Privacy Law and Policy Reporter
David Banisar and Simon Davies, with contributors
The Global Internet Liberty Campaign (GILC) released a major report in October 1998 titled ‘Privacy and Human Rights — an International Survey of Privacy Laws and Practice’ (see http://www.gilc.org/privacy/survey/). The GILC survey contains both a topical ‘Overview: the State of the World’s Privacy’ and an analysis of the privacy and surveillance laws and practices of 49 nations. This ambitious survey was funded by the Open Society Institute. Its primary authors are David Banisar and Simon Davies of Privacy International, with additional research by Wayne Madsen, Ronnie Breckheimer, Michael Kassner and Shauna van Dongen, and contributions from experts around the world. It is intended to be updated annually.
With GILC’s permission, we include below extracts from the survey dealing with Asian countries. In this issue we cover Hong Kong, India, Japan, South Korea and Malaysia. The next issue will cover the Philippines, Singapore, Taiwan and Thailand. [Graham Greenleaf — General Editor]
Following the Peoples’ Republic of China’s resumption of sovereignty over Hong Kong on July 1, 1997, the constitutional protections of privacy are contained in the Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China. Article 29 provides:
The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident’s home or other premises shall be prohibited.
Article 30 provides:
The freedom and privacy of communi-cations of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communications of residents except that the relevant authorities may inspect communications in accordance with legal procedures to meet the needs of public security or of investigation into criminal offences.
Also relevant is Article 17 of the International Covenant on Civil and Political Rights, which was incorporated into Hong Kong’s domestic law with the enactment of the Bill of Rights Ordinance. Article 39 of the Basic Law provides that the Covenant as applied to Hong Kong shall remain in force and implemented through the laws of Hong Kong.
In 1995, Hong Kong enacted its Personal Data (Privacy) Ordinance and most of its provisions took effect in December 1996. The legislation enacts most of the recommendations made by the Hong Kong Law Reform Commission following its six year comparative study. 
The statutory provisions adopt features of a variety of existing data protection laws and the draft version of the EU Directive is also reflected in several provisions. The Ordinance does not differentiate between the public and private sectors, although many of the exemptions will more readily apply to the former. A broad definition of ‘personal data’ is adopted so as to encompass all readily retrievable data recorded in all media which relates to an identifiable individual. The Ordinance does not attempt to differentiate personal data according to its sensitivity. The processing of personal data must conform to data protection principles based on those of the OECD. The six principles regulate the collection, accuracy, use and security of personal data as well as requiring data users to be open about data processing and conferring on data subjects the right to be provided a copy of their personal data and to effect corrections.
The Ordinance imposes additional restrictions on certain processing, namely data matching, transborder data transfers, and direct marketing. Data matching requires the prior approval of the Privacy Commissioner. The transfer of data to other jurisdictions is subject to restrictions that mirror those of the EU Directive. Also based on the directive is the requirement that upon first use of personal data for direct marketing purposes, a data user must inform the data subject of the opportunity to opt-out from further approaches.
The Ordinance establishes the Office of the Privacy Commissioner to promote and enforce compliance with statutory requirements. The Commissioner is given strong enforcement powers based on those contained in the UK Data Protection Act. In addition to investigating complaints, the commis-sioner may initiate his own investigations of reasonably suspected contraventions. He may also conduct audits of selected data users. A contravention of any provision other than a data protection principle is a criminal offense. A contravention causing the data subject damage (including injured feelings) is a basis for claiming compensation. The Commissioner is empowered to designate classes of data users required to publicly register the main features of their data processing. The Commissioner may issue codes of conduct to provide guidance on compliance with the Ordinance’s necessarily general provisions. The provisions of a code are legally subordinate but have evidential relevance in determining whether a contravention of the Ordinance has occurred. To date the Commissioner has issued two codes: the code on the use of personal identifiers and of credit information.
The interception of communications is presently regulated by the Telecommuni-cations Ordinance and the Post Office Ordinance. These enactments provide sweeping powers of interception upon public interest grounds. The vagueness of the powers and the lack of procedural safeguards are inconsistent with the International Covenant of Civil and Political Rights and the Basic Law. No official figures are released on the number of intercepts, which are believed to be widespread.
A detailed set of reform proposals released by the Hong Kong Law Reform Commission in 1996 resulted in two legislative initiatives. In early 1997, the government released a draft Bill for public consultation regulating the interception of communications. When that initiative stalled, James To, an independent legislator, introduced a private members Bill, the last enactment to be passed by the colonial legislature prior to July 1, 1997. That enactment has never been brought into force and to date the government has declined to indicate when any legislation regulating the interception of communications will take effect.
Hong Kong is an associate member of the Organisation for Economic Co-operation and Development.
The Constitution of 1950 does not expressly recognise the right to privacy. However, the Supreme Court has ruled in a number of cases that there is a right of privacy implicit in the Constitution. The Court ruled in 1996 that wiretaps are a ‘serious invasion of an individual’s privacy’ under Article 21 of the Constitution which states:
No person shall be deprived of his life or personal liberty except according to procedure established by law.
The Court held in 1992 that any information which required disclosure of private matters of a woman’s life cannot be requested.
There is no general privacy law in India. The National Task Force on IT and Software Development, set up by the Prime Minister’s Office in May 1998, submitted an IT Action Plan to Prime Minister Vajpayee in July 1998 calling for the creation of a ‘National Policy on Information Security, Privacy and Data Protection Act for handling of computerized data.’ It examined the UK Data Protection Act as a model and recommended a number of cyber laws including ones on privacy and encryption. The Act is expected to be drafted by the end of 1998.
There is also a right of privacy guaranteed by Indian laws. Unlawful attacks on the honor and reputation of a person can invite an action in tort and/or criminal law. The Public Financial Institutions Act of 1993 codifies India’s tradition of maintaining confidentiality in bank transactions. A draft Freedom of Information Bill is expected to be introduced in the fall session of Parliament.
Wiretapping is regulated under the Indian Telegraph Act of 1885. An order for a tap can be issued only by the Union home secretary or his counterparts in the States. A copy of the order must be sent to a review committee directed to be set up by the High Court. Tapped phone calls are not accepted as primary evidence in India’s courts. There have been numerous phone tap scandals in India, resulting in the 1996 decision by the Supreme Court which required the government to promulgate rules regulating taps. However, illegal wiretapping by government agencies appears to be continuing. According to prominent non-government organisations, the mail of many NGOs in Delhi and in strife-torn areas continues to be subjected to interception and censorship.
Article 21 of the 1946 Constitution states:
Freedom of assembly and association as well as speech, press and all other forms of expression are guaranteed ... (2) No censorship shall be maintained, nor shall the secrecy of any means of communication be violated.
Article 35 states:
The right of all persons to be secure in their homes, papers and effects against entries, searches and seizures shall not be impaired except upon warrant issued for adequate cause and particularly describing the place to be searched and things to be seized ... (2) Each search or seizure shall be made upon separate warrant issued by a competent judicial officer.
The 1988 Act for the Protection of Computer Processed Personal Data Held by Administrative Organs governs the use of personal information in computerised files held by government agencies. It is based on the OECD guidelines and imposes duties of security, access, and correction. Agencies must limit their collection to relevant information and publish a public notice listing their files systems. Information collected for one purpose cannot be used for a purpose ‘other than the file holding purpose.’ The Act is enforced by the Government Information Systems Planning Division of the Management and Co-ordination Agency. The Prefecture of Kanagawa also has legislation that protects privacy in both the public and private sectors.
In June 1998, then-Prime Minister Ryutaro Hashimoto announced that he had signed an agreement with US President Clinton for self-regulation for privacy measures on the Internet except for certain sensitive data:
If data in a certain industry is highly confidential, legal methods can be considered for that industry.
On March 4, 1997, the Ministry of International Trade and Industry (MITI) issued Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector. In February 1998, MITI established a Supervisory Authority for the Protection of Personal Data to monitor a new system for the granting of ‘privacy marks’ to businesses committing to the handling of the personal data in accordance with the MITI guide-lines, and to promote awareness of privacy protection for consumers. The ‘privacy mark’ system was introduced on 1 April, and is administered by the Japan Information Processing Development Center (JIPDEC) — a joint public/private agency. Companies that do not comply with the industry guidelines will be excluded from relevant industry bodies and not granted the privacy protection mark. It is assumed that they will then be penalised by market forces. However, in addition, the new Supervisory Authority will investigate violations and make suggestions as necessary to the relevant administrative authorities.
Wiretapping is considered a violation of the Constitution’s right of privacy and has only been authorised a few times. An anti-crime bill that would legalise wiretapping (Tochoho) is currently pending in the Diet. The Bill would give police the authority to tap telephone lines and eavesdrop on computer telecommunications, including email. It is being opposed by the Federation of Bar Associations.  In June 1997, the Tokyo High Court upheld a lower court’s finding that the Kanagawa Prefectural Police had illegally wiretapped the telephone at the home of a senior member of the Japanese Communist Party. The court imposed a fine of four million yen. 
There is also considerable activity on privacy in the Diet. A Bill to amend the Residents Registry Law (Jumin Kihon Taichoho) has been introduced into the Diet. This would allow centralised control by the Ministry of Home Affairs of information on residents currently held by local governments and the creation of a 10 digit number for all residents. A government committee recommended that a new law be enacted to protect credit reports in July 1998 [fn 289]. Japan’s Ministry of Posts and Telecommunications (MPT) announced plans in June 1998 to study privacy in telecommunications services, establishing a study group to look into the matter. There is also a controversial Bill relating to medical records pending.
The National Police Agency has operated a comprehensive video surveillance system called the ‘N-system’ with 400 locations on expressways and major highways throughout the country, which has been automatically recording the license plate number of every passing car for the last 11 years. Whenever a ‘wanted’ car is detected, the system immediately issues a notice to police. Eleven motorists filed a lawsuit challenging the system in 1997.
Japan is a member of the Organisation for Economic Cooperation and Development (OECD) and a signatory to the OECD Guidelines on Privacy and Transborder Dataflows.
The Constitution provides for protection of privacy and secrecy of communications. Article 16 states:
All citizens are free from intrusion into their place of residence. In case of search or seizure in a residence, a warrant issued by a judge upon request of a prosecutor has to be presented.
Article 17 states:
The privacy of no citizen may be infringed.
Article 18 states:
The secrecy of correspondence of no citizen may be infringed.
The Act on the Protection of Personal Information Managed by Public Agencies of 1994 sets rules forthe management of computer-based personal information held by government agencies and is based on the OECD privacy guidelines. Under the Act, government agencies must limit data collected, ensure their accuracy, keep a public register of files, ensure the security of the information, and limit its use to the purposes for which it was collected. The Act is enforced by the Minister of Government Administration. The Ministry of Commerce, Industry and Energy (MCIE) is seeking the enactment of a Basic Law for Electronic Commerce in 1998. In May 1998, it proposed a set of guidelines for electronic commerce legislation, including protecting privacy in the digital trade environment.
Wiretapping is regulated by the Communications Privacy Act. Under previous administrations, there were widespread surveillance and wiretapping abuses by intelligence and police officials. In January 1997, a law was approved that granted new powers to the Agency for National Security Planning, also known as the Korean CIA. Amnesty International protested the increased powers, noting that the ANSP had:
... been responsible for the surveillance, arbitrary arrest, torture and ill-treatment of political suspects and it lacks accountability for its actions.
The United Nations Human Rights Committee recommended in 1995 that the National Security Law be repealed.
Credit reports are protected by the Act Relating to Use and Protection of Credit Information of 1995. Postal privacy is protected by the Postal Services Act.
In 1997, the government announced the creation of an Electronic National Identification Card Project. The card is based on a smart card system and according to a local human rights group will include:
... universal ID card, driver’s license, medical insurance card, national pension card, proof of residence, and a scanned fingerprint, among other things.
The government was scheduled to issue cards to all citizens by 1999. On November 17, a law on the ID card project passed the National Assembly. In December 1997, Kim Dae Jung won the Presidential election. He had publicly opposed the ID card project in his campaign and it appears to have stopped. However, activists believe that government agencies are continuing to push for the proposals quietly.
South Korea is a member of the Organisation for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The Constitution of Malaysia does not specifically recognise the right to privacy.
The Ministry of Energy, Tele-communications and Posts is drafting a Personal Data Protection Act which will create legal protections for personal data. Minister Datuk Leo Moggie said the Act would also cover the security of personal data in relation to the implementation of an electronic network. He told the Dewan Rakyat (House of Representatives) in July 1998 that the Act will be tabled in Parliament by the end of the year.
In July, the House approved the Communications and Multimedia Bill, which has several sections on telecommunications privacy. Section 234 prohibits unlawful interception of communications. Section 249 sets rules for searches of computers and includes access to encryption keys. Section 252 authorises police to intercept communications without a warrant if a public prosecutor considers that a communications is likely to contain information which is relevant to an investigation.
Several other laws relating to technology have recently been approved, including the Digital Signature Act 1997 and the Computer Crime Act 1997. Section 8 of the Computer Crime Act allows police to inspect and seize computing equipment of suspects without a warrant or any notice. The suspect is also required to turn over all encryption keys for any encrypted data on his or her equipment. Malaysia’s Banking and Financial Institutions Act 1989 Pt XIII also has provisions on privacy.
Police detained four people under the Internal Security Act on suspicion of spreading rumors of disturbances in Kuala Lumpur in August 1998. Inspector-General of Police Tan Sri Abdul Rahim Noorsaid told the media then that the suspects were detained after police tracked their activities on the Internet with the assistance of Internet service provider Mimos Berhad. The provider said later that it did not screen private email.
David Banisar and Simon Davies, Privacy International with contributors.
36. http://www.kimsoft.com/korea/nsl-en.htm (unofficial English translation). Commission on Human Rights, Question of the Human Rights of All Persons Subjected to Any Form of Detention or Imprisonment, E/CN.4/ 1996/39/Add. 21 November 1995. (http://www.unhcr.ch/unhcr/refworld/un/chr/chr96/country/39-add1.htm).  Act Relating to Use and Protection of Credit Information, Law No 4866, 5 Jan 1995. http://www.visas-usa.com/korealaw/library/cinfo-a-trn.htm. Enforcement Decree for the Act Relating to Use and Protection of Credit Information (http://www.visas-usa.com/korealaw/library/cinfo-d-trn.htm).  Amended by Law No2372, 16 December 1972; Law No3602, 31 December 1982 (http://www.mic.go.kr/english/intro/rule/post12.htm).
40. http://kpd.sing-kr.org/idcard/main-e.html. Joohoan Kim, Ph D, ‘Digitised Personal Information and the Crisis of Privacy: The Problems of Electronic National Identification Card Project and Land Registry Project in South Korea’ (http://kpd.sing-kr.org/idcard/joohoan2.html).  Constitution of Malaysia (http://star.hsrc.ac.za/constitutions/constmalcont.html).
43. http://www.skali.com.my/today/gen/199807/22/gen19980722_02.html. Communications and Multimedia Bill 1998 (http://www.kttp.gov.my/mm/multimedia.htm).  Digital Signature Bill 1997 (http://www.cert.org.my/digital.html).  Computer Crimes Bill 1997, http://www.cert.org.my/crime.html.  ‘Rumours over Internet: Four to be charged soon’, NST, 24 September, 1998.  ‘E-mail not screened, says service provider’, The Straits Times, 17 August, 1998.