
ALTA Law Research Series


Greenleaf, Graham --- "Making Hong Kong's data protection law effective" [2009] ALRS 20

Last Updated: 19 July 2010

Making Hong Kong’s data protection law effective

A submission to the Hong Kong Constitutional and Mainland Affairs Bureau

Professor Graham Greenleaf
Co-Director, Cyberspace Law & Policy Centre
Faculty of Law, University of New South Wales
Formerly Distinguished Visiting Professor (2001-2)
Faculty of Law, University of Hong Kong

30 November 2009

The Hong Kong Constitutional and Mainland Affairs Bureau has released a Consultation Document on Review of the Personal Data (Privacy) Ordinance (August 2009), calling for submissions. The following submissions address only the proposals raised in the Consultation Document, not other issues under the Ordinance that need reform, such as the question of data exports and the need to bring s33 into force.

Proposal No. 1: Biometric information

The Consultation Document says ‘Given the challenges posed by the development of biometric technology on an individual’s privacy, as a start we may consider classifying biometric data (such as iris characteristics, hand contour reading and fingerprints) as sensitive personal data’. It is not clear whether they propose to consider other categories, but since they do not mention any, it seems unlikely.

The approach suggested is only to limit the collection of what is deemed ‘sensitive’, not to impose more stringent requirements on use and disclosure once collected, so it is a very limited proposal.

Submission 1(a): Other categories of information should be included under ‘sensitive information’, not only biometric data, as is common in the data protection legislation of other jurisdictions. This should at least include medical data, and information about sexual practices, sexual orientation, race and ethnicity.
Submission 1(b): More stringent requirements on use and disclosure should be imposed on sensitive information once it is collected.

Proposal No. 2: Data Processors

The Discussion Paper says that ‘at present, the [Ordinance] does not regulate processors which process personal data for data users’, and therefore proposes that

... a data user who transfers personal data to a data processor for holding, processing or use, would be required to use contractual or other means to ensure that his data processor and any sub-contractors will take all practicable steps to ensure the security and safekeeping of the personal data, and to ensure that the data are not misused and are deleted when no longer required for processing.

This would be valuable, but only of limited use in Hong Kong because it retains the doctrine of privity of contract, and the data subject will not be able to sue to enforce the contract or obtain remedies for its breach, particularly if the processor is outside Hong Kong.

A more robust option under consideration is

... we can consider directly regulating data processors by imposing obligations on them. They would be required to exercise the same level of due diligence as the data user with regard to security, retention and use of the personal data thus entrusted.

Imposing obligations directly on the processor is a much more direct solution, and much more valuable to data subjects if they can simply enforce the data protection Principles against the processor, but that is subject to the processor being within the territorial or extra-territorial scope of the Ordinance. A further strengthening would be to make the principal vicariously liable for the actions of the processor.

Submission 2(a): Data subjects should be able to enforce the data protection Principles directly against the processor.
Submission 2(b): In order to deal with the problem of processors located outside the jurisdiction of the Ordinance, it should make the principal (data user) vicariously liable for the actions of the processor.

Proposal No. 3: Personal Data Security Breach Notification

The Consultation Paper merely says ‘we consider it more prudent to start with a voluntary breach notification system’, a conclusion which seems at odds with the very high levels of large scale data breaches in both the public and private sectors that have taken place in Hong Kong over the last three years.

Submission 3: Data breach notification should be made compulsory.

Proposal No. 4: A role in criminal offences for the Commissioner

The Consultation Document does ‘not see a strong case to give the PCPD the power to investigate into and prosecute criminal offence cases’ and this seems correct.

Submission 4: The PCPD should not be given the power to investigate into and prosecute criminal offence cases.

Proposal No. 5: Legal Assistance to Data Subjects under s66

The Consultation Document invites views ‘on whether the PCPD should be conferred the power to provide legal assistance to an aggrieved data subject’. The New Zealand Commissioner can recommend that legal aid be provided to complainants. However, the main issue in Hong Kong is the provision of some alternative forum in which compensation can be obtained without complainants having to go to a Court.

Submission 5: The PCPD should be conferred the power to provide legal assistance to an aggrieved data subject.

Proposal No. 6: Award Compensation to Aggrieved Data Subjects

The Consultation Document invites views on ‘whether it is appropriate to introduce an additional redress avenue by empowering the PCPD to award compensation to aggrieved data subjects’ while being clearly of the opinion that this is not appropriate.

Although allowing the PCPD to award compensation would be better than the current non-functioning system via the Courts, there are good reasons not to combine the mediating function and the adjudicative function. The real problem, which the Constitutional and Mainland Affairs Bureau does not seem to appreciate, is that the Hong Kong Commissioner does not mediate in complaints, particularly not to obtain compensation, in contrast to Commissioners in most other jurisdictions. The Ordinance needs to be changed to give the Commissioner a specific function of mediating in this way.

An alternative to allowing the Commissioner to award compensation, one which works best in New Zealand with its Human Rights Review Tribunal (HRRT), is to have a low-cost quasi-judicial tribunal that can make compensation payments, with the Commissioner referring matters to it that cannot be mediated, and preferably with some agreed statement of facts etc so that the matter does not have to be heard ab initio. A similar approach operates in New South Wales and Victoria with their administrative tribunals (NSWADT and VCAT). One quasi-judicial tribunal in Hong Kong that could be empowered to award damages may be the Administrative Appeals Board. This would involve giving a body which normally deals with appeals a ‘first instance’ function of deciding damages, but there is no obvious alternative in Hong Kong if the Commissioner is not considered appropriate, and the existing provision before a Court under s66 has failed.

Submission 6(a): Consideration should be given to whether the Administrative Appeals Board or another low-cost tribunal in Hong Kong could be given the function of deciding compensation claims for breaches of Principles in the Ordinance.
Submission 6(b): If the proposal in Submission 5(a) cannot be met, the Commissioner should be empowered to award compensation.

Proposal No. 8: Unauthorized dealings in Personal Data

The Consultation Document says that ‘to curb irresponsible dissemination of leaked personal data, we may consider making it an offence if a person obtains personal data without the consent of the data user and discloses the personal data so obtained for profits or malicious purposes’. A reform such as this should not be very contentious. The PRC and Vietnam have already passed such laws during 2009.

Submission 8(a): It should be an offence if a person obtains personal data without the consent of the data user and (i) discloses the personal data so obtained for profits or malicious purposes; or (ii) holds the data with such intent.
Submission 8(b): It should be presumed that a person who obtains personal data without the consent of the data user did so with the requisite intent, so the onus is on the defendant to rebut such a presumption.
Submission 8(c): It should also be an offence for anyone to sell such personal data for profit whether or not they obtained it from the data user (if this is not already implied in the proposal).

Proposal No. 9: Repeated Contravention of DPPs

The Consultation Document raises the hypothetical problem of a data user who breaches a DPP, complies with the subsequent enforcement notice, and then breaches the DPP again in the same way. It would seem reasonable that such a subsequent breach of a DPP could be an offence.

Submission 9: Subsequent breach of a DPP could be an offence, as proposed.

Proposal No. 10: Monetary Penalty for Serious Contravention

Although it is not common for non-judicial bodies to have the statutory power to impose monetary penalties, the Consultation Document proposes that consideration be given to empowering the PCPD to require data users to pay a monetary penalty for serious contravention of DPPs. Again, this type of ‘administrative penalty’ is not uncommon in other jurisdictions, and is found in Macao and in the current proposals by the Australian government.

Submission 10: The PCPD should be empowered to require data users to pay a monetary penalty for serious contravention of DPPs.


URL: http://www.austlii.edu.au/au/journals/ALRS/2009/20.html