Legal Protection of Digital Property
PhD(Computer Science) LLM(Intellectual Property) Department of Computer Science
Direct Marketing (Part VIA)
Copyright By PowCoder代写 加微信 powcoder
• PartVIAhascomeintoeffectsince1 April 2013 (“commencement date”)
• s.35A(1):”directmarketing”=
– offering or advertising of availability of goods, facilities or services; or
– solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes
through direct marketing means
NB. The expression “donations or contributions” is not defined, but generally refers to money or property with monetary value (eg. food, clothing, household items, computers, cars etc).
• s.35A(1):”directmarketingmeans”=
– sending information or goods, addressed to specific persons by names, by mail, fax, email or other means of communication; or
– making telephone calls to specific persons
Q: Is the following “direct marketing means”? – sending SMS to the mobile of a named
individual
– sending advertising leaflets by mail to occupiers of a building
– sales person knocking on the door of a potential customer to promote his products
NB. Excludes unsolicited messages sent to telephones, fax machines or email addresses without addressing to specific persons by name; face-to- face promotions; or telephone calls made to phone numbers randomly generated. (*RR: on Direct Marketing)
NB. Marketing communications addressed to the contact staff of a corporation by name and made to his office address, email or telephone number is not direct marketing means because not targeted at the person in his personal capacity.
• s.35C:datauserwhointendstouse personal data in direct marketing must
– inform the data subject its intention and that it will not so use the data without the data subject’s consent; AND
– provide the data subject with the following information
» the kinds of personal data to be used;
» the classes of “marketing subjects” (goods, services, or purposes of donations) in relation to which the data is to be used
– provide a free channel through which the data subject may send his consent
NB. S.35C applies whether or not the personal data is collected directly from the data subject: s.35C(3). But communications need not be in writing.
NB. “Consent” in relation to direct marketing includes an indication of no objection: s.35A(1). Indication must be clear, thus silence or no response ≠ no objection!
Q: Is the following valid consent ?
1. (oral reply) “I am interested to know about the product but I am busy, please call my home number at … in the evening”.
2. (oral reply) “I’ll think about it”.
3. (reply form) not checking the box “I do not want to receive direct marketing materials” but checking the box “I have read and understood the data user’s data policy”.
4. letter states that objection must be made by sending the objection slip attached, but no response is received.
• s.35E: data user must not use personal data in direct marketing unless
– data subject’s consent has been received;
– if consent is given orally, data user has, within 14 days from receiving it, sent a written confirmation to the data subject confirming the permitted kind of data and permitted class of marketing subjects; and
– use is consistent with the consent (ie. personal data falls within the permitted kind, and marketing subject falls within the permitted class)
• s.35F:whenusingpersonaldatain direct marketing for the 1st time, data user must inform data subject that it will cease to use the data in direct marketing if data subject so requires
• s.35G:datasubjectmay,atanytime, require data user to cease to use his personal data in direct marketing, and data user must comply
NB. Contravention of s.35C, 35E, 35F or 35G is an offence ($500,000 + 3 yrs).
NB. S.35H: prescribed consent for use of personal data in direct marketing deemed to be obtained if data user has not contravened ss.35C (inform before use), 35E (use after consent) or 35G (cease when required).
• s.35J:datauserwhointendstoprovide personal data to another for use in direct marketing must
– inform the data subject in writing its intention and that it will not so provide the data without the data subject’s written consent; AND
– provide the data subject with the following written information
» whether the data is provided for gain;
» the kinds of personal data to be provided;
» the classes of persons to receive the data;
» the classes of “marketing subjects” in relation to which the data is to be provided
– provide a channel through which the data subject may send his consent free of charge
• s.35K:datausermustnotprovide personal data to another for use in direct marketing without data subject’s written consent
NB. Contravention of s.35J or 35K is an offence
– for gain: $1M + 5 yrs;
– not for gain: $500,000 + 3 yrs.
• s.35L:datasubjectmay,atanytime, require data user to cease to provide data to another for use in direct marketing and to notify any recipient to cease such use, and the data user and recipient must comply
NB. Contravention of s.35L is an offence
– data user: $1M + 5 yrs (for gain); $500,000 + 3 yrs (not for gain);
– recipient: $500,000 + 3 yrs.
NB. S.35M: prescribed consent for provision of data to another for use in direct market is deemed to be obtained if data user has not contravened s.35J (inform before provision), 35K (provide after consent) or 35L (cease if required).
NB. Part VIA does not apply to
– the offering or advertising of social or health care services run or subsidised by the government: s.35B;
– provision of personal data to another person for use as above, unless the provision of personal data is for gain: s.35I
E1: X, a provider of interest classes for young children, expands its business into manufacturing toys for young children. It sends out advertising leaflets for its toys to customers on its database. Any liabilities?
E2: Y, who works for an insurance company, obtains a printed HKU telephone directory from his friend Z, a lecturer at HKU. Y uses the directory to give “cold calls” to HKU staff.
• allpracticalstepsshallbetakento protect personal data against unauthorised or accidental
– processing;
– erasure;
– loss; or
• allpracticalstepsshallbetakento ensure that a person can
– ascertain a data user’s policies and practices in relation to personal data;
– be informed of the kind of personal data held by a data user;
– be informed of the main purposes for which personal data held by a data user are used
• adatasubjectshallbeentitledto
– ascertain whether a data user holds personal data of which he is the data subject;
– request access to personal data
» within a reasonable time;
» at a fee, if any, that is not excessive;
» in a reasonable manner; and
» in a form that is intelligible
– be given reasons if an access request is refused;
– object to a refusal of an access request;
– request the correction of personal data;
– be given reasons if a correction request is refused;
– object to a refusal of a correction request
NB. Requests may be made by the “relevant person” defined in s.2(1).
NB. Data subject entitled to access his personal data but not necessarily the entire document containing the data.
Refusal to Comply with Data Access Request: s.20
• adatausershallrefusecomplianceif
– not supplied with information as to the identity of the requestor and its relationship with the data subject;
– cannot comply with the request without disclosing personal data of another explicitly named/identified (s.20(2)(a)) data subject (unless the latter has consented to such disclosure); OR
– compliance is prohibited under any
NB. Confidentiality not imposed by any Ordinance is not a ground for refusal: AAB Appeal No. 26 of 2013.
NB. Data user must comply with an access request if it can do so by omitting identifying particulars of other data subjects: s.20(2)(b). This is so even if the identity of the latter can be deduced or inferred: Wu Kit Ping v Administrative Appeals Board [2007] HKCFI 1104. (*RR)
NB. Source of personal data may itself be personal data if the source is an identified individual: s.20(2)(a).
NB. Confidentiality not imposed by any Ordinance is not a ground for refusal: AAB Appeal No. 26 of 2013.
E1: X, a student body, holds a database of comments made by its members about the lecturers. Y, a CS lecturer, requests X to send him a copy of all comments about him. Must X comply, and if so, how?
E2: As in E1. The Head of the CS Dept requests X to send him a copy of all the comments about CS lecturers.
• adatausermayrefusecomplianceif
– request not written in Chinese or English;
– not supplied with information reasonably required to locate the personal data;
– request follows 2 or more similar requests and it is unreasonable in all the circumstances to comply;
– compliance prohibited because another data user controls the use of the data, and if so, must inform data subject of the name and address of the other data user: s.21(1)(c); (NB. Must comply as far as
no contravention of prohibition: s.20(4).)
– compliance may be refused under any Ordinance
Recommended Reading
• NewGuidanceonDirectMarketing (January 2013)
• WuKitPingvAdministrativeAppeals Board [2007] HKCFI 1104
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com