Sale of Personal Data for Direct Marketing — How Many Tentacles Can an Octopus Have?

The Octopus case

Octopus Holdings Ltd. operates the Octopus card, which is an electronic stored-value payment card used by Hong Kong residents for public transport, fast-food restaurants, parking, convenience stores and supermarkets. The cards may also be used as a student card or as an access card for residential apartments or office buildings.

In addition to the electronic payment facilities, Octopus Rewards Limited, a company which is wholly owned by Octopus Holdings Ltd. (referred collectively as "Octopus") operates a rewards program linked to the Octopus card, whereby card holders earn reward cash every time they make purchases with their Octopus cards at selected business partners ("Rewards Program"). While the electronic payment facilities of the Octopus card may be used without registering and providing any personal data, card holders wishing to take advantage of the Rewards Program must first register with Octopus. Card holders are requested to supply a broad range of personal information on the registration form (some of which is required for the application to proceed), including name, identity card or passport number, gender, month and year of birth, contact details, marital status, education level, occupation, income and interests.

Octopus provided the personal information of almost 2 million card holders to six insurance companies for direct-marketing over a four and a half year period, earning the company HK$44 million in revenue.

The application form for the Rewards Program was drafted in such a way as to give Octopus very broad rights to deal with the personal information of card holders. In signing the application form for the Rewards Program, card holders automatically consented to their personal data being disclosed to any third party (at Octopus’s discretion) and used for direct marketing purposes. The only way that card holders were able to opt-out from their personal information being sent to third parties was to first sign the form (thereby consenting to the distribution and sale of their data to any third party), and later call Octopus to opt-out, a process which Octopus conceded would take approximately three days. The application form cross-referred to a separate set of terms and conditions relating to data protection/privacy, making it unlikely that the card holder would fully understand the scope of their consent prior to signing the form. Even if card holders understood that by signing the registration form they consented to their personal information being sold to third parties, it is likely that given the inconvenient and time consuming opt-out procedure, they would be reluctant to take the necessary steps to protect their personal information.

Investigation by the Privacy Commissioner

On 21 July 2010, the Privacy Commissioner ordered a formal enquiry into Octopus’s practices to ascertain whether the collection and disclosure of card holders’ personal data for direct marketing purposes was in contravention of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Commissioner exercised his powers under the Ordinance to hold a hearing to summon witnesses to assist with the investigation.

The Privacy Commissioner is yet to issue the final report on the investigation. However, in response to the mounting public concern regarding the handling of personal data under the Rewards Program, on 30 July 2010 the Privacy Commissioner took the unusual step of issuing an interim report, containing his preliminary findings as well as interim recommendations to Octopus regarding its handling of personal data.

The Privacy Commissioner made 12 recommendations regarding Octopus’s handling of personal data, including the following:

• Card holders should be able to submit their applications for the Rewards Program using only their names and Octopus card numbers.

• Consent to use personal data for direct marketing purposes should be expressly given and should not be deemed.

• The parties to whom personal data may be transferred should be clearly identified.

• Octopus should not disclose personal information other than name and contact information for direct marketing purposes, as any additional information is unnecessary and excessive.

The Privacy Commissioner is yet to issue a final determination on the matter. If Octopus is found to have breached the Ordinance it is likely to be because the scope of the information collected was arguably excessive for the purposes for which it was collected.

Calls for reform

As Octopus sold the personal information of almost 2 million people (almost a third of the population of Hong Kong) to third parties, the case received a fair amount of publicity and has generated debates in the media and has led to calls for reform of the data protection regime in Hong Kong.

Hong Kong’s Personal Data (Privacy) Ordinance is currently under review by the Government. A number of amendments have been proposed, partly in response to the increasing concern of the public relating to protection of personal data. The Government published a consultation document on 28 August 28 2009, inviting public comment on the proposed amendments to the Ordinance. The consultation period ended on 30 November 2009. The Government is yet to make any further announcements in relation to the reforms, but given the profound impact that the proposed changes may have on various sectors of the community and the recent furore over the Octopus case, it is expected that further changes may be introduced when the bill is made public.

Authored by Gabriela Kennedy and Heidi Gleeson.