I am responding to the Privacy Commissioner’s article in your October edition (the “Article”) and his decision to serve an enforcement notice against the “Do No Evil” App (the “App”).
First, I commend the Commissioner on his general performance as our privacy watchdog - he clearly takes his role seriously.
However, his decision that personal data lawfully in the public domain are not open to unrestricted use is wrong. This letter summarises my views, focusing on personal data made public by the Judiciary, Official Receiver and Companies Registry (the “Agencies”).
The reasons given for sanctioning the App were (1) breach of data protection principle 3 (“DPP3”) – i.e. the personal data were not being used for purposes for which they were collected – and (2) exceeding individuals’ “reasonable expectation of privacy” when their data were aggregated by the App.
The Commissioner admitted that certain personal data published by the Judiciary and Official Receiver were not subject to any express restrictions but he argued that implied restrictions applied. For writs and judgments, he said searches could be made for purposes relating to “the spirit of the courts to ensure that court hearings are administered in an open and fair manner”. Yet, this suggested purpose is not obviously restrictive, particularly the reference to justice being administered in an “open” manner. Also, he gave no evidence that data published via the App were actually used in breach of restrictions.
Even where some written restrictions are imposed by Agencies, I am not aware that they have ever taken steps to control use of the personal data they published. Indeed, it would be difficult to take such steps in practice, particularly where data are made available online. Notwithstanding this, the Agencies escaped sanction whilst the operators of the App were criticised for not monitoring/controlling use of data.
The Commissioner stated that the App’s aggregation of personal data exceeded the reasonable expectations of individuals about use of their data. However, Hong Kong law has no such concept – not in the Personal Data (Privacy) Ordinance (“PDPO”) nor the Basic Law (contrary to the Article).
The Bill of Rights Ordinance privacy right only binds the Government. Breach of confidence is, possibly, the closest thing to it – but this is a private right, unrelated to the Commissioner’s powers. The Commissioner probably got the idea from the Australian Information Commissioner’s Information Privacy Principle Guidelines. However, he is taking these principles out of context - they only apply to Australian public bodies if no specific legal requirements on disclosure apply. In any event, why should Australian privacy guidelines apply in Hong Kong?
Even if the concept applies, surely once the Agencies lawfully make personal data public, no one can have reasonable/realistic expectations of restrictions on their use. The inability/failure of the Agencies to control use of these personal data is a stark illustration of this reality.
The Commissioner’s failure to consider the exemptions in Sections 51A or 60B, PDPO, further undermines his decision.
Section 51A exempts personal data held by courts when performing judicial functions from DPP3. If courts’ use of personal data is unrestricted, should not that effect be transferred to any subsequent use of the same data if lawfully published?
Section 60B exempts personal data from DPP3 if use of the data is required/authorised by enactment or law. The Agencies’ publication of personal data was so required/authorised. Arguably, any such data published via the App were also exempt.
Two other points:
- Concerns about direct marketing are otiose as the PDPO prohibits use of personal data for direct marketing without consent.
- Other companies aggregate information published by the Agencies and make it conveniently available, like the App. Banks engage their services to conduct mandatory due diligence into individuals. Is it fair that banks access such services but not the “man in the street”?
The Commissioner should reconsider his position. There are no effective legal restrictions on use of personal data lawfully put into the public domain by the Agencies, so they should be treated as freely available. The Commissioner should focus his attentions on more egregious abuses.
By Simon Deane, Partner, Deacons