Page 1: Privacy law in Hong Kong: An overview Professor Graham Greenleaf g.greenleaf@unsw.edu.au Topic 1 - January 2005.

Privacy law in Hong Kong: An overview

Professor Graham Greenleaf g.greenleaf@unsw.edu.au

Topic 1 - January 2005

Overview of HK privacy law

- General law protection of privacy
  - Constitutional
  - Torts - common law and statutory
  - Breach of confidence
- Data protection laws - Personal Data (Privacy) Ordinance
  - Data Protection Principles (DPPs)
  - Exceptions
  - Enforcement
  - Relevant international standards

HK Privacy Resources

- Berthold & Wacks Data Privacy Law in Hong Kong - 2nd Ed (2003)
- HKLRC Report Civil Liability for Invasion of Privacy (2004)
- Personal Data (Privacy) Ordinance
- Summaries of the Ordinance
  - M Berthold’s article (1995) 2 PLPR 164
  - R McLeish’s ‘country report’ (1999)
- Web site of the Privacy Commissioner for Personal Data, particularly:
  - Enquiries, complaints and AAB appeals
  - Annual reports
  - Guidelines to DPPs still being developed

General law on privacy

Why is special privacy legislation needed?

- Constitutional protection
- ‘Privacy torts’
- Other tortious protection
- Breach of confidence

Constitutional law (I)

- ICCPR A17(1): ‘No one shall be subjected to arbitrary or unlawful interference with his privacy,…’ (UK acceded for HK)
- A39 Basic Law in effect entrenches ICCPR as part of Hong Kong law; legislation cannot be inconsistent with the ICCPR
- HK Bill of Rights Ordinance A14 gives this a statutory basis; but this only gives a right of defence against State actions (cf US Bill of Rights)

Constitutional law (II)

- A28 Basic Law: 'The freedom of the person of Hong Kong residents shall be inviolable. …. Arbitrary or unlawful search of the body … shall be prohibited'
- A29 Basic Law: 'The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident's home or other premises shall be prohibited.'
- All are little tested as yet, but European Court of Human Rights and US Bill of Rights decisions may be relevant (weaker than 1st Amendment)
  - Eg US SC 2001 - thermal imaging violated search and seizure

‘Privacy torts’ (i)

- Since Warren and Brandeis’ “The Right to Privacy” (1890) US law has developed 4 ‘privacy torts’: 'intrusion', 'public disclosure of private facts', 'appropriation' and 'false light' torts
- Many common law jurisdictions have not followed.
- HK Law Reform Commission recommended (2004) statutory versions of ‘intrusion’ and ‘public disclosure’ torts (partly to comply with ICCPR A17).
- HKLRC was due to report 2002 on surveillance in public places

‘Privacy torts’ (ii)

- Common law courts are undecided on an explicit ‘privacy tort’:
  - UK - Wainwright [2004] P required to undress to visit prisoner - HL held no intrusion tort in UK common law
  - NZ - Hosking v Runting [2004] - NZ CA held there is a disclosure of private facts tort in NZ common law
  - Australia - Lenah v ABC [2001] HCA 63 - Information obtained by trespassers in a possum abattoirs; restraint on media publication sought
    - HC refused to restrain publication because no breach of confidence; unlawful obtaining of information not sufficient
    - 6/7 HC Js considered the question of a tort of invasion of privacy still open - but not in this case

Other piecemeal torts

- All existing torts have significant defects in protecting privacy
- Defamation
  - Requires falsity; qualified privilege does not require fair practices; expensive
- Negligence
  - Liability for negligent statements is very limited - even more so to 3rd parties
  - Eg Sullivan v Moody [2001] HCA 59 - investigators of sexual assault did not owe duty of care to one parent concerning information about the other

Breach of confidence

- Three elements (Coco v Clarke)
  - Information having the quality of confidence
  - Disclosure under circumstances of confidence
  - Unauthorised use (including disclosure)
- Scope of relationships covered is uncertain
  - Duty uncertain for most modern commercial relationships
- Duty only owed to the discloser of the information
  - No duty owed to the ‘data subject’ per se (see Fraser v Evans [1969] 1 QB 349)
- Third party recipients of information will owe a duty once they become aware of the original circumstances of confidence

BOC - ‘Improperly obtained information’

- Breach of confidence is expanding to cover (unconscionable?) ‘obtaining’ of information
  - Franklin v Giddens [1978] 1 Qd R 72 (Qld SC) - theft of budwood from orchard gave rise to BoC action
  - Campbell v MGN [2004] HL - Naomi Campbell filmed leaving Narcotics Anonymous meeting (ie in a public place); breach of confidence (disclosure of NA attendance) by a person unknown (assumed to be her staff or NA staff) was enough to make the Mirror liable as 3rd P for photographing.

Data protection laws

- Since 1970 (Swedish Data Act), all European countries have enacted data protection laws based on:
  - ‘information privacy principles’ (IPPs)
  - A Data Protection/ Privacy Commissioner
- NZ, Aust, Canada, and HK also: an Asia-Pacific approach of common law countries
- Civil law countries (Taiwan, Japan) have not adopted Privacy Commissioner approach, but Korea has a central complaint mediation body

Information privacy principles in the information system lifecycle (derived from a diagram by Roger Clarke)

[Diagram. Labels: Individual concerned; 3rd parties; Collection; Processing; Storage; Destruction; Use; Disclosure; Subject access & correction; Public knowledge; System justification]

Data protection as a bundle of rights

| Information privacy law | Copyright law |
| --- | --- |
| No simple definition | No simple definition |
| ‘Bundle of rights’ eg access, correction, fair collection, ‘finality’, security | ‘Bundle of rights’ eg control copying, performance etc, ‘make available’, fair attribution |
| Subject matter is ‘personal information’ (‘about’ a person) | Subject matter is ‘expressions’ (‘by’ a person) |
| Holder is the subject of the information | Holder is the author/creator of the information |

Data surveillance laws

data protection laws

HK’s privacy Ordinance

- Personal Data (Privacy) Ordinance (PDPO)
- Schedule 1 - Data Protection Principles
- Key concepts
  - "data" means ‘any representation of information (including an expression of opinion) in any document, and includes a personal identifier;’ (s2)
    - Q: requirement to show an ID card to enter a building
    - Q: a video camera in a lift
    - Distinguishes surveillance from data protection
  - “personal data” ….

International standards

- OECD privacy Guidelines (1980)
  - Basis of many national laws
  - Allowed but attempted to limit data export restrictions
- EU privacy Directive (1995)
  - Higher standard, basis of revisions of European national laws
  - Required data export restrictions
- APEC Privacy Framework (2004)
  - Are its standards ‘OECD Lite’?
  - Position on data export restrictions uncertain

‘Personal data’

- "personal data" means ‘any data - (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable;’ (s2)
  - Other information may be used to identify
  - What is practicable changes with technology
  - What is practicable depends on the holder
- Q: Consider CCTV tapes and web cams
- Eastweek [2000] HKCA 186 - CA majority held intention to identify required
  - Contrary view: capacity to identify is sufficient

DPP1 - Collection limitation

- DPP1(1) - for a lawful purpose and not excessive
  - Not a general ‘legitimate purpose’ requirement
- DPP1(2) - by means lawful and fair
  - Unlawful surveillance also breaches DPP1
- DPP1(3) - if collected from the data subject, notice is given of obligations, purposes, intended disclosures, and rights
  - Includes unsolicited information but only at the point of retention
  - Not if from observation of the person (surveillance law may apply)

What types of obtaining information are ‘collection’?

- Information solicited from another person
  - Is covered (whether from data subject or 3rd parties)
- Unsolicited information
  - Is covered (whether from data subject or 3rd parties), but may only be collection at point of retention
- Information obtained from observations ('surveillance') of the data subject;
  - Is covered, on a purposive construction
- Information extracted from documentary or other sources
  - Is covered, on a purposive construction
- Collection may be in any medium

DPP1 - Collection limitation

- DPP1(1) - for (i) a lawful purpose (ii) relevant to functions of collector and (iii) not excessive
  - Not a positive ‘purpose justification’ requirement
  - Allows private sector organisations wide latitude to define their purposes
- Some special cases:
  - Credit reporting Code revised (2003) to allow ‘positive’ reporting
  - Workplace monitoring Code not yet completed

DPP1 - Collection limitation

- DPP1(2) - by means lawful and fair
  - Purpose may be lawful, but means unlawful/unfair
  - Deception, trickery, undue pressure will be unfair
  - Unlawful surveillance also breaches DPP1
  - Legal but covert surveillance may be unfair
    - HKPCO examples of surveillance of domestic helpers, secret recording of staff or customers
  - No requirement of consent to collect, only fairness

DPP1 - Collection limitation

- DPP1(3) - if collected from the data subject, notice is given of obligations, purposes, intended disclosures, and rights
  - Does not include where collected from 3rd parties
  - Includes unsolicited information but only at the point of retention
  - Not if from observation of the person (surveillance law may apply)
  - Not if collection from documentary sources
- Notice of purposes is vital
  - In setting limits of use/disclosure
  - In discouraging excess collection
  - In putting data subjects on notice of potential abuses

DPP3 - Use/ disclosure limitation

- Data can only be used / disclosed in 4 ways:
  - (i) For the purpose for which it was collected;
    - DPP 1 allows fairly broad purposes; note DPP 1(3)
  - (ii) For a directly related purpose;
    - Direct marketing ‘opt out’ exception (s34)
  - (iii) With ‘prescribed consent’;
    - ‘express consent given voluntarily’ (s2(3))
    - Narrower than implied consent allowed in Aust/NZ - cannot include a failure to opt out
  - (iv) Subject to exceptions (eg s58 law enforcement)
- Disclosure can be verbal or by inspection
- Can mere inspection be ‘use’? (B&W - ‘yes’)

DPP3 - Use/ disclosure limitation

- Are recipients tied to the same purpose as the proper purposes of the discloser?
  - Best answer is that collection must be by ‘fair’ means (DPP 1(2)) - fairness is an objective test in relation to data subject
  - This covers both legitimate disclosures (wider purposes of collection unfair), and illegitimate disclosures (any collection unfair)
  - Necessary answer to support the policy of the Ordinance
  - Once unlawfulness of discloser is known, collector’s use may also be a breach of confidence (‘unlawfully obtained info’)
- Common complaint: Disclosure was within purpose of collection, but notice was not given under DPP 1(3)
  - Eg Disclosure of skating competitors OK as a purpose of collection, but no DPP 1(3) notice given

DPPs - Disclosure and data exports

- DPP 3 does not prevent overseas transfers
- S33 only Ordinance provision not in force
- Privacy Commissioner ‘Exploratory survey’ began 2004

DPP2 - Data quality & retention

- DPP2.1 - Accuracy in relation to purpose of use
  - Does not specify ‘complete’ or ‘up-to-date’
- DPP 2.2 - Data retained no longer than necessary
  - ‘shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used’
- s26 - Erasure of personal data no longer required, except where:
  - (a) prohibited under any law; or
  - (b) non-erasure is in the public interest

DPP4 - Security

- ‘All practicable steps … to ensure … protected against unauthorized or accidental access, processing, erasure or other use’
- Possibilities
  - If hackers access data, data user may be liable for inadequate security
  - Mailouts in error of sensitive data may breach DPP4

DPP5 - Information generally available

- Rights to obtain information not restricted to data subjects (contra DPP 6), allowing anyone to:
  - "(a) ascertain a data user's policies and practices in relation to personal data;
  - (b) be informed of the kind of personal data held by a data user;
  - (c) be informed of the main purposes for which personal data held by a data user are or are to be used."
- ‘Openness’ principle which should be important to the media and community organisations

DPP6 - Access & correction

- DPP6 - Access and correction rights
  - Right to access and correct your own data
- Exceptions to access (Pt VIII)
  - Many exceptions apply (see Berthold summary)
  - Exemptions relate to data, not specific data users
  - Privacy Commissioner can access on reasonable grounds (s38), as an intermediary
- Problem: correction is tied to right of access

Enforcement of the DPPs

- Enforcement notices (s50)
  - PC can issue, requiring contraventions to be remedied (4 in 2000), or warning notices (21)
  - Failure to comply is a criminal offence
  - No systematic publication of these serious complaints
  - S48 allows PCO to issue formal reports naming data users (but not others), but has only done so once
- Appeals (s50(7)) to Admin. Appeals Board
  - Either complainant or data user can appeal
  - No further right of appeal to a Court against AAB decision, only judicial review

Enforcement of the DPPs (II)

- Compensation (s66) only by separate Court proceedings, not by PC
  - Only 1 reported case, and it was dismissed
  - PCO cannot award damages (contra Australia)
  - HKLRC recommends PC be able to assist complainants
- Criminal offences
  - S64 creates criminal offences by data users
    - Supplying false information
    - Contravening matching requirements, enforcement notices, or any other provision of the Ordinance
  - S64 creates offences by other persons
    - Supplying false information
    - Hindering Commissioner’s investigations

Enforcement of the DPPs (III)

- Judicial review of PC decisions (2 in 2003)
- Other duties of Privacy Commissioner:
  - Review legislation (s8)
  - Data matching application approvals
  - Compliance checks (10 in 2003) (s81(e))
  - Issuing Codes of conduct
  - Now stressing need for PIAs