most prevalent in beauty, education, and health products/services.
It then conducted compliance checks against 52 shopping mall membership programmes, and 19 online promotion operators.
The Commissioner accepts the collection of members’ contact information for identification and communication purposes. However, 60% of such mall programmes adopted a “the more the merrier” approach in collecting personal data. These include sensitive personal data (e.g. ID card number, birthday), personal and family status (e.g. family income, marital status). This is contrary to the “no-excessive data collection principle” under the Personal Data (Privacy) Ordinance (the “Ordinance”).
What you should know/do:
- Check your programmes against key findings summarized below
- Background (Data Protection Principle 1 of the Ordinance) (para 27, P. 12 of the report)
— (Including) data is adequate but not excessive
— Focus of this report
- Excessive collection of HKID Card/ passport number (sub-para (A), P.15 of the report)
— Very sensitive personal information
— “Code of Practice on the Identity Card Number and Other Personal Identifiers” referred (para 28, P. 14 of the report)
— For “identification” purposes? Should use a combination of less privacy-intrusive personal data (e.g. name, other basic contact information)
— For free trial services/samples? value not justifiable for collecting such sensitive information
- Excessive collection of birthday information (sub-para (B), P. 16 of the report)
— Should prudently consider collecting full birthday information (i.e. day, month and year of birth date)
— Whether compulsory or optional
— E.g. for birthday benefits? Only need to collect birthday “month” information
- Compulsory collection of other information (sub-para (C), P. 18 of the report)
— Personal and family status (e.g. education level, occupation, monthly income, areas of residence, ages and number of children)
— Not for membership benefits; but for market analyses
— Should offer option not to provide
- Unfair collection (“bundled consent”) (sub-para (D), P. 18 of the report)
- Good practices (para 33, P. 20 of the report)
— “Minimum collection of personal data”
— “Data deletion rights”
— “Meaningful choices given” (no “bundled consent” for various malls)
(ii) The Market Misconduct Tribunal (MMT) found Fujikon Holdings Limited, its chairman and CEO, CFO and Company Secretary had failed to make timely disclosure of inside information. (Click: press release)
It ordered the Company, Chairman and CEO, CFO and Company Secretary to pay fines of $1m, $300k and $200k, respectively, after they admitted liability. There was a delay for 7 weeks, in disclosing inside information on the discontinuance of production for one of the company’s top customers (comprising 10-15% of total revenue for the immediate past 2 years (2013-4)) (Click: reported in our Apr 18 legal update, when SFC commenced proceedings)
Also in this issue
Competition Commission published a new “cooperation policy” relating to cartels. (Click: press release, full policy)
Cartels are an enforcement priority of the Commissioner. The new cooperation policy expands the Commission’s leniency program in two ways, thereby providing a framework with clear incentives for companies to co-operate.
What you should watch out for:
- Firstly, benefits of the existing leniency program can only accrue to a single company involved in a cartel
— The cooperation policy is available to subsequent applicants as well
- Secondly, new concept of “Leniency Plus”
— A company being investigated in a cartel action can submit evidence of a new, separate cartel; and get credit for its cooperation in relation to both the “old” and “new” cartels
- More details also given in the new policy, including the range of discounted penalty, and factors to be considered