In Hong Kong, the fallout from the Octopus data privacy scandal continued to linger through the end of 2010, as the Office of the Privacy Commissioner released its report on the incident as well as a set of proposals for amendments to the Personal Data (Privacy) Ordinance. This was followed shortly thereafter by a government report on the extensive public consultation on the review of the Personal Data (Privacy) Ordinance, or PDPO.
While the Privacy Commissioner’s report neither shed any new light on the incident, nor actually called out any specific breach of the ordinance by Octopus (apart from a perhaps excessive collection of data), the government report on the other hand, at almost 200 pages long, proved a interesting reading. Covering both proposals for the ordinance that will be taken forward for further review as well as those that will not, it provided members of the Hong Kong Legislative Council (Legco) with some great ammunition for the lengthy debates that took place in public and behind closed doors through November and December. And there are clearly many views from the various political parties and from those members that occupy the functional constituency seats (like insurance for example) that could be impacted by any proposed changes.
Outside of Legco, it is clear that Allan Chiang, the recently appointed privacy commissioner for Personal Data, is on a mission to shake off the lame-duck image that his office has carried for many years, and is in favour of more draconian legislation with a push to 100 percent opt-in for data collection and elevated criminal and prosecutorial powers for his office. It must be said that it is admirable that someone has at last taken on the post with a strong vision and conviction; however his agenda seems to be driven by political desire rather than a true interest in making our already world-class ordinance work as it was intended – by not only protecting the right of the consumer to choose, but also protecting the rights of businesses to prosper in the free economic environment that Hong Kong is so proud of.
I am a firm believer that legislation is most definitely an important part of the overall solution to protecting personal data and consumer privacy; however it is not the entire solution. Those marketers that are belligerent in their abuse of the rights of consumers will continue to be so with or without more stringent regulations in place, and so enforcement of the existing legislation is just as important as looking to expand relevant legislation.
The existing ordinance that was drafted back in 1996 through consultation with industry associations, coupled with an adherence to globally accepted best practices around data privacy and, most importantly, a wide-reaching consumer education programme, is the best solution for not only protecting the consumers’ right to choose, but also providing businesses, particularly in the SME sector, the right to do business in Hong Kong.
However, having sat through a number of Legco sessions where the pros and cons of opt-in vs. opt-out and increased legislation were debated, it is my own personal view that the one item that has been left off of the table is that of responsibility – who is ultimately responsible for data privacy?
As a board member of both the Hong Kong Direct Marketing Association and the Asia Digital Marketing Association I see clients and service providers everyday going above and beyond the letter of the law to ensure that the rights of the consumer are protected and that any activities that fall under the scope of the Personal Data (Privacy) Ordinance or the Unsolicited Electronic Message Ordinance are fully compliant. It is what legitimate businesses and marketers that care about customer relationships actually do. If they did not, their businesses would suffer.
However, what I don’t see are consumers taking the same level of care and attention when they are signing up to reward programmes in super markets and department stores, or for credit cards along the elevated walkways of Central. Show them a free gift, or the prospect of cash back coupons for Park n’ Shop or Wellcome and your everyday Hong Kong consumers will give you all the personal and financial data you want on themselves and their nearest and dearest and sign on the dotted line without a second look at the terms and conditions that accompany their signatures.
For the most part, the organisations that they enter into these agreements with are legitimate businesses, and there are no issues. They are relationships built around notice, transparency, and choice, with the consumer always enjoying the right to choose or to opt out. But it is unscrupulous organisations and marketers amongst us that collect data surreptitiously or use data for purposes other than for which it was collected that ultimately give us all a bad name.
Without a doubt, the consumer must play a pivotal role in the success of Hong Kong’s PDPO and with it they must also take responsibility for their own data privacy. The problem is that most consumers could not even tell you where to get a copy of the ordinance from, let alone tell you what rights and obligations they have!
So clearly what Hong Kong needs is not more legislation and regulation, but a comprehensive and long-term awareness and education programme on data privacy. And for that I call on the government of the HKSAR, the Office of the Privacy Commissioner, and you the marketers and agencies to put the consumer front and centre and to work in partnership to ensure that our current legislation actually works for those that it is meant to protect – consumers and businesses alike; because ultimately we are all responsible.