Complaints and even legal proceedings have been launched in recent months relating to alleged acts of disclosing personal data obtained without consent from the data users (披露未經資料使用者同意而取得的個人資料). We are not going to comment in this article on any details of those lawsuits or complaints, which are still in progress. We just wish to raise your awareness of this offence under Section 64 of the Personal Data (Privacy) Ordinance, Cap 486 (the Ordinance).
What's that offence about?
Subsections (1) & (2) of Section 64 of the Ordinance stipulate that:
(1) A person commits an offence if the person discloses any personal data of a data subject which was obtained from a data user without the data user's consent, with an intent:
- to obtain gain in money or other property, whether for the benefit of the person or another person; or
- to cause loss in money or other property to the data subject.
(2) A person commits an offence if:
- the person discloses any personal data of a data subject which was obtained from a data user without the data user's consent; and
- the disclosure causes psychological harm to the data subject.
The first thing to note is that the offence is not concerned with whether the data subject (資料當事人) has given his/her consent to you for disclosing his/her personal data. The question is whether the data user (資料使用者), who lawfully holds the relevant data, has consented to the disclosure. Example: When you are working in a company (data user) which holds a customer (data subject)'s personal data, are you authorised by that company to disclose the data of that customer to other persons?
The second element of the offence is that there must be a certain intention behind, or impact of, the disclosure, i.e. you intend to obtain gain for yourself or for another person, or the disclosure causes loss or psychological harm to the data subject. Further to the above example, if you disclosed a customer's personal data to others without your employer's consent and you were paid for the disclosure or it caused psychological harm to the customer, then you might have committed that offence.
What are the consequences for the offender?
A person who has violated Subsection (1) or (2) of Section 64 may be liable to a maximum fine of $1,000,000 and imprisonment for five years upon conviction.
According to the media statement published by the Office of the Privacy Commissioner for Personal Data (PCPD) on 26 July 2019, a series of online data disclosure incidents occurred in mid-2019 which involved potential breaches of Section 64. The PCPD had referred more than 400 cases to the Police for further investigation. It is possible that some landmark court cases relating to Section 64 may come out in the near future.
What should I be aware of when performing my job duties?
In short, you must follow your employer's instructions when disclosing your customers' or colleagues' personal data to other parties. Never act outside your normal duties when you handle personal data. If you are in doubt, you should seek instruction from your supervisor before disclosing the relevant personal data.
To play it safe, you should also avoid forwarding personal data which you obtained from various sources (e.g. websites) to others unless you can see the consent wording posted by the relevant sources (data users).
Any possible defences?
If a person has breached Subsection (1) or (2) of Section 64 of the Ordinance, he/she may rely on Subsection (4) to try to avoid liability. However, the defences available in Subsection (4) may involve technical legal arguments. If you have any queries on whether any of these defences is applicable to your case, you should seek legal advice.
Referring to Subsection (4) of Section 64, it is a defence for the person charged under the subject offence to prove that:
a. he or she reasonably believed that the disclosure was necessary for the purpose of preventing or detecting crime;
(example: you try to stop a criminal act as soon as possible by reporting the case (including the relevant personal data) to the police but, due to time constraints, you did not seek prior consent from the company which holds the data)
b. the disclosure was required or authorised by or under any enactment, by any rule of law or by an order of a court;
c. he/she reasonably believed that the data user had consented to the disclosure; or
d. he/she:
- disclosed the personal data for the purpose of a news activity as defined by section 61(3) or a directly related activity; and
- had reasonable grounds to believe that the publishing or broadcasting of the personal data was in the public interest.
This document has been carefully prepared and should be seen as general guidance only. This document cannot be relied upon to cover specific situations and you should not act, or refrain from acting, upon the information contained therein without obtaining specific professional advice. BDO does not accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this document or for any decision based on it. Please contact your advisers or legal counsel to discuss related matters in the context of your particular circumstances.