Privacy Law and Policy Reporter
On 3 August 1995 the Governor of Hong Kong, with the Legislative Council's advice and consent, enacted the Personal Data (Privacy) Ordinance ('the Ordinance'). The legislation adopts most of the Law Reform Commission's (LRC's) proposals providing for data privacy published in August 1994 (see 1 PLPR 165). Those proposals were based on recommendations formulated following a five-year examination of the issue by the LRC's Privacy sub-committee chaired by Mr Justice Barry Mortimer. That examination included consideration of over 80 submissions elicited by a comprehensive public consultation exercise.
The Ordinance reflects an accelerated but nonetheless thorough examination by a committee of legislators chaired by the Hon Emily Lau resulting in the adoption of 30 committee-stage amendments to the Bill. The law is expected to come into force in the second quarter of 1996, following the setting up of the office of the Privacy Commissioner ('the Commissioner').
The Ordinance's short title states that it is 'an Ordinance to protect the privacy of individuals in relation to personal data'. 'Privacy' is a notoriously vague expression, but in the context of the Ordinance it can be attributed an operational definition, namely compliance with the data protection principles. Traditionally, organisations in Hong Kong have tended to assume that they have exclusive control over data they hold about an individual (the data subject). The data protection principles enable the data subject to share this control.
The Ordinance regulates data users in both the public and private sectors. Section 2 defines 'data user' as the person who 'controls' personal data, either alone or jointly with another person. Section 2(12) excludes from this definition a person doing so solely on behalf of another person and not for any of his own purposes, such as an Internet service provider. Section 52 exempts from the application of all the data protection principles data held by an individual and concerned only with the management of his personal, family or household affairs, or held only for recreational purposes.
'Data' is defined as 'any representation of information (including an expression of opinion) in any document, and includes a personal identifier.' In Hong Kong the identity card number constitutes an ubiquitous personal identifier. To constitute 'personal data' and hence be subject to the Ordinance the data must fulfil all three following requirements:
The identification and retrievability tests modify the Ordinance's focus on recorded personal information. They recognise a harm test: personal data may pose only insignificant risks to the individual unless and until they can be reasonably identified or retrieved. It follows that whether the data in question fall within the definition of 'personal data' is not determined by their category (for example, name, address) but will fluctuate according to the context provided the data by different data users controlling the data.
The data protection principles distil the principles of fair information practice that form the heart of the Ordinance and are set out in Sched 1. Although based on those formulated by the OECD, the wording adopted differs in some respects. They have also been supplemented in some respects.Principle 1 - Purpose and manner of collection
This principle imposes various requirements on the collection of personal data. 'Collection' is undefined but covers two situations:
Principle 1 requires that personal data be collected:
Where the collection is from an individual, he or she must be informed at the time of matters relevant to the decision whether to provide the data, namely whether it is obligatory or not to provide them, the consequences of not providing them, the purposes for which they will be used, and the classes of persons to which they will be transferred. The data subject must prior to their use be also advised of his or her access and correction rights and contact details of the officer handling such requests. Except as regards voluntariness and consequences (which will often be obvious from the context), the data subject must be explicitly informed of these matters. Where repeated collections are involved in similar circumstances (for example,. hospital patients), s 35 provides that annual reminders suffice so as to avoid pointless repetition. These requirements derive not from the OECD principles but from the EU Directive on data protection, as modified in response to submissions received.Principle 2 - Accuracy and duration of retention
This imposes the requirement that personal data be accurate having regard to the purpose for which they are used. No absolute standard is accordingly imposed. In addition it requires that:
Data users will be faced with a major undertaking in upgrading the quality of their data to conform to the Ordinance. Accordingly while s 66 provides that an individual who suffers damage (including injury to feelings) as a result is entitled to compensation, this right does not accrue for inaccurate data until one year after the law comes into force.Principle 3 - Use
This provides that personal data shall not, without the prescribed consent of the data subject, be used for any purpose other than 'the purpose for which the data were to be used at the time of the collection of the data'. 'Purpose' includes a directly related purpose.
A noteworthy feature of this formulation is that it dispenses with the OECD Purpose Specification Principle's requirement that data purposes must be specified not later than the time of data collection. As regards collections from the data subject, we saw above that principle 1 requires the specification of purposes. But where the data are collected from third parties, principle 3 envisages the attribution of a data purpose whether or not it was explicitly formulated at the time of collection. In view of the increasingly unilateral nature of data collection from other data users this probably makes sense. It has also facilitated dispensing with a mandatory notification requirement (see below).
This principle is the linchpin of the regulation of the use of data and is very broad. As mentioned above, 'collection' of data may be from either the data subject or from a third party. Under principle 3 the data subject's prescribed consent is required to a change of purpose in either case.
The most logical interpretation of 'time of collection of data' is that it is not restricted to the initial collection but extends to subsequent collections. On this basis, consent would be required to a change of use from the purpose that the data user in question collected it for. This purpose may differ from that applicable to data users controlling the data earlier in the data 'food chain'.
'Use' of data would appear to extend to merely calling up the data for inspection, in view of the wording adopted in principle 4 set out below. Under the differently worded provisions of the UK Data Protection Act 1984, in R v Brown  QB 547 the Court of Appeal held that 'use' did not extend to such activities (see (1994) 1 PLPR 32).
'Prescribed consent' is defined (in s 2) as 'express consent given voluntarily'. Express consent must be given affirmatively and it would not suffice to simply advise the data user of the change of purpose and indicate that his consent will be inferred unless he objects. Further, consent must be informed consent and the data subject must given a clear idea of what is proposed.Principle 4 - Security of personal data
This requires the data user holding data to take 'all reasonably practicable steps' to protect that data against unauthorised or accidental 'access, processing, erasure or other use' having particular regard to a number of matters there set out.
This is the only data protection principle which extends to data that do constitute 'personal data' because they are not reasonably retrievable. It accordingly regulates the insecure storage and disposal of unstructured manual data.Principle 5 - Information to be generally available
This principle provides a general exhortation of transparency in dealing with personal data. It requires data users to be open about their data policies and practices, the kinds of personal held and their main purposes.Principle 6 - Access to personal data
This principle provides the data subject with the right to ascertain from a data user whether it holds data on him and if so to access and correct or qualify that data. The mechanics of this process are elaborate and are spelt out in Pt V of the Ordinance. The combined effect of s 19(3)(a)(ii) and s 19(5) is that for the first year that the Ordinance is in force the right is qualified and the data user is allowed to clean up his data and only provide the data subject with the residue.
The relationship between the principles articulated in Sched 1 and Pts I-X is defined by s 4 which provides that a data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless it is required or permitted under the body of the Ordinance.
Part VIII prescribes specific exemptions from principles 3 and 6 where their application to data is likely to prejudice a competing public interest. Three general points are:
Exemptions from both principles are accorded where their application to the data in question is likely to prejudice health, the prevention, preclusion or remedying of illegal or 'seriously improper conduct' (for example, disciplinary breaches), law enforcement, the collection of tax, and security, defence or international relations in respect of Hong Kong. Financial regulation is accorded some elaborate supplementary exemptions. Also exempted are data held by a news business solely for the purpose of a news activity.Exemptions from principle 6 only
Part II details the setting up of the office of the Privacy Commissioner (the Commissioner). This will be a new regulatory body to monitor and, if necessary, enforce compliance with the legislation. Part VII prescribes the procedures to be followed by the Commissioner in investigating and reporting on complaints and confers various powers in this regard. Main features are:
Prescribed functions include supervising compliance, education, promoting codes of practice, examining proposed legislation that may affect privacy, and monitoring computer technology impinging on privacy. These last two functions were omitted from the LRC's recommendations, but correspond with those of his Australian and NZ counterparts.
The Commissioner's investigative powers are accompanied by powers of entry to premises and enabling him to collect evidence. These powers are balanced by competing civil liberties concerns. Accordingly, a judicial warrant is required for entry to domestic premises. Nor do his evidence seeking powers extend to the seizure of evidence.
Section 28(4) provides that a data subject may complain to the Commissioner about an act or practice engaged in by a specified data user which may contravene a requirement of the Ordinance. In the first instance the emphasis will be on resolving a dispute through conciliation. However, the Commissioner is conferred comprehensive mandatory powers to enforce compliance. Appeals on the merits will be entertained by the Administrative Appeals Board. Criminal sanctions are prescribed for some contraventions.
In exercising his investigative powers, the Commissioner is not restricted to reacting to complaints but may initiate his own investigations and conduct systematic inspections of selected data users. These powers are circumscribed in relation to news organisations and he may only conduct an investigation following receipt of a complaint following publication or broadcast of the data. Nor may he conduct inspections of news organisations. The concern was that the application of these powers to the media could weaken its institutional integrity. An additional safeguard to press freedom is the requirement that the Commissioner may only require the identification of journalistic sources after obtaining a court order so permitting. The Hong Kong legislation more explicitly balances privacy and press freedom concerns than its counterparts. This is largely to address a growing concern about the development of media self-censorship in the territory.
To assist the Privacy Commissioner an advisory committee will be established. Contrary to the LRC's recommendations, it will lack any executive functions. This conforms to doubts expressed by international experts about the feasibility of a hybrid body.Commissioner's role regarding exemptions
The exemptions are identified exhaustively and the scheme permits no role for the Commissioner in varying their scope. The Commissioner's role is limited to monitoring the application of exemptions in particular instances. Upon receiving a complaint or otherwise investigating a suspected breach, the Commissioner may review the claim that an exemption is applicable. The Commissioner will be assisted in discharging this function by the requirement that upon refusing an access request, the data user must enter the particulars in a log book (a requirement unique to the Hong Kong). The only sphere in which the Commissioner's review powers are restricted relates to data likely to prejudice security, defence or international relations in respect of Hong Kong. As regards these matters, the Governor or Chief Secretary may sign a certificate so providing, giving reasons. The common law principles of judicial review apply to such certificates.
Part III deals with the promulgation of codes of practice to elaborate on the application of the necessarily generally expressed data protection principles to particular sectors. The provisions of such codes may elaborate on, but not amend or abridge, any requirement of the law. The Commissioner may issue his own codes or approve suitable codes prepared by others. In either case he must consult affected parties. A breach of a code does not of itself constitute a contravention of the law, but will be admissible in the investigation of an alleged contravention.
Part IV provides the Commissioner with powers to require specified classes of data users to furnish him with returns providing general information about their record-keeping activities. The requirement only applies to data users falling within a class specified to be specified by the Commissioner. This flexible approach departs from that recommended by the LRC, which felt constrained by the Purpose Specification Principle to impose a statutory requirement that all data users provide notifications. As mentioned earlier, the requirement that data purposes always be explicitly specified has been omitted from the principles. The approach adopted allows for the phased introduction of a notification scheme, taking into account the nature of data processing activities in question. Before specifying a class of data users the Commissioner must consult relevant parties.
Part VI regulates specific data processing situations, namely matching procedures, opt-out procedures for direct marketing data, and transfers of data to a place outside Hong Kong.
The Ordinance regulates 'matching procedures' involving the comparison of data collected for difference purposes with a view to taking adverse follow-up action. The definition of 'matching procedure' is similar to the New Zealand provision, but emphasises an objective test in ascertaining whether the data may be used for the purpose of taking adverse action, whether immediately or at any subsequent time. Such programs are intrusive in nature and their results are susceptible to error and to address these concerns it is required that:
The developing trend in Europe is to discourage the transfer of data to jurisdictions lacking adequate data protection. This trend will accelerate following the adoption in July 1995 of the European Union Directive on data protection. Furthermore, such states may be hesitant to transfer personal data to a jurisdiction possessing legal controls which, however, countenance further transfers to data havens. Accordingly, the Ordinance imposes controls aimed at precluding Hong Kong from being a conduit for transfers to data havens. There are two aspects, namely the territorial reach of the Ordinance and a restriction on the transfer of data to jurisdictions outside Hong Kong.
The application of the control test included in s 2's definition of 'data user' means that the transfer of data to a jurisdiction out of Hong Kong will only cease to be subject to the Ordinance's general provisions if control is also relinquished. Where the transfer is of data is accompanied by a loss of control of the data, s 33 applies. This permits a transfer where it is to a jurisdiction possessing 'any law which is substantially similar to, or serves the same purposes as, this Ordinance' and the Commissioner may specify such jurisdictions by gazette. Also permitted are transfers justifiable on public interest grounds, or which further the interests of the data subject.
In all other cases, however, s 33 requires that the transferrer should be subject to a duty to take all reasonable steps to ensure that the transferee applies similar data privacy standards to those applicable in Hong Kong. It will be for the transferrer to assess the situation and take the most appropriate steps. Consideration will have to be given to such measures as obtaining contractual assurances. But in the last analysis, it will be for the Commissioner to determine upon receipt of a complaint or at his own initiative, whether the duty has been discharged by the transferrer.
These provisions obviously have major implications for Australia and other jurisdictions presently lacking comprehensive legal regulation of data privacy in the private sector. They are not restricted to transfers out of Hong Kong but extends to Hong Kong controlled transfers between two jurisdictions outside Hong Kong.
Upon the first communication for the purposes of marketing following the Ordinance coming into force, s 34 requires that the data subject must be expressly offered the opportunity to require that all data relating to him used for marketing purposes be no longer so used.
With the enactment of the Personal Data (Privacy) Ordinance, Hong Kong joins NZ as a Pacific-rim jurisdiction with a comprehensive legal regime protecting personal data in both the public and private sectors. On 13 August 1995 they were joined by Taiwan (see (1995) 2 PLPR 160). Moreover, the Hong Kong law's restrictions on transborder dataflows are directly relevant to data users in the region. The implications of these restrictions merit separate treatment.
Mark Berthold is consultant to the Hong Kong Law Reform Commission.