Protecting Your Personal Data in Hong Kong

The revelation of the sale of customers’ personal knowledge by Octopus Holding Ltd, the leading electronic payment company in city, to 3rd party business partners for marketing functions has sparked widespread public considerations over major privacy breaches by personal knowledge collectors here.

The considerations have spilled over to money establishments and banks as they conjointly receive and method voluminous quantity of non-public knowledge from their customers by reason of their distinctive roles as lenders, deposit-takers and suppliers of varied money product and services. 

The recent call of the executive board of appeals (the “Board”) in Wing respiratory organ Bank restricted v Privacy Commissioner for private knowledge might give some helpful insights on however banks ought to handle the private knowledge of their customers.

Wing respiratory organ Bank restricted v Privacy Commissioner for private knowledge

In the case, Wing respiratory organ Bank restricted (the “Bank”) and a 3rd party insurance firm (the “Insurance Company”) entered into two selling agreements. consistent to those agreements, bound personal knowledge of the Bank’s mastercard customers were provided to the insurance firm and also the insurance firm then promoted its insurance product to the Bank’s customers over the phonephone. 

The litigator within the case, being one in all the Bank’s individual customers with success applied for a mastercard issued by the Bank. In Gregorian calendar month 2007, she was approached by a workers of the insurance firm through the phonephone and purchased one in all their insurance product basic cognitive process it to be one in all the Bank’s. The litigator later lodged a grievance to the Privacy Commissioner for private knowledge (“PCPD”) against the Bank for transferring her personal knowledge to the insurance firm. The PCPD later on issued Associate in Nursing social control notice to the Bank. 

The Bank appealed to the Board and its application was rejected for the subsequent reasons :- 

The mastercard form (the “Application Form”)

The Bank’s form contained, inter alia, the subsequent provisions :-

4. the needs that knowledge with reference to a client is also used square measure as follows :-
(viii) selling services or product of the cluster and/or chosen firms …;

5. knowledge control by the cluster with reference to a client are unbroken confidential however the cluster might give such info to the subsequent parties for the needs started out in paragraph four :-
(vii) any insurance firm or agent, broker, bourgeois or alternative business partners of the cluster …

The Bank argued that paragraph 5(vii) on top of may mean firms outside the cluster of the Bank. Having browse the terms and conditions within the form and alternative connected documents given to the litigator by the Bank, the litigator ought to moderately expect that her personal knowledge would be transferred to 3rd parties.

The Board rejected the Bank’s argument by initial stating that the little print of the provisions within the form, as well as paragraphs four and five on top of, had the result of discouraging customers from reading its contents. additionally, one cannot expect individual customers to travel from one clause (paragraph 5) to a different (paragraph 4) in such alittle print document to seek out for themselves the way during which their personal knowledge would be forbidden. If the Bank had the intention of providing the private knowledge to a 3rd party, it should clearly state such intention in an exceedingly clear manner and procure the specific consent from its customers.

The Board any opined that “any insurance firm” in paragraph 5(vii) on top of solely cited insurance company among the Bank’s cluster rather than as well as insurance firms outside the cluster as contended by the Bank. The Board so adopted a restrictive interpretation on the terms of the applying type so as to produce bigger privacy protection to customers.

The Credit Cardholder Agreement (the “Agreement”)

The Bank conjointly relied on clause 11(c) of its Agreement, that explicit  that any details of the cardholder might from time to time be used for direct sales and/or promoting product of the Bank, the Bank’s affiliates and/or third parties fastidiously chosen by the Bank.

The Board cited PCPD’s steering on cross-marketing activities as amended in 2009 that counseled that if at the time an organization collected the private knowledge it had no specific cross-marketing activities in mind however later on determined to try and do thus, then before the transfer of such personal knowledge to a different company it should make sure that the employment of the private knowledge is among the first purpose of assortment of the info. the info collector ought to conjointly contemplate informing the relevant customers of its intention and reason of doing thus. Having reviewed the selling agreements between the Bank and also the insurance firm, the Board thought of that the transfer of the complainant’s knowledge to the insurance firm failed to fall among {the original|the initial|the initial} functions that such knowledge was first collected, namely, for the applying of a mastercard issued by the Bank .

The Board any fashioned the read that the Bank has not notified the litigator in regard to its transfer of the complainant’s knowledge to the insurance firm. The receipt of the applying type and also the Agreement by the litigator failed to quantity to her consent to the transfer or sale of her knowledge by the Bank to the insurance firm.


The city financial Authority (“HKMA”) has conjointly issued a circular on the transfer of client knowledge to be used in selling on twelve August 2010. The circular is per the opinion of the Board within the on top of case, e.g. the need of specific consent from customers before transfer or sale of non-public knowledge and also the relevant written agreement provisions be in an exceedingly moderately decipherable size.

The HKMA’s circular and also the adoption of the restrictive approach in decoding knowledge privacy connected written agreement terms can provide bigger protection to customers on banks’ handling of customers’ knowledge. At identical time, banks also are inspired to review their current practices to make sure compliance with the rules issued by the HKMA.