An insurance agent in Hong Kong has been convicted of violating the territory’s personal data privacy ordinance for using the personal data of an individual for direct marketing without her consent.
The unnamed defendant pleaded guilty to violating sections 35C and 35F of the ordinance, and was fined a total of HK$8,000 for both counts.
According to a statement by Hong Kong’s Privacy Commissioner for Personal Data (PCPD), it received a complaint in May 2017 from an individual who received a WhatsApp message on her mobile number, addressing her by her surname, from the defendant, who was promoting a saving plan for the insurance company that they worked for. The complainant said that she did not know the defendant, and questioned how he obtained her surname and telephone number, to which the defendant failed to provide a satisfactory reply. The complainant then approached the PCPD, who forwarded the case to the police for a criminal investigation.
The ordinance’s section 35C requires data users (both individuals and organisations) to obtain an individual’s consent before using their personal data in direct marketing or transferring their data to a third party for direct marketing. Meanwhile, section 35F states that the data user must also, when using the data subject’s personal information in direct marketing for the first time, inform the subject of his or her right to request the data use be ceased.
“With all the different ways of direct marketing available nowadays, the ordinance provides clear guidance for data users to conduct direct marketing properly for effectively promoting businesses,” said Privacy Commissioner Stephen Kai-yi Wong. “Data users should also adopt the three data ethics values (i.e. respectful, beneficial and fair) in using customers’ data so as to meet their expectations alongside the requirements of laws and regulations.”