University of New South Wales Faculty of Law Research Series
Last Updated: 14 May 2012
Hong Kong’s privacy enforcement: Issues exposed, powers lacking
Graham Greenleaf, Professor, University of New South Wales
Robin McLeish, Barrister, Gray's Inn, London, and Hong Kong SAR
This paper was published at Privacy Laws & Business International Report, Issue 116: 25-28, April 2012. This paper may also be referenced as UNSWLRS 15.
This article concerning the Hong Kong SAR is the second in a series surveying significant recent examples of data privacy enforcement actions in the Asia-Pacific. Hong Kong’s Privacy Commissioner for Personal Data (the PC) does not have any power under the Personal Data (Privacy) Ordinance (the Ordinance) to award compensation or order other remedies. His most significant legal power is the power to serve an enforcement notice when he concludes that a data user is likely to repeat or continue a contravention of the Ordinance. Where a suspected breach of the Ordinance may constitute a criminal offence he may refer the matter to the Police and the Department of Justice for investigation and prosecution. Where the PC completes investigations of more serious cases of breaches of the Ordinance, it is now common for him to issue detailed reports on the outcomes under s48(2), and in 2010 and 2011 he issued thirteen such reports.
One of the s48(2) reports issued in 2010 was on the ‘Octopus’ case, which involved the transfer of personal data of users of the widely-used Octopus contactless-card payment system to third-parties for direct marketing purposes. The PC issued s48(2) reports in June 2011 in respect of four of the bank cases in which he named the banks, and announced that such naming ‘will henceforth be adopted for all investigation reports published under section 48(2) of the Ordinance’, subject to certain exceptions. He is the first personal data authority in the Asia-Pacific to explicitly adopt ‘naming and shaming’ of data users found to have been in breach as a means of promoting compliance with personal data legislation.
This article examines a wide variety of s48(2) reports: the CITIC Bank case, where there was mass infringement but no real penalty; and reports on data retention, on excessive fees for data access, on disclosure of details of a debtor’s relatives, on unfair collection practices and improper use of public register information, and on covert monitoring found to be unfair collection. Other than in the debt collection case, the PC did not serve an enforcement notice in any of these cases because he was not of the opinion that the breaches he found had occurred in circumstances that made it likely they would continue or be repeated.
The most recent s48(2) reports relate to “paparazzi” style photo journalism using systematic surveillance and telescopic lens photography to take clandestine photographs of TV personalities within their private residences. In both cases, the PC found that the taking of the photographs amounted to collection of their personal data by unfair means contrary to DPP1(2). He served enforcement notices directing the magazines to remedy their contraventions and the matters occasioning them. The details of the enforcement notices are, however, omitted from the published versions of the PC’s reports. The two magazines have appealed to the Administrative Appeals Board.
The article also examines a number of criminal prosecutions resulting from breaches of the Ordinance which have resulted in small fines. The PC commented that ‘the current level of fine is too low to be of deterrent effect, especially for organizational data users’. The overall conclusion is that the PC is tackling a wide variety of compliance issues in spite of the limitations on his formal powers of enforcement, and the absence of powers to order compensation or other remedies, as well as the inadequate penalties imposed by Courts.
This article is the second in a series surveying significant recent examples of privacy enforcement actions, in the Hong Kong SAR, most occurring in 2011. The next article in the series will cover the other Chinese-speaking Asian jurisdictions: Taiwan, Macau and the People’s Republic of China.
‘Name and shame’ strengthens inadequate powers
Hong Kong’s Privacy Commissioner for Personal Data (the PC) does not have any power under the Personal Data (Privacy) Ordinance (the Ordinance) to award compensation or order other remedies. His most significant legal power is the power to serve an enforcement notice when he concludes that a data user is likely to repeat or continue a contravention of the Ordinance. The PC also has powers to issue reports on recommendations arising from inspections of personal data systems and on the results of investigations into breaches of the Ordinance. In addition, where the PC comes across a suspected breach of the Ordinance that may constitute a criminal offence he may refer the matter to the Police and the Department of Justice for investigation and prosecution. In the two calendar years 2010 and 2011 the PC issued thirteen such investigation reports under s48(2) of the Ordinance (five in 2010 and eight in 2011).
One of the s48(2) reports issued in 2010 was on the ‘Octopus’ case, which involved the transfer of personal data of users of the widely-used Octopus contactless-card payment system to third-parties for direct marketing purposes. Around the time the Octopus case blew up in 2009, the PC commenced investigation into fourteen similar cases, eight of which involved telecommunications companies, five involved banks and one involved an insurance company. The PC issued s48(2) reports in June 2011 in respect of four of the bank cases in which the PC named the banks concerned (Citibank (Hong Kong) Limited, Fubon Bank (Hong Kong) Limited, Industrial and Commercial Bank of China (Asia) Limited and Wing Hang Bank Limited) and announced that:
‘This practice of naming the organizational data user which has contravened the requirements under the Ordinance will henceforth be adopted for all investigation reports published under section 48(2) of the Ordinance, subject to the following exceptions: (i) it is against Hong Kong’s public interests such as security, defence or international relations; (ii) it will prejudice the investigation or detection of crime; or (iii) there are other legislative requirements prohibiting publication and identification of the relevant data users in particular cases.’
Explaining the rationale for this new practice, the PC commented, ‘We hope that the practice of naming data users will invoke the sanction of public scrutiny. In turn it will serve to encourage compliant behaviour by data users concerned and related parties.’
The PC is the first personal data authority in the Asia-Pacific to explicitly adopt ‘naming and shaming’ of data users found to have been in breach as a means of promoting compliance with personal data legislation. However, in order for a data user to be ‘named and shamed’ it must have committed a breach of the Ordinance that the PC considered serious enough for the issuing of a s48(2) report, rather than a brief case note or summary, and the case must not fall within any of the exceptions he has laid down.
The CITIC case: mass infringement, no real penalty
In December 2011 the PC issued a fifth s48(2) report on the transfer of customer data by a bank to third parties for direct marketing. This disclosed that CITIC Bank International Limited (CITIC) had transferred personal data of around 90,000 of its account or credit card customers to insurance companies in the previous five years. The personal data that had been transferred included name, gender, phone number, address, date of birth, partial HK ID number, marital status, partial account number, account type, partial credit card number, card type, number of months lapsed since becoming a customer of CITIC, and whether the customer was a holder of any existing policy of the insurance companies concerned.
The PC concluded CITIC had not taken all practicable steps to ensure that on or before the collection of the personal data from its customers, the customers had been explicitly informed of the classes of persons to whom the data might be transferred as required by the notification data protection principle of the Ordinance (DPP1(3)). He further concluded that such arrangements constituted in substance the sale of personal data by CITIC for monetary gain. Since this purpose of use of the customers’ personal data was not stated in the notice given by CITIC at the time of collection the PC considered it fell outside the purpose for which CITIC had collected the data concerned (the Collection Purpose), and was not for a purpose directly related to the Collection Purpose (having regard to the reasonable expectations of the customers) or done with the customers’ express consent (as required by the Ordinance if personal data are to be used for a purpose other than, or not directly related to, the Collection Purpose). Accordingly, the PC concluded that CITIC had contravened the use limitation principle (DPP3) as well as the notification principle (DPP1(3)).
In spite of the PC’s finding of breaches of two data protection principles in relation to 90,000 customers, no enforcement notice was served on CITIC: since CITIC had ceased all programmes and activities involving the transfer of customer data to unconnected third parties for marketing purposes, all such data as had been transferred had been destroyed, and CITIC had given undertakings as to future compliance with the Ordinance, the PC considered repeat contraventions by CITIC unlikely. There is also no suggestion in the report that CITIC disgorged the revenue obtained from these programmes and activities by making a payment to a charitable organisation, as occurred in the Octopus case, or otherwise.
Wide variety of cases investigated by the PC
Other s48(2) reports issued by the PC since the beginning of 2010 illustrate the wide variety of cases investigated by the PC.
Other than in the debt collection case, the PC did not serve an enforcement notice in any of the cases summarised above because he was not of the opinion that the breaches found by him had occurred in circumstances that made it likely they would continue or be repeated.
Taking on the media
So far in 2012 the PC has issued four s48(2) reports, the most recent of which are two s48(2) reports (both issued on 28 March 2012) that relate to “paparazzi” style photo journalism using systematic surveillance and telescopic lens photography to take clandestine photographs of TV personalities within their private residences. The first of these cases involved the publication by Sudden Weekly of photographs of a male TV personality within his flat in a state of undress. His flat was on a high floor of a building that was not exposed to public view with unassisted vision. In the second case, Face Magazine published pictures of an unmarried male and female TV personality engaged in acts of daily life and intimacy within a flat that faced a hillside some distance away.
In both cases, the PC found the individuals concerned would not reasonably expect that they would be photographed within their homes and that the taking of the photographs amounted to collection of their personal data by unfair means contrary to DPP1(2) of the Ordinance. The PC commented, ‘An individual should be protected from unwarranted intrusion to his/her personal life, irrespective of his/her social status and occupation. The complainants in question should not be deprived of this privacy right just because they are TV artistes.’
The PC dismissed public interest justifications for the publication of the photographs based on the magazines’ claims the photographs demonstrated that denials of cohabitation by the TV personalities concerned were untrue, saying ‘the state of cohabitation or otherwise is an individual’s sensitive personal data which he or she is under no obligation to divulge to others.’ Further, the ‘disproportionate use of lurid and sensational photos by the two magazines casts grave doubt on their contention that they have acted in the public interest rather than to satisfy readers’ curiosity of the private lives of the artistes concerned.’
Whereas in the cases summarised above no enforcement notices were served due to the absence of a threat of continued or repeated breaches of the Ordinance (other than in the debt collection case), in these cases the PC served enforcement notices directing the magazines to remedy their contraventions and the matters occasioning them. The details of the enforcement notices are, however, omitted from the published versions of the PC’s reports.
The matter may not rest there since the two magazines have appealed against the issuing of enforcement notices against them to the Administrative Appeals Board.
Broad scope but small fines
Investigations and prosecutions of criminal offences under the Ordinance are carried out by the Police and the Department of Justice. Such investigations are usually undertaken as a result of referrals by the PC, but he has to act quickly because of the default 6-month limitation period applicable to summary offences. In recent years, the PC has successfully fostered improved understanding with the Police and the Department of Justice in order to increase the number of successful prosecutions.
Two examples of recent successful prosecutions are as follows.
The PC commented about each of these cases that ‘it is believed that it represented only the tip of an iceberg. ... This also reflects that the current level of fine is too low to be of deterrent effect, especially for organizational data users. The PC expects that through legislative amendment the Administration’s proposal of increasing the penalty to $500,000 and imprisonment for 3 years will cause more deterrent effect’. Hong Kong’s Legislative Council has not yet enacted this legislation.
The overall conclusion to be drawn from the enforcement actions that have been surveyed in this article is that the PC is tackling a wide variety of compliance issues in spite of the limitations on his formal powers of enforcement and absence of powers to order compensation or other remedies.
See Greenleaf G and Evans K ‘Privacy enforcement strengthens in Australia & New Zealand’ (2012) 115 PLBIR 8-13
By ‘significant examples of privacy enforcement actions’ we mean as follows. First, the action results from complaints to an authority/Court, or 'own motion' actions by an authority responding to a specific situation. (General investigations or reform proposals by authorities are not included.) Secondly, the authorities concerned could be Data Protection Authorities/Privacy Commissioners but they could also be telecommunications regulators, financial regulators, government agencies and so on. Independent industry self-regulatory bodies could also be included. Court or Tribunal decisions of any type are also included. Third, the result is a significant remedy for an individual; or a remedy for a group of people; or a significant change in the interpretation of the law; or a significant change in business/government practices.
See Greenleaf, G ‘Country Studies: B.3 - Hong Kong (Information privacy in Hong Kong)’, Comparative Study On Different Approaches To New Privacy Challenges, In Particular In The Light Of Technological Developments, D. Korff, ed., May 2010, at <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2025550>
Section 48(2) reports may be found at <http://www.pcpd.org.hk/english/publications/invest_report.html>
See Greenleaf, G ‘Octopus scandal exposes Hong Kong privacy deficiencies’ Privacy Laws & Business International Newsletter Issue 108, December 2010
The PC’s s48(2) reports are at <http://www.pcpd.org.hk/english/publications/invest_report.html>
The bank is not named in this s48(2) report, which predated the public announcement of the PC’s ‘naming and shaming’ practice.
Neither the finance company nor the debt collection agency is named in this s48(2) report, which predated the public announcement of the PC’s ‘naming and shaming’ practice.
By virtue of s65(2) of the Ordinance.
As required by s50(1)(b) of the Ordinance before an enforcement notice may be served on a data user found to have breached a requirement of the Ordinance.
See McLeish R and Greenleaf, G ‘Reform of Hong Kong’s Privacy Ordinance After 15 Years’, Privacy Laws & Business International Report, Issue 113, pp. 15-17, October 2011, available at <http://papers.ssrn.com/abstract_id=1972669>