Hong Kong’s Privacy Enforcement: Issues Exposed, Powers Lacking
Privacy Laws & Business International Report, Issue 116: 25-28, April 2012
6 Pages. Posted: 14 May 2012
Date Written: April 25, 2012
This article concerning the Hong Kong SAR is the second in a series surveying significant recent examples of data privacy enforcement actions in the Asia-Pacific. Hong Kong’s Privacy Commissioner for Personal Data (the PC) does not have any power under the Personal Data (Privacy) Ordinance (the Ordinance) to award compensation or order other remedies. His most significant legal power is the power to serve an enforcement notice when he concludes that a data user is likely to repeat or continue a contravention of the Ordinance. Where a suspected breach of the Ordinance may constitute a criminal offence he may refer the matter to the Police and the Department of Justice for investigation and prosecution. Where the PC completes investigations of more serious cases of breaches of the Ordinance, it is now common for him to issue detailed reports on the outcomes under s48(2), and in 2010 and 2011 he issued thirteen such reports.
One of the s48(2) reports issued in 2010 was on the ‘Octopus’ case, which involved the transfer of personal data of users of the widely-used Octopus contactless-card payment system to third parties for direct marketing purposes. The PC issued s48(2) reports in June 2011 in respect of four of the bank cases in which he named the banks, and announced that such naming ‘will henceforth be adopted for all investigation reports published under section 48(2) of the Ordinance’, subject to certain exceptions. He is the first personal data authority in the Asia-Pacific to explicitly adopt ‘naming and shaming’ of data users found to have been in breach as a means of promoting compliance with personal data legislation.
This article examines a wide variety of s48(2) reports on the following issues: the CITIC Bank case, where there was mass infringement but no real penalty; data retention; fees for data access which were excessive; disclosure of details of a debtor’s relatives; unfair collection practices and improper use of public register information; and covert monitoring that was unfair collection. Other than in the debt collection case, the PC did not serve an enforcement notice in any of the cases summarised above because he was not of the opinion that the breaches found by him had occurred in circumstances that made it likely they would continue or be repeated.
The most recent s48(2) reports relate to “paparazzi” style photo journalism using systematic surveillance and telescopic lens photography to take clandestine photographs of TV personalities within their private residences. In both cases, the PC found that the taking of the photographs amounted to collection of their personal data by unfair means contrary to DPP1(2). He served enforcement notices directing the magazines to remedy their contraventions and the matters occasioning them. The details of the enforcement notices are, however, omitted from the published versions of the PC’s reports. The two magazines have appealed to the Administrative Appeals Board.
The article also examines a number of criminal prosecutions resulting from breaches of the Ordinance which have resulted in small fines. The PC commented that ‘the current level of fine is too low to be of deterrent effect, especially for organizational data users’. The overall conclusion is that the PC is tackling a wide variety of compliance issues in spite of the limitations on his formal powers of enforcement, and the absence of powers to order compensation or other remedies, as well as the inadequate penalties imposed by Courts.
Keywords: privacy, data protection, Asia, Hong Kong, legislation