It was reported that as of 24 November 2015, the Hong Kong Privacy Commissioner ("PC") had received 46 complaints regarding the misuse of personal data during the 22 November 2015 District Council elections. Most of the complaints relate to the unauthorised disclosure or use of voters' information by election candidates and/or their agents. The PC is in the process of making enquiries and will decide whether or not to launch investigations and to issue enforcement notices if it is determined that breaches of the Personal Data (Privacy) Ordinance ("PDPO") occurred.

Guidance on Electioneering Activities

On 25 August 2015, the PC issued a Guidance on Electioneering Activities ("Guidance Note") in anticipation of the District Council elections of 22 November 2015. The Guidance Note set out practical advice for election candidates and their agents on how to ensure compliance with the PDPO when carrying out their electioneering activities, e.g., calling or messaging voters to encourage them to vote for a particular candidate. For example, the Guidance Note advised candidates that:

  1. They should be directly responsible for ensuring that their campaign staff comply with the PDPO;
  2. Only personal data that is necessary and not excessive for carrying out the electioneering activities should be collected (e.g., Hong Kong Identity Card numbers should not be collected);
  3. Where the personal data is being collected directly from the individual, such individual should be informed of the purpose for which their personal data is being collected;
  4. Personal data should not be collected by deceptive means or by misrepresenting the purpose of collection;
  5. With regard to personal data obtained from third-party sources (i.e., not collected directly from the relevant individual), the candidate must ensure that the original purpose for which that third-party source collected the personal data relates to the intended electioneering activities, otherwise express consent from the individuals will be required;
  6. When contacting an individual for electioneering purposes, the candidate (or their agent) should inform the individual of how they obtained his/her personal data when asked; and
  7. Individuals should be given an opportunity to decline any further communication regarding the electioneering activities.

Conclusion

If the PC decides to conduct a formal investigation and finds that a breach of the PDPO has occurred, then enforcement notices are to be expected. Data protection and data breaches are in the news almost on a daily basis. From misuse of data by financial institutions, to the collection of excessive data through mobile apps, to high-profile data hacks of toy companies which collect data of minors, to data collected in an election context, nothing seems to be out of bounds today when it comes to data privacy.

Originally published 18 December 2015

Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.