Hong Kong - Direct Liability of data processors for marketing activities
Published 25 April 2016
Following two recent cases in Hong Kong, it now appears that organisations carrying out marketing activities on another organisation's behalf will be liable under the Hong Kong Personal Data (Privacy) Ordinance ("PDPO") for mishandling of personal data.
Generally, as under current UK legislation, data processors such as outsourced marketing companies have no direct obligations under the PDPO, and the data controller is liable for their data processors' compliance.
However, this position now seems less clear. A recent case against an insurance agent resulted in a community sentence order for breach of direct marketing rules, despite the agent acting on behalf of an insurer, and another case against an outsourced marketing company resulted in a fine for breach of the direct marketing provisions when conducting marketing on behalf of a hotel.
In both cases, despite the prosecuted parties acting on behalf of other organisations (their data controllers), no action was taken against the data controllers. These cases would therefore appear to place direct liability on the insurance agent and the marketing company.
The rationale for this appears to be an extension of which organisations will be deemed a 'data user' under the PDPO, a term which denotes control of and responsibility for the data. In these arrangements the court appears to have taken the view that undertaking marketing activities requires a marketing company or agent to have a degree of control sufficient to bring them under the title 'data user'. This approach is also in line with the position under the new EU General Data Protection Regulation, under which European data processors will have direct obligations for the first time.
It is not yet clear whether these decisions will have a broader effect, with outsourced service providers in other contexts also becoming directly liable for data protection compliance. However, an organisation that makes use of third parties for its marketing activities should be aware of this new liability, from which such third parties may wish to seek protection. Likewise, an organisation that acts as an agent and carries out marketing activities on another organisation's behalf should be aware that it may now have direct liability under the PDPO in relation to those activities.
Organisations should also continue to monitor developments in this area to see if this new position is extended to outsourced service providers in other contexts.
A press release about the insurance agent case can be accessed here.
A press release about the marketing company case can be accessed here.