Octopus will get off scot-free despite data protection violation

Updated: 2010-10-19 07:01

By Guo Jiaxue(HK Edition)


'Undertaking approach corrects things faster than enforcement notice'

The Office of the Privacy Commissioner for Personal Data has ruled that Octopus Rewards Limited contravened three Data Protection Principles when it sold the personal information of its customers for profit, Privacy Commissioner Allan Chiang said on Monday.

Apart from severe damage to its reputation, Octopus will escape sanction: Chiang will not recommend prosecution, and he has no authority to initiate a prosecution on his own.

Octopus mishandled the private data of more than two million of its card holders, leaving them open to unwanted solicitations for services.

The Commissioner found that the company "collected excessive personal data", namely the Hong Kong ID card number (or passport number or birth certificate number) and the month and year of birth, for the purpose of customer authentication, when the same purpose could have been achieved with more widely adopted but less privacy-intrusive contact data, such as telephone numbers and home addresses.

Chiang also stated that the company failed to take all reasonably practicable steps to explicitly inform customers of the classes of persons to whom their data might be transferred. He criticized Octopus Cards for printing its Personal Information Collection Statement in "unreasonably small fonts". Octopus Cards used terms with no reasonable certainty as to their meaning, such as the catch-all phrase "other related purposes". The terms also used the vague description "any person", leaving the company with sole discretion over what personal data were to be transferred and to whom.

In addition, the Commissioner ruled that the company sold personal data to five business partners "without customers' prescribed consent". Selling the data for profit cannot be regarded as the original purpose of collection or a purpose directly related to it, and no such purpose was stated in the Collection Statement. Therefore the customer's signature cannot be taken as consent to the sale of personal data, Chiang ruled.

Chiang noted that although the transactions "in essence were sale of personal data", the current Ordinance does not prohibit such sales.

Although three contraventions were found, Octopus Rewards is facing no punishment.

"There are severe restrictions as to what punitive actions the Commissioner can take ... Contravention of a Data Protection Principle itself is not an offense," said the Commissioner.

No enforcement notice was issued to Octopus. A data user who contravenes an enforcement notice commits an offense and is liable on conviction to a fine of HK$50,000 and imprisonment for two years. Chiang explained that such a notice can be issued only when the contravention is ongoing, or when it is likely that the contravention will continue or be repeated.

Instead, the Commissioner obtained an undertaking from Octopus last Thursday, under which the company will, within two months, delete the excessive data it collected and the data it sold to its partners, and will improve its data collection and use processes as the Commissioner recommended.

He noted that the undertaking approach can correct violations more quickly than issuing an enforcement notice.

Chiang stressed that the Octopus case is not an isolated incident, but that the practice of selling consumer data has already become quite common. The present provisions of the Ordinance are "inadequate to meet nowadays requirements". He also said the Office "lacks substantive power" to prosecute or impose penalties on offenders. "What we can do is really limited," he said.

The Office made 20 recommendations on the collection and use of personal data in direct marketing, and also issued new guidelines for personal data users.

The Commissioner also declared that Octopus Holdings Limited should bear the legal responsibilities for the incident because it wholly owns Octopus Rewards and approved all the activities.

China Daily

(HK Edition 10/19/2010 page1)