程序代写 COMP7901 (2021-22)

COMP7901 (2021-22)
Legal Protection of Digital Property Suggested Answer to Homework #2
(In the following, references to sections are references to the Personal Data (Privacy) Ordinance, Cap 486, unless otherwise stated)
(a) Legal liabilities of Mart007 under PD(P)O

Copyright By PowCoder代写 加微信 powcoder

InstPay keeps the name, address, contact information and credit card number of its users. Obviously these are personal data under PD(P)O, s.2(1): relating to living individuals, from which it is practicable to ascertain the identity of the individual, and in a form in which access to or processing of the data is practicable. All InstPay customers are data subjects. InstPay controls the collection, holding, processing or use of the data, and hence is the data user (PD(P)O, s.2(1)). Mart007 and SecuPay are also the data users.
Mart007 sold the List to SecuPay, it is liable for the offence under s.64(1), by disclosing the personal data of InstPay¡¯s customers to SecuPay without InstPay¡¯s (data user) consent, with an intent to obtain gain in money.
SecuPay has sent email addressed to the customers of InstPay personally, offering and advertising the availability of their services, it is direct marketing under s.35A(1).
If Mart007 knew that SecuPay were going to use the data they sold them in direct marketing, Mart007 is also criminally liable under s.35J and s.35K. Mart007 must inform InstPay¡¯s customers in writing and get their written consent before providing the List to SecuPay (s.35J). Under s.35K, Mart007 should not provide personal data to SecuPay before obtaining written consent from InstPay¡¯s customers.
Mart007 has also violated DPP1 and DPP3. According to DPP1, the means of collection must be lawful and fair. The List was obtained by an employee of Mart007 directly from InstPay’s database, it can be inferred that the employee has hacked into InstPay¡¯s database. It has also infringed the copyright of InstPay, by making copies of the data without the consent of the copyright owner. Hence, the means of collection by Mart007 is not lawful. Mart007 is in breach of DPP1.
Under DPP 3, personal data must be used for the purpose for which the data is collected or for a directly related purpose, it shall not be used for any new purpose without prescribed consent.
It can be reasonably assumed that the data policy of InstPay in respect of the personal data in question did not include selling or transferring the data to a third party. It is a new purpose and Mart007 should obtain prescribed consent from InstPay¡¯s customers (data subjects) before selling them to SecuPay. The facts do not suggest Mart007 had done so.

(b) Legal liabilities of SecuPay under PD(P)O
SecuPay has sent email addressed to the customers of InstPay personally, offering and advertising the availability of their services, it is direct marketing under s.35A(1).
According to s.35C, before sending emails to InstPay¡¯s customers, SecuPay must have informed them about the kinds of personal data to be used and the classes of marketing subjects, and asked for their consent. Under s.35E, SecuPay should not have sent the email to InstPay¡¯s customers unless it has received their consent. Furthermore, under s.35F, if the email was the first time that SecuPay used their personal data in direct marketing, it must inform the customers that it would cease to use the data in direct marketing if they so required. Contravention of any of s.35C, E, F is an offence under PD(P)O. On the facts, it appears that SecuPay has not complied with any of these provisions. If so, SecuPay is criminally liable. InstPay¡¯s customers can also request SecuPay to stop using their data for direct marketing any time s.35G.
SecuPay has also violated DPP1. The means of collection is unfair because SecuPay knew the data belonged to InstPay and yet bought them behind the scene on condition that SecuPay would keep the data confidential. It is also unlawful for it is copyright infringement as SecuPay was essentially keeping an infringing copy of the data without the consent of the copyright owner.
SecuPay may have also violated DPP3 as using the data by a third party other than InstPay is a new purpose. SecuPay needs to obtain prescribed consent from InstPay’s customers before using them.
(c) Legal liabilities of InstPay under PD(P)O
As for liability of InstPay, it may have violated DPP4. Under DPP4, all practical steps shall be taken to protect personal data against unauthorized access and use. Mart007 has obtained the List by hacking into InstPay server. To avoid liability under DPP4, InstPay has to prove that they have taken all practical steps to protect their users¡¯ data. For example, installing firewall, with regular monitoring of unusual activities of the server, or encrypting important customers¡¯ information.

程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com