Privacy Law and Policy Reporter
Mark Berthold
The Hong Kong Law Reform Commission (HKLRC) has released an ambitious blueprint for an integrated approach to the regulation of surveillance and the interception of communications. The proposals are contained in a consultation paper, Privacy: Regulating Surveillance and the Interception of Communications, released on 15 April 1996 (see http://www.info.gov.hk/info/pricon.htm for the Consultation Paper in English and Chinese and http://www.info.gov.hk/isd/news/apr96/16pri.htm for a call for submissions).
The main thrust of the proposals is that a comprehensive regulatory scheme is required to effectively control the manifold methods now available to monitor both behaviour and communications. The proposals should therefore be of interest to jurisdictions elsewhere (including Australia and NZ) whose coverage of such intrusions is incomplete. They also represent the first serious attempt to regulate surveillance in Asia.
The paper represents the latest instalment of the Hong Kong Law Reform Commission's comprehensive review regarding the legal protection of privacy. The work has been undertaken by a committee chaired by Mr Justice Barry Mortimer established to formulate reforms. The Committee's earlier comprehensive data protection proposals were adopted by the HKLRC in its report issued in August 1994 (see 1 PLPR 165), the main thrust of which found legislative expression with the enactment in August 1995 of the Personal Data (Privacy) Ordinance (see 2 PLPR 164). Funding of HK$18.6 million ($A3m) was provided in December to establish a supervisory authority, but the appointment of Hong Kong's first Privacy Commissioner has been delayed as a result of not publicly advertising the post at the outset. It is understood, however, that an appointment is imminent and the Ordinance can then be brought into force.
Data protection and regulating surveillance
In the meantime, the Committee has proceeded to develop proposals regulating surveillance and the interception of communications. Understandably, some attention has been paid to the relationship between such proposals and those protecting personal data. With the development of the concept of `dataveillance' there has been a tendency to merge the two. However, the Committee thought it necessary to distinguish serious systematic intrusions such as bugging and tapping from the ancillary question of the collection and abuse of resultant data. Such an analysis follows logically enough from the Ordinance's explicit mandate of regulating the processing of personal data, with data being defined as `the representation of any information ... in any document'. By comparison, the Australian and NZ Privacy Acts regulate `personal information', although those laws' retrievability requirements will tend to produce a similar focus on recorded data.
The paper proceeds then on the basis that legal controls already regulate the collection and misuse of personal data. Instead, the focus was on identifying those privacy interests that merited supplementary protection, regardless of whether personal data was collected and misused. As Raymond Wacks points out `When my telephone is tapped my principal objection is that there has been an intentional interference with my interest in seclusion or solitude': there is no necessary connection between the intrusion resulting in the individual being observed or overheard and the acquisition of personal information. The surveillance may be unfruitful in that the target refrains from meaningful activity. Even less is there any necessary connection between intrusion and information being recorded as data. Of course such intrusions will usually result in the compilation of personal data records. If so, the requirement of fair collection of personal data will probably be infringed. Separate controls are nonetheless thought merited to address intentional intrusions as such.
This approach is already reflected in legislation imposing criminal sanctions for serious intrusions such as bugging and telephone tapping. In Australia and NZ, but not the UK, such legislation predates that addressing data protection. However, the legislation is not systematic, so that while listening devices are regulated, visual surveillance is not.
Accordingly, the consultation paper endeavours to address the issue in the round. Essentially, the approach adopted was to identify the reasonable expectations of the individual in not being observed or overheard and to then determine the extent to which such expectations should be accorded the protection of the criminal law. Fundamental was the recognition that, as Gary T. Marx puts it in his seminal study Undercover, there has been `a subtle and deep lying shift' in social control:
As powerful new surveillance tactics are developed, the range of their legitimate and illegitimate use is likely to spread. Where there is a way, there is often a will. There is a danger of almost imperceptible surveillance creep ... like the discovery of the atom or the unconscious, new control techniques surface bits of reality that were previously hidden or didn't contain informational clues. People are in a sense turned inside out, and what was previously invisible or meaningless is made visible and meaningful.
It should also be appreciated that there is a dynamic to the protection of human rights in the area of surveillance. Once one form is subject to legal regulation, failure to control other forms not only becomes morally indefensible, but also in practice undermines the protection granted. This arises from the simple behavioural prediction that, assuming equal effectiveness, measures that can be undertaken free of oversight will be much more attractive to people doing the work than those which are subject to review. (In from the Cold: National Security and Parliamentary Democracy, p 44).
The paper identifies three facets of the individual's reasonable expectation of freedom from intrusion, namely:
In considering the application of the criminal law to the protection of these three overlapping interests, the Committee was guided by the following principles:
Surveillance involving entry to premises
Physical surveillance can be divided into intrusion into private premises and surveillance conducted at large. The paper firstly examines territorial intrusion. While incidental protection is afforded by the common law remedies of trespass to land and nuisance, such protection is essentially an adjunct to property interests. More pertinent is art 17 of the International Covenant of Civil and Political Rights. Both Australia and NZ are parties to this treaty and obliged to periodically report to the Human Rights Committee on compliance efforts. Hong Kong has gone further and incorporated its provisions into its domestic law, although the legislation's survival after 1997 is not assured. The Covenant provides in part that `no one shall be subjected to arbitrary or unlawful interference with his privacy, home, or correspondence'. It adds that `everyone has the right to the protection of the law against such attacks'.
The common law tort of trespass is made out if the defendant enters without lawful justification or consent, even if unaware that he is thereby interfering with another's rights. While attaching criminal sanctions to simple trespass was therefore thought unwarranted, a stronger argument can be mounted for the creation of an offence of entry to private premises with intent to conduct surveillance. Accordingly, the paper proposes that it be an offence for a person to enter private premises as a trespasser with intent to observe, overhear or obtain personal information therein. Regarding the defence of consent of the lawful occupier, it was recognised that in premises such as hotels and hospitals, the victim will be the licensee rather than the owner. It is proposed that legal protection be extended accordingly.
The above proposed offence accommodates technically unaided surveillance. More common is the placement of hidden surveillance devices. As this constitutes a continuing intrusion on private premises, civil trespass provides a remedy upon both discovery of the device and the culprit. However, the Committee thought that, as with listening device legislation, the victim should be provided the assistance of the police in these endeavours. Accordingly, it is proposed that it also be an offence for a person to place, use or service in, or remove from, private premises a sense enhancing, transmitting or recording device without the consent of the lawful occupier. The definition of `devices' is drawn broadly, as regulation should not depend on the perceptual sense employed or medium deployed by the snoop or spy. However, unlike the proposed offence of unlawful entry with intent discussed above, the Committee does not propose that legal protection be extended to licensees. This means that such complex issues as the legitimacy of workplace and shop surveillance are not addressed in this context.
Surveillance at large
In principle, the individual may reasonably expect the protection of his privacy from surveillance activities falling short of entry to, or bugging of, his premises. Surveillance will often be conducted outside private premises, targeting individuals within. Further, in theory protection should not be restricted to the protection from the use of technical devices, but encompass such unsophisticated activities as peering through keyholes or peeping from behind bushes. The literature reveals, however, that both laws and recommendations for reform addressing surveillance at large have a narrower focus than that of protection from intrusive activities generally. References to devices are included in the formulation of a criminal offence of physical surveillance in all the jurisdictions reviewed by the UK Younger Report. So too do the recommendations of law reform agencies, such as the Australian Law Reform Commission. This restricted focus on surveillance by devices is supported by the following considerations:
While limiting the offence to surveillance by devices was thought necessary in imposing effective and sustainable criminal sanctions, the Committee concluded that additional restrictions were necessary. People in a public place must accept that they may be seen and overheard. Further, if an individual is readily observable by others generally (for example, on a street), it is not feasible to prohibit, for example, his being observed by binoculars some distance away. The individual's expectation of privacy in public must therefore acknowledge the risk of being observed, including by means of technical devices. (It is recognised, however, that the recording of such public conduct as protest marches raises additional issues, such as its chilling effect on free speech.) It was accordingly thought necessary to further narrow the scope of an offence addressing surveillance at large.
Perhaps the most systematic recent attempt to develop a general test for regulating surveillance was that of the Younger Committee. It recommended that it be an offence to surreptitiously use a technical device in circumstances in which, were it not for the use of the device, the target would be justified in believing he had protected himself or his possessions (papers, databases etc) from observation or overhearing. The subsequent Calcutt Committee Report declined, however, to follow the test (mainly because of the difficulty in defining the act which it is intended to prohibit). The Calcutt Committee agreed that the imprecise and hypothetical `were it not for' test was undesirable or even unworkable in a criminal provision. This was the apparent price entailed by a flexible test encompassing surveillance of persons on public premises, but nonetheless screening out surveillance of those agreeable to being observed.
The alternative proposed by the consultation paper is to restrict the regulation of devices by reference to the nature of the premises subject to surveillance. Such an approach will usually, but not invariably, accord with the Younger test's focus on reasonable expectations: generally speaking, the individual's expectation of being free from observation or being overheard tends to coincide with being in private premises, particularly in such a crowded place as Hong Kong. The principal advantage of incorporating reference to the nature of premises being targeted is that it provides simplicity and precision as compared with mere reliance on a reasonable expectations test.
Accordingly the Committee proposes that it be an offence for a person to place or use a sense-enhancing, transmitting or recording device outside private premises with the intention of monitoring, without the consent of the lawful occupier, the activities of the occupant or of data held on the premises relating directly or indirectly to the occupant.
Extension to hacking
While an offence in these terms addresses classic surveillance activities involving the covert observation of an individual's behaviour, its reference to surveillance of data extends beyond it. The two concerns are conceptually distinct: classical surveillance directly monitors the physical activities of the individual, whereas data is consciously generated or retrieved by the individual. Also, the monitoring of data is already the province of anti-hacking legislation prohibiting the unauthorised access to a computer program, at least if effected by means of a computer (hacking laws do not usually regulate eavesdropping of a computer's electromagnetic radiation). The Committee argues that although whether the offences dealing with physical surveillance and data surveillance are drafted separately is a technical matter, it is increasingly difficult to distinguish the two concerns, `hence our concern to protect people from intrusion in the broadest sense'.
Part II of this Paper, dealing with telecommunications surveillance, and the Commission's recommendations, will be included in the next issue.
Mark Berthold, a former legal officer of the Commission, researched and drafted the Consultation Paper. He is now co-authoring a book on data protection law in Hong Kong.