Privacy Law and Policy Reporter
Mark Berthold and,Professor Raymond Wacks ,Hong Kong Data Privacy Law: Territorial Regulation ,in a Borderless World ,(2nd Edition) Sweet & Maxwell Asia 2003
Hong Kong Data Privacy Law is the second edition of Data Privacy in Hong Kong (1997). It was inevitable that there was going to have to be a second edition of this book, as the first edition was published in 1997, when the Hong Kong Personal Data (Privacy) Ordinance had barely entered into operation. This new edition of the book takes into account the many decisions of the Privacy Commissioner and appeals therefrom, as well as other recent legal developments in privacy law. As a result, this book is more authoritative than the first edition since the legislation has now had a chance ,to ‘bed down’.
Moreover, this second edition of the book goes above and beyond the call ,of duty, for it extends its discussion ,of personal data law to cover other relevant legislation in Hong Kong, and, as the subtitle to the new edition — Territorial Regulation in a Borderless World — indicates, the book also contains an added international focus that was absent from the first edition. The whole tone of the second edition seems more worldly, clearly showing that there was a great deal of reflection put into its writing. I suspect that in part this was because there was more time to contemplate international and technological developments for the second edition, as the first edition ,was put together very soon after the Ordinance was enacted. Such developments have also assumed greater and more urgent importance since the first edition of this book. ,In particular, the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on ,the Free Movement of Such Data, and national legislation enacted pursuant to it, have come into force and operated for several years. There is also the exponential growth in the usage and uses of the internet, particularly in ,the areas of electronic commerce and e-government. The international setting has evolved markedly from the time when the first edition came out. This book is, therefore, not simply an updated revision of the first edition, but, to all intents and purposes, it is a completely new book. It is also a better book than the first edition, which is praise indeed, given that the first edition was very good.
This second edition is a better produced book and is easier to use as a reference tool. For example, each chapter is divided into numbered paragraphs; the table of contents contains the subheadings for each chapter, which the first edition lacked, so it is easier to find particular topics; and there are footnotes rather than endnotes, which saves one from constantly flipping back and forth between the text and the notes. The index is adequate, but I noted a few problems with the tables in the book. For example, the reader is referred to para 1.72 for the New Zealand case of P v D  2NZLR 591, but there is no mention of it in the corresponding paragraph in the text. It is also unfortunate that the page headings for the Table of Legislation have ‘Table of Cases’ instead, which can be confusing if one forgets about it. These are, however, minor flaws in an otherwise well produced book.
The book is divided into three parts. The first two, ‘Transborder Issues’ and ‘Territorial Regulation’, comprise the bulk of the book. The relatively brief (only one chapter) but quite interesting third and concluding part ,is entitled ‘The Task Ahead’. The Ordinance itself is reprinted in the appendix.
The first part ‘Transborder Issues’ contains four chapters that deal with ,a number of issues that would be of general interest to an international readership. The first chapter, ‘The Right to Privacy’, is introductory to the book as a whole and contains a breathtaking survey of all the subjects relevant to the enterprise. It contains a brief introduction to the legal sources and an overview of privacy and related law in Hong Kong (such as the Basic Law of the Hong Kong Special Administrative Region and the Bill ,of Rights Ordinance), and the relationship of that law to Chinese law; relevant international standards; and, in turn, the relationships between these. There are also interesting but brief discussions of the tension between privacy and freedom of expression; issues introduced by technological developments; and an overview of the legal history of privacy protection.
Chapter 2, ‘The International Exchange of Personal Data’, focuses ,on the effect of the EU Directive on business to business exchanges of personal data in relation to Hong Kong. Chapter 3, ‘Privacy and the Internet’, looks particularly at consumer privacy issues. It contains, for example, advice on drafting website privacy notices. While it refers to the very useful template for such notices that is provided by the Hong Kong Privacy Commissioner’s website, it does not mention the also quite useful OECD ‘privacy statement generator’, an interactive website that enables agencies to develop their own tailor made privacy statements: <http://CS3HQ.oecd.org/scripts/pwv3/PWPart1.htm>. The literature on web privacy and related areas, however, has grown phenomenally in the past few years, so one would not expect too detailed or complete a discussion of this area in such a wide ranging book, at least in relation to international developments and the literature.
I would have been interested to read, for example, whether the authors agree or not with the view of the European Union’s Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, that:
... [t]he European data protection legislation has to be applied to data collected using automated or other equipment located in the territory of ,the EU/EEA ...
and in particular that the EU has jurisdiction over cookies sent from servers located outside Europe to the computer hard drives of European consumers. Thus, the Article 29 Working Party has stated:
If the computer is situated in an EU country and the third party is located outside the EU, the latter shall apply the principles of the national legislation of that Member State to the collection of data via the means of the cookie.
In such a case, according to article 4.2, the controller will also have to designate a representative in the territory of the Member State, without prejudice to legal actions which could be initiated against the controller himself.
The book simply mentions the ‘insistence by the European Union on adherence to its strict privacy standards by all businesses outside the EU that process the personal data of EU citizens’ (para 3.1).
Chapter 4 deals with the common law aspects of data privacy. It is debatable whether or not this chapter truly fits under Part I (‘Transborder Issues’), or whether it might more appropriately have been placed in Part II (‘Territorial Regulation’), but nothing really turns on this. While it is true that the common law applies across a great number of different jurisdictions, it does not really raise anything of a ‘transborder’ nature (in the sense of ‘the international framework regulating the transfer of personal data’: para 1.77) except perhaps for the cross-influence of judicially developed law among common law jurisdictions.
Although Part I of this book deals with a number of topics that are of particular interest to a wider international audience, they are mainly pitched to Hong Kong users of the book. For example, there is not very much on the US inspired privacy tort, since it evidently is not of particular relevance to Hong Kong law, and in ,any case ‘the authors do not endorse,the Zealand decisions on this point’ ,(para 1.72).
Part II of the book, ‘Territorial Regulation’, focuses principally on Hong Kong’s Personal Data (Privacy) Ordinance. This part of the book contains a new chapter (Chapter 5) that deals with other enactments that relate to the regulation of personal privacy in Hong Kong. There is a brief chapter that deals with the rationale behind and the interesting developments leading up to the introduction of the Ordinance (Chapter 6). There follows a series of chapters (Chapters 7 to 16) that discuss the Ordinance and its jurisprudence (together with some overseas parallels) in some detail. It is an extremely useful reference for both Hong Kong based and international researchers wishing to navigate their way around the Ordinance.
Part III of the book, consisting of ,a single chapter entitled ‘The Task Ahead’, brings the book to an appropriate conclusion. In it, the authors, who in their own description ‘have both spent over a decade in the development and application of data privacy legislation’, impart ‘some of the lessons ... learnt from this regulatory challenge’ (p ix). This information is intended to assist ‘the better regulation of personal data in jurisdictions that have not yet legislated and in developing codes in those that have’ ,(p 28). The authors are eminently qualified to do so, as both were closely involved in the preliminary studies, drafting, and application of the Hong Kong privacy legislation.
Mark Berthold was the secretary ,of the Hong Kong Law Reform Commission’s privacy subcommittee and he drafted the report that formed the basis of the Personal Data (Privacy) Ordinance. He was subsequently a legal advisor to the Secretary for Home Affairs to assist the Legislative Council Bills Committee in the process that culminated in the enactment of the Ordinance in 1995. The following year, he was appointed as legal advisor to the Office of the Privacy Commissioner for Personal Data. Professor Raymond Wacks, internationally recognised as a ‘godfather’ of privacy studies, was a former Chairman of the privacy subcommittee of the Law Reform Commission of Hong Kong and was, until recently, a member of the statutory Personal Data (Privacy) Advisory Committee.
The depth of the authors’ knowledge and the richness of their academic and practical experience are much apparent in this excellent book. This is ‘the’ book to get if the reader wants information about data privacy in Hong Kong and related transborder issues, as well as a serviceable account of wider legal, conceptual and practical issues in the area of privacy and data protection.
Paul Roth is Associate Professor in the Faculty of Law at the University of Otago, New Zealand, and a member of the PLPR Editorial Board. This article was written while he was on sabbatical at the University of Melbourne.
 Article 29 Data Protection ,Working Party Privacy on the ,Internet: An Integrated EU Approach ,to On-line Data Protection ,adopted 21 November 2000 (5063/00/EN/FINAL WP 37) ,at p 28.
 As above p 29.