Privacy Law and Policy Reporter
In part one of this article ((1994) 1 PLPR 165), Mark Berthold discussed the recommendations of the Hong Kong Law Reform Commission in its August 1994 Report on Reform of the Law Relating to the Protection of Personal Data.
The Australian and NZ legislation does not specifically address the transfer of data out of the jurisdiction. Insofar as the Australian Act deals with Federal government agencies, the issue was of limited relevance. Such transfers should, subject to exemptions, comply with the finality principle of consistency with the original purpose. But if the transfer is to a data haven, its subsequent dissemination will be unconstrained by data protection controls. The developing trend in Europe is to discourage the transfer of data to jurisdictions lacking adequate data protection. A number of European countries already restrict such transfers and art 26(1) of the EU directive imposes a general requirement to this effect on all member states. Taking the matter one step further, such states may be hesitant to transfer personal data to a jurisdiction possessing legal controls which, however, countenance further transfers to data havens.
Accordingly, the Commission has recommended controls aimed at precluding Hong Kong from being a staging post or conduit for transfers to data havens. There are two aspects of this: (a) the territorial reach of the Hong Kong law; and (b) regulation of transborder transfers not subject to the law's general provisions.
The simplest method of regulating data transferred from the territory is to subject it to the same regulatory framework that is applied within Hong Kong. In determining the territorial scope of the law, there are three main approaches. The first (the control test) is to apply the legislation to processing controlled by a data user within the jurisdiction, whether or not the processing occurs within the jurisdiction (for example, the UK law). The second (the processing test) is to apply the law where the processing of the data occurs within the jurisdiction (for example, the French law). The third is to apply the law if the data relates to the citizens of that country (for example, the Netherlands law). This disparity of approaches means that personal data may be the subject of several data protection laws - or none. Greater uniformity will result from adherence to art 4 of the EU directive. This provides that the scope of national laws should be defined by reference to the control test, supplemented by the processing test. The Commission recommends the same approach under the Hong Kong law.
The Commission expects this broad approach to territorial application to reassure other countries contemplating transfers that a jurisdictional gap will be avoided. For example, the data controller based in France might only be prepared to transfer data to a jurisdiction if it continues to be subject to data protection controls. The present French law would cease to protect the data following transfer, as that law lacks a control test. Nor would the control test apply to the processing of data in Hong Kong, with the data controller situated in France. The regulatory gap posited is filled by applying the processing test.
The application of the control test means that the transfer of data out of the jurisdiction will only cease to be subject to the law's general provisions if control is also relinquished. In its consideration of what supplementary mechanism should apply to such transfers, the Commission recognised the futility of requiring data users to notify the Privacy Commissioner of all transfers. Nonetheless, an oversight role was thought essential. A distinction was drawn according to whether the transfer was sanctioned by art 26(2) of the EU directive, namely that it is pursuant to the consent of the data subject or necessary to protect his or her interests, pursuant to contract, or necessary on public interest grounds. Such transfers should be unfettered.
In all other cases, however, the Commission recommends that the transferor should be subject to a duty to take all reasonable steps to ensure that the transferee applies the data protection principles relating to that data. It will be for the transferor to assess the situation and take the most appropriate steps. If the transferee is in a jurisdiction subject to an adequate data protection law, then no further steps will be required. Otherwise, consideration will have to be given to such measures as obtaining contractual assurances. But in the last analysis, it would be for the Privacy Commissioner to determine, on receipt of a complaint or at his own initiative, whether the duty has been discharged by the transferor.
The Commission has recommended a comprehensive scheme of exemptions. Unlike under the Australian and NZ laws, the scheme is exhaustive and envisages no role for the Privacy Commissioner in its determination. This extends to his approval of sectoral codes of conduct, as these may not relax the application of the data protection principles. The only exemption from the application of all the data protection principles is for data used by an individual solely for private purposes. The remaining exemptions are restricted to the application of the use limitation principle and access and correction rights under the individual participation principle. Exemptions from both principles are recommended for the usual categories, namely where their application is likely to prejudice health, law enforcement, security, defence or international relations, or the collection of tax. Access exemptions are also recommended for data likely to identify informers, data for which a claim for professional privilege could be made out or which relates to judicial appointments.
Not surprisingly, a number of respondents sought exemptions in additional areas. Regarding the use limitation principle, financial regulators pointed out that conduct which is not strictly illegal may nonetheless adversely affect the financial markets. As they are largely dependent on tip-offs, they objected to their sources being constrained by the purpose for which they received the data, such as servicing a client. The Commission accepted this need to waive the application of the use limitation principle to countenance a whistleblower disclosing illegal or 'seriously improper' conduct, provided he or she believed on reasonable grounds that the disclosure to the person receiving it would contribute to its prevention or remedy. As the disclosure of non-culpable factors such as incapacity may also be important, a similar dispensation is recommended where the disclosure relates to the character or activities of an individual where this is likely to seriously affect the performance of a statutory body or administrative tribunal. On a rather different note, the Commission accepted that an exemption was warranted for using data for research purposes where this was not originally envisaged by the data subject.
Similarly, respondents sought additional exemptions from having to afford data subjects access, particularly in the sphere of personnel management. The Commission accepted that access should be denied to staff succession plans involving long-term and hence necessarily hypothetical projections. Also recommended was denial of access to references until the position is filled. Further, interim access would be blocked where this would seriously disrupt an evaluative process, such as determining the class of a degree. As with references, the exemption would lapse on the completion of the process, precluding the accretion of potentially adverse material not subject to access and correction rights.
Under the general exemptions scheme, the Privacy Commissioner may, on appeal, review the applicability of an invoked exemption. The only sphere in which it is recommended that his ability to do so be trammelled relates to security, defence or international relations in respect of Hong Kong. As regards these matters, the Governor or his deputy may sign a certificate so providing.
The exemption area that gave the Commission greatest grounds for pause related to journalistic purposes exercised by the media. Whereas the other exemptions outlined above endeavour to accommodate competing public interests, journalistic activities exercise a competing human right, namely that of free expression. This is provided for by art 19 of the International Covenant on Civil and Political Rights (ICCPR). Representing a treaty obligation for Australia and NZ, in Hong Kong the terms of the covenant are replicated in the Hong Kong Bill of Rights. The relevant jurisprudence is primarily contained in decisions construing the similarly-worded provision in the European Convention of Human Rights. These appear to establish the following propositions:
While art 9 of the EU directive requires member states to provide exemptions for journalistic purposes, the provision avoids specifics. As the Council of Europe has pointed out, the complete inclusion or exclusion of the media from the data protection regime would lack proportionality. The Commission accordingly reviewed the extent to which the application of each of the OECD principles could inhibit free speech rights. It concluded that most of the principles could be applied to the media without difficulty. It should keep unpublished data secure. Its data should be accurate for the purposes for which it is held; that is, publication. It should be collected fairly and lawfully. But the Commission concluded that exemptions were warranted from the following principles.
The use limitation principle
The requirement that data should not be used for a purpose other than that for which it was obtained should not be a problem for the journalist, as publication would usually be contemplated. But it would inhibit the whistleblower who acquired the data for purposes not extending to its publication and who reasonably concludes that publication is justified. The Commission concluded that the journalistic enterprise requires freeing sources from the application of the principle.
The individual participation principle
The Commission accepted the Hong Kong Journalist Association's argument that access and correction rights could undermine investigative journalism, by facilitating the data subject anticipating lines of inquiry and enabling him or her to warn off sources. Also, access and correction applications could tie up resources and stymie the publication process. Accordingly, the Commission recommends a total exemption from access rights for unpublished data held solely for journalistic purposes.
Significant recommendations not readily subsumed under the above headings include the following.
1. Transmission of corrections
It is recommended that data users ensure that data corrections are passed on. It will be a matter for the data user to devise an adequate system for the propagation of corrections to transferees. Audit trails, tagging, or the maintenance of adequate lists are some of the possible approaches.
2. Direct marketing
Article 15(3) of the EU directive requires member states to ensure that data subjects are afforded the opportunity to opt out before their data is used for marketing purposes. Respondents objected to any requirement that they go through their mailing lists as being costly and time consuming. The Commission's recommendation on this is that upon the first communication for the purposes of marketing, and at reasonable intervals thereafter, the data subjects must be expressly offered the opportunity to have all data relating to them held for marketing purposes erased without cost.
Respondents sought a phased introduction. The most extreme position was that the law should only apply to data generated after its enactment. The Commission rejected this general curtailment of its application. Nonetheless, it recognised that data users would be faced with a major undertaking in upgrading the quality of their data. On the other hand, to delay the application of access and correction rights would be to deny data users a major aid in that process. The recommended compromise is to provide for a transition period of one year, during which access rights are qualified. During this period data users should not be obliged to provide a full copy of all data held at the time the access request is received. Instead, the organisation should be entitled to update the data and delete irrelevant or dubious material. The data subject should be provided with a copy of all the remaining data.
The other aspect of the transition period relates to compensation. Compensation is recommended for any breach of the data protection provisions causing loss or injured feelings. It is recommended that this right not accrue for a breach of the data quality principle until the expiration of the transition period.
Mark Berthold, a Senior Crown Counsel in Hong Kong, was the Secretary to the subcommittee of the Hong Kong Law Reform Commission and drafted its privacy report.