HK Broadband was found guilty of failing to comply when asked to stop using a customer's personal data, the Office of the Privacy Commissioner for Personal Data (PCPD) said.
The customer complained to the PCPD in May 2013. He had requested to opt out of direct marketing by email and by mail in April of that year, and received confirmation in writing from HK Broadband. However, a member of HK Broadband staff then left a voicemail on the customer's phone in May, telling him that his contract had been terminated and promoting the company's services.
Under the direct marketing regulations, which took effect in April 2013, a service provider must comply, at no charge, with a request to cease using a customer's data in direct marketing, and must add the customer to an 'opt-out list'.
This is the first conviction since the penalty level of the offence was raised from HK$10,000 to HK$500,000, plus three years' imprisonment, under the new direct marketing regulatory regime.
Hong Kong-based data privacy expert Peter Bullock of Pinsent Masons, the law firm behind Out-Law.com, said: "It would have been unheard of for a company with a scintilla of risk management capability to become criminally liable under the Hong Kong data protection regime as it stood before the 2012 Amendments. To do so, the company would have had to have demonstrated that it was unlikely to take heed of an enforcement notice, which is an initial compliance step issued by the Commissioner, and then subsequently ignored any enforcement notice which was issued."
"The facts of Hong Kong Broadband Network’s case do not appear to be aggravated, in that the marketing was a message given alongside a legitimate service message, yet the authorities still thought fit to prosecute. For those administering ‘opt out’ lists, this is likely to be a major headache," Bullock said.
Hong Kong privacy commissioner for personal data Stephen Wong said: "These are the results of the concerted efforts of PCPD, the police and department of justice. I believe that this successful conviction will convey a strong message to organisations engaging in direct marketing activities that requests from the consumers must be complied with and the use of consumers' personal data be respected. Hopefully, the conviction and the penalty imposed will serve as a deterrent and strengthen the culture of respecting personal data privacy."
"Organisations should update the opt-out list regularly and ensure that their standing procedures for their staff to follow are followed. I appeal to all organisations engaged in direct marketing activities, large or small, to comply with the legal requirements and refrain from taking risks of non-compliance," he said.
Hong Kong's privacy commissioner, Allan Chiang, recently said senior business executives have a role to play in promoting data privacy in their organisations. He encouraged companies to develop privacy management programmes to improve internal accountability for data privacy.