Privacy Law and Policy Reporter
Three years after it was enacted, the Hong Kong Personal Data (Privacy) Ordinance (the Ordinance) remains the most recent information privacy law in the English speaking world, and arguably the best such law in any jurisdiction, nothwithstanding some recent European and Asian competition. This book by Berthold and Wacks provides both a valuable guide to the Hong Kong law and a commentary on its origins and development over a period of more than five years, as well as comprehensive but concise summary of the limited common law privacy protections, which as much as anything provides a reminder of the need for statutory protection.
An accessible guide to the Hong Kong law is particularly valuable to businesses and governments in Australian and other Asia Pacific jurisdictions which do not yet have comprehensive statutory privacy protection. This is because the book shows how the Ordinance has been designed with close attention to 20 years of international experience, resulting in what is coming to be known as ‘light handed’ regulation. There are two main characteristics of this approach as seen in the Ordinance. The first is the deliberate rejection of any bureaucratic and costly registration requirements (while leaving the Commissioner with the power, not yet invoked, to require selective returns). The second characteristic is the provision for Codes of Practice to be developed by or in consultation with particular sectors. The authors point out however that unlike the apparently similar provisions in the NZ Privacy Act, codes of practice under the Ordinance (to date two have been issued — on Consumer Credit Data and on the HK Identity Card Number) supplement but do not replace the statutory principles.
The pragmatic approach to the rules is balanced by a strong monitoring and enforcement regime. The authors explain in detail the complaints processes which can lead to binding determinations and are backed up by criminal offence provisions, as well as the Commissioner’s extensive powers to conduct investigations and inspections and to publish reports.
The other highly significant feature of the HK Ordinance is its provisions concerning inter-jurisdictional transfers of personal data. The authors explain how the Ordinance was partly designed with the trans-border data transfer implications of the European Directive in mind, and deal in detail with the ‘onward transfer’ provision in s 33, which has yet to be commenced. They comment specifically on the precise wording of s 33 which allows for unrestricted transfers to places which have in force a ‘... law substantially similar to .... [the Ordinance]’. As Berthold and Wacks point out, this is more restrictive than the equivalent provision in the EU Directive and does not allow for non-statutory codes or mechanisms, however effective, to satisfy this test. Hong Kong data users wishing to export personal data will therefore be thrown back on one of the other exceptions, such as contract terms, even if the destination jurisdiction, such as the US, Japan or Australia, manages to persuade the Europeans that self-regulatory initiatives provide adequate protection.
The authors qualifications for their self-appointed task are impeccable. Mark Berthold, as Secretary of the HK Law Reform Commission Privacy Sub-Committee, was the main architect of the Commission’s 1994 Report, the proposals of which formed the basis of the Ordinance passed in 1995. He went on to assist in the drafting of the Bill, and became the first Legal Adviser to the Privacy Commissioner for Personal Data. Co-author Raymond Wacks, of the University of Hong Kong, is a recognised international authority on privacy law, was a member of the Sub-Committee and currently serves on the Commissioner’s Advisory Committee. This background gives the authors an ‘insiders’’ perspective which inevitably gives the book a greater value than if it had been written by an outside observer, however expert in the topic.
The structure of the book is clear and straightforward, with chapters largely corresponding to the Data Protection Principles which lie at the heart of the law, and to the ‘machinery’ of compliance monitoring and enforcement. An alternative thematic structure, bringing together the exemptions and experience of enforcement with each Principle in turn, would have some advantages now, but could not readily have been written at the time that this book appeared, since there was very little practical experience to draw on. While the structure does mean, for most purposes, a lot of flipping back and forth between chapters, this is no great chore and at least it is obvious where to find material, even without the help of the comprehensive index.
The application of the Principles and exemptions, and the prospective performance of the Commissioner’s functions, are illustrated extensively by reference to experience under the Australian, NZ, UK and other data privacy laws. While this is useful, readers need to bear in mind that the Hong Kong Commissioner, Administrative Appeals Board and courts will develop their own jurisprudence, which may vary in some significant respects from that of their overseas counterparts. In the absence of much practical experience at the time the book was written, some of the interpretations in the book appear a little pedantic. To the frustration of some lawyers and privacy advocates, Privacy Commissioners tend in practice to adopt a pragmatic and some would suggest overly permissive view of the letter of the law, they would say seeking instead to implement its spirit, but arguably letting data users get away with strictly non-compliant behaviour.
Berthold and Wacks are relatively restrained in commenting on the potential for performance to fall short of promise, although they do cite criticisms from David Flaherty (now the British Columbia Privacy Commissioner) and others to alert readers to this important issue. A second edition commenting more extensively on actual experience under the Ordinance would interesting and will hopefully be forthcoming in due course.
The inclusion of the text of the full text of the Ordinance in an Appendix is valuable, although anyone seeking to apply the law would now also need a range of supplementary guidance material issued by the Commissioner, including the codes of practice. While the individual chapters are well-referenced, a consolidated bibliography would have been a useful addition.
Anyone seeking to understand or apply the Hong Kong Personal Data (Privacy) Ordinance will find this book an invaluable aid, and more broadly it is also instructive for anyone involved in developing information privacy laws or codes, particularly in English speaking countries with a common law tradition.
Review by Nigel Waters.
Note — Author Mark Berthold (firstname.lastname@example.org), a member of the PLPR Editorial Board, has now moved to Australia where he is working as a consultant.