Personal Data (Privacy) (Amendment) Ordinance 2012

Amendments to the Personal Data (Privacy) Ordinance include:

Direct Marketing [effective date to be announced (tentatively 1 April 2013)]

• A data user is required to take specified action before using personal data in direct marketing.
• There is grandfathering arrangement for pre-existing personal data used for the same class of marketing subjects before the commencement of the new provisions.
• Data user must not use or provide personal data to others for use in direct marketing without data subject’s consent or indication of no objection.
• Data user must notify data subject when using personal data in direct marketing for first time.
• Data subject may require data user to cease to use or provide personal data to others for use in direct marketing.
• The offering or advertising of social or health care services by certain service providers to a data subject is exempt from the new requirements unless the data subject’s personal data is provided to another person for use in direct marketing for gain.
• Contraventions of the requirements under the new regulatory regime are offences. For those contraventions involving the provision of personal data for gain, the maximum penalty is a fine of $1,000,000 and imprisonment for 5 years.