Image of hammer and gavel against backrop of soccer ball and red and yellow cards representing data protection
Data Protection - A Tale of Two Cities

Data Protection – A Tale of Two Cities

Amidst a global push towards personal data protection there seems to have been an element of complacency by companies when it comes to the ability of data protection commissions to enforce the rulings, regulations and legislation around the issue. That complacency is now being tested with a slew of judgements against organisations that have stepped over the boundaries.

Singapore and Hong Kong take the lead

Southeast Asian companies will have to start taking data protection a lot more seriously if the examples of Singapore and Hong Kong are any indication of an enforcement trend.

Singapore’s Personal Data Protection Commission (PDPC) served notice on a number of companies during April 2016 for transgressing the rules and regulations set out in the Personal Data Protection Act (PDPA). The actions taken by the PDPC included direct warnings to 11 organisations, four of which were also faced with financial penalties.

Hitting companies where it hurts

The fines were no slap on the wrist. Karaoke chain, K Box Entertainment Group faces a financial penalty of S$50,000 (US$36,500). The Group was found guilty of not adequately protecting the personal data of 37,000 members after hackers accessed member details including contact numbers, email addresses, NRIC numbers and dates of birth from the Groups public site.

In a telling indictment of the ‘lasses faire’ attitude that has until recently characterised the approach of private enterprise to data protection issues, the data protection commission said that the fact that the Group had not appointed a data protection officer was a contributing factor to the breach.

We have spoken about compliance on a number of occasions in this newsletter and the details of K Box’s approach to security show a company that is guilty of not employing the most rudimentary of security protocols and procedures. The data protection commission noted that K Box did not update patches to ensure that its security was ‘sufficiently robust’ and that it also had weak control of access to personal data.

In a related move that will have vendors worried, a S$10,000 (US$7,300) fine was levied against the vendor in charge of K Box’s content management system – Finantech Holdings for ‘failing to implement proper and adequate protective measures for the personal data in the system’. In a flagrant example of either laziness or a simple ignorance of the dangers posed by hackers, the PDPC added that K Box’s IT systems were extremely vulnerable due to the password for the administrator account being set as ‘admin’.

The example of K Box should provide companies with all the motivation in the world to appoint a data protection officer – as is required by Singapore’s PDPA. It is likely that the executives in charge of these companies would have claimed ignorance about just how lackadaisical the organisation’s approach to security was, a situation that would have been avoided with the appointment of a professional to implement and manage suitable security measures.

Unfortunately for K Box and other companies who have faced sanction, the legal principle of Ignorantia juris non excusat – “ignorance of the law excuses not” is increasingly going to be applied by organisations such as the PDPC which police personal data protection issues. The principle holding that a person (or in this case organisation) is unaware of a law is not any excuse. Those organisations will not escape liability for violating that law merely because it was unaware of its content. No matter what the jurisdiction we believe that this approach is completely justified.

Hong Kong data protection commission gets proactive

The Hong Kong Privacy Commissioner has recently shared some insights into the state of privacy in the Special Administrative Region and the activities of the Office of the Privacy Commissioner for Personal Data (PCPD). Businesses were instructed to take heed of the announcement – another sign that the patience of Hong Kong authorities is running short when it comes to those organisations which have been slow to transform the way in which they treat personal data.

Hong Kong gets tough on direct marketing

The message seems to be filtering down to the man in the street – 2015 saw a spike in the number of privacy complaints to the data protection commission in terms of the Personal Data (Privacy) Ordinance (“PDPO”). The majority of these complaints were against companies active in the marketing, financial sector, then property management companies and organisations active in Telecoms. Given the focus of Hong Kong business in these sectors, this is hardly surprising. What may have taken Hong Kong businesses by surprise is the willingness of the PCPD to issue stern warnings, enforcement notices and even refer cases to the Hong Kong Police. The PCPD is now pulling no punches in enforcing the region’s Personal Data (Privacy) Ordinance (“PDPO”).

Three cases around the issue of direct marketing in Hong Kong have received a lot of attention. The first is where an insurance agent, knowing that an insurance company had suspended services provided to an individual, sent a letter to the individual that promoted the services of another insurance company. That individual filed a complaint with the data protection commission, claiming that the insurance agent had used personal data for direct marketing purposes in contravention of the PDPO and a criminal investigation followed.

The insurance agent was charged and convicted of two offences under the PDPO: using personal data in direct marketing without taking actions required by law and obtaining consent (contrary to section 35C of the PDPO), and failing to inform the individual of his right to opt-out of direct marketing without charge (contrary to section 35F of the PDPO).

The Court imposed a Community Service Order of 80 hours on the insurance agent.

In another high profile case a marketing company after receiving an opt-out request from an individual regarding messages from a hotel promoting its membership and services, continued to call the individual. This person then complained to the PCPD, which referred the complaint to the police for criminal investigation.

The marketing company admitted that it had received the individual’s opt-out request, but it then failed to distribute an updated opt-out list to its staff in a timely manner, resulting in further marketing calls being made to the individual.

The marketing company was charged and convicted of two offences under the PDPO: using personal data in direct marketing without taking actions required by law and obtaining consent (contrary to section 35C of the PDPO), and continuing to use the individual’s personal data in direct marketing after he opted-out (contrary to section 35G of the PDPO). The organisation was fined HK$16,000 (around US$2,100).

The third case that has been in the headlines concerns a portfolio manager at a Hong Kong bank who was registered under the Securities and Futures Ordinance to carry on Type 1 & Type 4 regulated activities. This individual sent information regarding over 1,500 customers to his personal email address on his last day of work. After starting a job at another bank, the portfolio manager sent the customers’ data to his new work email address. Upon discovery, the new employer deleted the emails with the customers’ data and terminated the portfolio manager’s employment.

The case was referred to the SFC by the Hong Kong Monetary Authority (“HKMA”). The SFC found that the portfolio manager had breached the Code of Conduct for Persons Licensed by or Registered with the SFC and the PDPO by transferring the customer data for purposes other than that for which the data was collected.

The result is that the portfolio manager was banned from re-entering the industry for twelve months. No action has been taken against the bank from which the emails were sent.

The direct marketing cases marked the fifth and sixth direct marketing convictions handed down by the Hong Kong Courts since September 2015. Like the previous four convictions, both cases arose out of a single complaint by a data subject to the PCPD. The growing sensitivity of the public to data protection and the decrease in their tolerance for unwanted marketing indicates a higher risk of complaint and subsequent action.

Website security under the spotlight in Hong Kong

In yet another case the personal data of up to 3.3 million members of SanrioTown website were publicly accessible due to security vulnerabilities and the disclosure of the data of 5 million parents and over 6.6 million related children’s profiles worldwide was snatched from the website of VTech.

In Singapore, companies need to keep in mind that the PDPA does not specify the situations in which a minor (that is, an individual who is less than 21 years of age) may give consent for the purposes of the PDPA. In general, whether a minor can give such consent would depend on other legislation and the common law. This would also seem to the case in Hong Kong. This stipulation makes it even more important for companies to maintain vigilance as regards both the gathering and protection of this sort of data.

Some countries have passed legislation to specifically protect minors below a certain age. For example, in the United States, the ‘Children’s Online Privacy Protection Act’ (“COPPA”) requires organisations to obtain verifiable parental consent to collect personal data from children under 13 years of age.

European influence

The data protection commission in Hong Kong are intensely focused on the possible impact of the new General Data Protection Regulation introduced by the European Commission and current best international data privacy practices. The new EU framework will introduce a significant change to data privacy practices in the EU, especially in relation to digital data. Tellingly this focus is on the responsibility of organisations to designate a responsible person to oversee the organisation’s compliance with the PDPO, which is not a mandatory requirement but is similar to the role of a data protection officer in other jurisdictions.

2015 Saw a number of (non-binding) best practice guidance notes issued by the Hong Kong PCPD. These promote higher standards of data privacy practice than those prescribed in the PDPO, and these indications suggest this trend may continue in 2016.

Data protection commission shows teeth

The last word on the matter of company compliance and preparedness should be left to Singapore’s PDPC Chairman Leong Keng Thai. Mr. Leong commented that the data protection commission recognised the pivotal role that data plays in today’s information driven global economy. “We recognise that data, including personal data, is essential to innovation in today’s economy. So what we’re saying is, use the information for business competitiveness, but use it responsibly, and take appropriate measures to protect personal data information.”

The latest penalties levied against companies in both Hong Kong and Singapore indicate that enforcement authorities are now prepared to bare their teeth in an effort to ensure appropriate levels of compliance. The grace period for companies is now well and truly over – the data protection commission is watching with an eagle eye and it is now becoming obvious that any transgressions as far as personal data protection is concerned will be treated extremely harshly.