Berthold, Mark --- "Hong Kong's data privacy proposals" [1994] PrivLawPRpr 124; (1994) 1(9) Privacy Law & Policy Reporter 165

Hong Kong's data privacy proposals

Mark Berthold examines the data privacy proposals in the first part of a two-part review.

In August 1994, the Hong Kong Law Reform Commission (HKLRC) released detailed proposals providing for data privacy (Report on Reform of the Law Relating to the Protection of Personal Data (Topic 27)). Two months later, in his annual Governor's policy address, Chris Patten said:

We will introduce legislation based on established international principles to safeguard the individual's right to the privacy of personal data, to be enforced by an independent data protection authority.

A government spokesman has subsequently stated that the administration is aiming at introducing a Bill early next year based on the Commission's recommendations. The Commission's proposals are likely to be reflected in legislation. Those proposals echo many of the provisions of existing data protection laws, including the Australian Privacy Act 1988 and NZ's Privacy Act 1993. The influence of the European Union's recent draft Directive on personal data is set out in detail below.

Most importantly, the recommendations reflect the input obtained from an extensive public consultation process. The HKLRC released a 197 page consultation paper in March 1993 and this elicited 82 detailed submissions from data users, data subject representatives, and international experts. Interestingly, only two respondents expressly doubted the need for legislation. The remainder focused on areas where they feared practical problems would result from the proposals. The HKLRC has adjusted a number of its recommendations as a result. It is heartening that the extensive media coverage accompanying the final report's release has been very positive.

The mandate for reform has been further bolstered by a public attitude survey conducted last year by the University of Hong Kong. Of the random sample, 7.3 per cent reported that they had experienced an invasion of their privacy within the last 12 months. This was defined as someone having tried to learn too much about them. Respondents were asked if they would object if specified types of information were made publicly available. The responses were somewhat surprising, with those objecting ranging from 86 per cent for their telephone number to 15 per cent for religious views. Intermediate were: address (83 per cent objecting), financial status (63 per cent), PIN number (62 per cent), HIV status (62 per cent), income (58 per cent), medical history (57 per cent), political views (42 per cent) and passport/nationality details (23 per cent). An overwhelming 94 per cent thought that there should be access and correction rights to data relating to a loan refusal.

Existing protections

A comprehensive review found existing privacy protections to be sparse. The Bill of Rights Ordinance 1990 (HK) gives legislative effect to the terms of the International Covenant on Civil and Political Rights (ICCPR). This includes a provision protecting privacy which, however, falls short of restricting the use of all data relating to the individual. Absent was any sectoral legislation providing access and correction rights, even in such areas as credit reporting. Legislative protections were limited and incidental, such as secrecy provisions under the taxation legislation. Nor did the common law provide much assistance. The duty of confidence limits the disclosure of information entrusted in confidence, but is enforceable only by the confider and not the data subject as such (the Australian Act abolishes this restriction). Only occasionally would privacy interests be furthered by the operation of such other principles as contract, public interest immunity, or copyright.

Adoption of the OECD guidelines

To remedy this lack of comprehensive protections, the HKLRC recommends giving legal force to the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 1981. Those principles were embodied in a set of voluntary guidelines promulgated by the Hong Kong government (to little apparent effect) in 1988. Of course, the OECD guidelines also provided the basis of the Australian and NZ legislation. But the HKLRC's proposals represent an interesting departure in that they also draw on key provisions of the revised draft directive of the European Union issued in October 1992 (the draft EU Directive). The HKLRC's consultation paper borrowed heavily from the draft EU Directive. This was to take advantage of the fact that it effectively represented a distillation of current European thinking on the issue. To the author's knowledge, the HKLRC's consultation process in effect represents the most extensive exercise conducted to date on key provisions of the directive. The following account accordingly highlights those recommendations reflecting this process.

Scope of the proposed law

The proposed scope of the law is similar to the Australian and NZ Acts, namely all data relating to an identifiable individual, whether judgmental or ostensibly factual regardless of storage medium. However, with the exception of the Security Safeguards Principle, it is proposed that the principles should only apply to data that is reasonably readily retrievable. The objective was to target data that poses perils to the individual and not the improvement of records management as such. This application of the law to organised manual data in addition to computerised data also accords with the draft EU directive. Very few respondents argued to the contrary.

Privacy Commissioner

As with most data protection laws, the HKLRC recommends establishing a supervisory authority specifically tasked to monitor compliance. To be appointed by the Governor, the HKLRC recommends that he or she only be removable for grounds pursuant to a resolution of the Legislative Council. A collegial model is envisaged, with the Privacy Commissioner being assisted in policy formulation by a board of part-time commissioners, although several international experts had advised that this approach had failed in Europe.

As compared with the Australian and NZ legislation, the Privacy Commissioner's proposed functions are circumscribed. The main functions proposed are:

1. Investigation of possible breaches of the law, whether upon receipt of a complaint or at the Privacy Commissioner's own initiation.
2. Enforcement of corrective measures where breaches are identified.
3. Conducting on-site audits of data users.
4. Promoting codes of practice.
5. A notification point for declarations from data users.
6. Educational and publicity functions.

Absent from this list is provision for the Privacy Commissioner to have a role in the monitoring or vetting of technical, administrative or legal initiatives with privacy implications. Both the Australian and NZ Acts make comprehensive provision in this regard.

It is recommended that the Privacy Commissioner be conferred comprehensive mandatory powers to ensure compliance. In the first instance efforts will be made to resolve disputes through conciliation. Data users who fail to comply with the remedy ordered face the sanction of an order prohibiting the processing of personal data. This approach is stronger than under the Australian or NZ legislation and resembles the UK approach. As with the UK Act, however, it is balanced by the provision of an appeals system. Appeals on the merits will be entertained by the recently constituted Administrative Appeals Board. This exercises a broad jurisdiction along the lines of the Australian Administrative Appeals Tribunal.

Some disquiet was expressed by respondents about the proposed powers of the regulatory body. While the HKLRC generally concluded that proactive powers of investigation were generally necessary, an exception was recommended for the media. The concern was that the very existence of such powers tended to weaken the press's institutional integrity. The media was also accorded exemptions from several of the data protection principles which are discussed below.

Notification system

Article 18 of the draft EU Directive provides that data users should be required to notify the Privacy Commissioner of contact details, data purposes, categories of data and data subjects, data recipients, transborder data flows and security systems. The Australian Privacy Commissioner publishes a digest of the declarations of Federal data users covering most of these matters. The HKLRC endorsed such a system as it promotes openness. As with Australia, the Privacy Commissioner's approval would not be required for data processing personal data. Nonetheless, a number of submissions were received expressing the concern that such a requirement could be burdensome for small businesses, as well as diverting the resources of the Privacy Commissioner. The HKLRC has accordingly recommended for mainstream users a 'tick-the-box' format focusing on data purposes and contact details of the organisation's officer responsible for data protection matters. Data subjects would have on-line access to these details. Furthermore, private sector declarations would be lodged with business registrations, generating revenue that should largely fund regulation.

Data collection

Unlike under the NZ law, the HKLRC has defined 'collection' as obtaining data from the data subject, as opposed to its 'acquisition' from third parties. Collection in this narrow sense will be with the data subject's knowledge when answering questions put forward, either in person or by questionnaire. Or it may be without the data subject's knowledge, when the data is collected by automated means such as utilities metering. The HKLRC differentiates between these processes in making its recommendations.

Acquisition from third parties or collection from the data subject

The HKLRC recognises that both aspects are subject to the OECD Collection Limitation Principle and should be limited and the data obtained by fair and lawful means. As to the limits on collection, the Australian Act's restriction is recommended for adoption, namely that the data is directly related to a function/activity of the collector.

Collection from an informed data subject

It is recommended that the individual be explicitly informed of data purposes, data recipients, access/correction rights and contact details of the data user's responsible officer. He or she should also be aware of the obligation or otherwise of replying and the consequences of failing to do so, but if this is implicit (for example, a newspaper advertisement) it need not be specified. He or she should be advised upon collection of all those matters directly relevant to the decision whether to furnish the data. This would include all those matters specified above excepting details of access/correction rights and the responsible officer and he or she should be informed of these no later than when the data is first used. To accommodate frequent collections (for example, hospital patients) the individual must be advised of all these matters upon the first collection but only reminded of them at reasonable intervals thereafter. These recommendations follow art 11 of the draft EU directive as modified on the basis of submissions received. The Australian and NZ Acts contain similar requirements, albeit qualified by the 'reasonableness' of having to furnish the information in the circumstances.

Collection from an uninformed data subject

This may occur in a variety of situations, including surreptitious collection through surveillance. The HKLRC's report has deferred its consideration of this difficult topic. Its recommendations are restricted to the collection by automatic metering or automated means which the data user initiates. These recommendations follow those of the Council of Europe. The individual should be informed of the frequency of data collection, their storage time, and the use to be made of the data. The individual's consent should be required for the installation of data gathering equipment in real or personal property under his or her control and only data necessary for service or billing purposes should be collected and stored.

A requirement of collection from the data subject instead of third parties

The NZ Act has such a requirement, although it is heavily qualified. The HKLRC considered this option, but rejected it. It recognised, however, the dangers of excluding the data subject from the data processing cycle through reliance not only on third party data but data previously collected from the individual. These dangers are reduced by the recommended application of the use limitation and data quality principles. They are also addressed by the HKLRC's recommendations on data matching and profiling.

Data matching and profiling

The HKLRC recommends the regulation of investigative matching programs involving the comparison of data to identify discrepancies and take adverse follow-up action. This is in recognition of the intrusive nature of such programs and their susceptibility to error due to their dependence on complex inferential processes in matching ostensibly similar items. The proposed scheme is similar to those provided for under the Australian and NZ Acts, but applies to both the public and private sectors. The Privacy Commissioner's prior approval is required and the onus is on the data user to show a competing social need which overrides the privacy interests of data subjects. The justification should include an outline of why alternative means of satisfying the objectives are less satisfactory and a cost-benefit analysis. The Privacy Commissioner is to issue guidelines which should include procedures according 'hits' the opportunity to contest the results prior to the implementation of an adverse decision.

While the HKLRC's matching recommendations address adverse decisions resulting from investigative programs, it has concluded that procedural safeguards should also be afforded regarding decisions not arising from programs. This potentially seminal recommendation merits setting out in full:

Prior to the implementation of a proposed adverse administrative or private decision based on personal data, the data subject must be provided the opportunity to correct, add to or erase data that form the basis of that decision, except where the proposed decision is made pursuant to, or in the course of entering into or attempting to enter into, a contract.

This recommendation has its genesis in the draft EU directive. While art 18 (4) appears to encompass, albeit obliquely, investigative matching, art 16 specifically addresses automated profiling. It provides that the data subject should be entitled to contest an adverse decision 'which is based solely on automatic processing defining a personality profile'. But the HKLRC queried the relevance of restricting its application to where the decision was made solely on the basis of automated processing. As a social welfare respondent pointed out, many decisions will be taken on the basis of both automated and manual data. Besides, retention

of the restriction would provide ample scope for evading compliance.

The HKLRC recognised that the resultant recommendation is very broad. This is limited somewhat by excluding contracts and contractual negotiations. Nonetheless, the proposal is a significant one. It has some similarity to the common law 'rules of natural justice' providing the right to be heard, but is more limited. The decision maker is not required to divulge relevant factors which are not reduced to data, nor to indicate which data he or she proposes relying on. In data protection terms, the proposal is notable because the data subject is specifically alerted to the need to access and correct the data. The HKLRC concluded that this more proactive approach was warranted to compensate for its not adhering to two other draft EU directive provisions aimed at assisting the individual in keeping track of vital data affecting him or her. In view of submissions received, the HKLRC abandoned its earlier endorsement of art 8's restrictions on processing without data subject consent data of a sensitive nature. The public attitude survey results on data considered sensitive in Hong Kong are set out above. They only partly correspond to the categories of data identified by art 8. More fundamentally, such data may be directly relevant to the legitimate activities of the data user. Nor did the HKLRC believe enforceable art 12's requirement that the data subject be informed at the time of the first disclosure of data relating to that subject. As a result, however, the HKLRC was not proposing any provisions ensuring that the data subject would be aware of third party data and its subsequent dissemination. Providing an opportunity for input prior to implementation of adverse decisions redresses this lack of monitoring mechanisms at least at the point when the data processing reaches a 'crunch' stage.

In the next issue, the second part of Mark Berthold's article will examine the HK approach to transborder data controls and exemptions.

Mark Berthold, a Senior Crown Counsel in Hong Kong, was the Secretary to the subcommittee of the Hong Kong Law Reform Commission that examined privacy protection and made recommendations, and was responsible for drafting its report. The subcommittee was chaired by Mr Justice Mortimer.