
Privacy law in Hong Kong: An overview

Privacy law in Hong Kong: An overview. Professor Graham Greenleaf g.greenleaf@unsw.edu.au Topic 1 - January 2005. Overview of HK privacy law. General law protection of privacy Constitutional Torts - common law and statutory Breach of confidence


Presentation Transcript


  1. Privacy law in Hong Kong: An overview Professor Graham Greenleaf g.greenleaf@unsw.edu.au Topic 1 - January 2005

  2. Overview of HK privacy law
     • General law protection of privacy
     • Constitutional
     • Torts - common law and statutory
     • Breach of confidence
     • Data protection laws - Personal Data (Privacy) Ordinance
     • Data Protection Principles (DPPs)
     • Exceptions
     • Enforcement
     • Relevant international standards

  3. HK Privacy Resources
     • Berthold & Wacks, Data Privacy Law in Hong Kong - 2nd Ed (2003)
     • HKLRC Report, Civil Liability for Invasion of Privacy (2004)
     • Personal Data (Privacy) Ordinance
     • Summaries of the Ordinance
     • M Berthold’s article (1995) 2 PLPR 164
     • R McLeish’s ‘country report’ (1999)
     • Web site of the Privacy Commissioner for Personal Data, particularly:
     • Enquiries, complaints and AAB appeals
     • Annual reports
     • Guidelines to DPPs still being developed

  4. General law on privacy
     • Why is special privacy legislation needed?
     • Constitutional protection
     • ‘Privacy torts’
     • Other tortious protection
     • Breach of confidence

  5. Constitutional law (I)
     • ICCPR A17(1): ‘No one shall be subjected to arbitrary or unlawful interference with his privacy,…’ (UK acceded for HK)
     • A39 Basic Law in effect entrenches ICCPR as part of Hong Kong law; legislation cannot be inconsistent with the ICCPR
     • HK Bill of Rights Ordinance A14 gives this a statutory basis; but this only gives a right of defence against State actions (cf US Bill of Rights)

  6. Constitutional law (II)
     • A28 Basic Law: ‘The freedom of the person of Hong Kong residents shall be inviolable. … Arbitrary or unlawful search of the body … shall be prohibited’
     • A29 Basic Law: ‘The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident's home or other premises shall be prohibited.’
     • All are little tested as yet, but European Court of Human Rights and US Bill of Rights decisions may be relevant (weaker than 1st Amendment). Eg US SC 2001 - thermal imaging violated search and seizure

  7. ‘Privacy torts’ (i)
     • Since Warren and Brandeis’ “The Right to Privacy” (1890) US law has developed 4 ‘privacy torts’: ‘intrusion’, ‘public disclosure of private facts’, ‘appropriation’ and ‘false light’ torts
     • Many common law jurisdictions have not followed.
     • HK Law Reform Commission recommended (2004) statutory versions of ‘intrusion’ and ‘public disclosure’ torts (partly to comply with ICCPR A17).
     • HKLRC was due to report 2002 on surveillance in public places

  8. ‘Privacy torts’ (ii)
     • Common law courts are undecided on an explicit ‘privacy tort’:
     • UK - Wainwright [2004] - P required to undress to visit prisoner - HL held no intrusion tort in UK common law
     • NZ - Hosking v Runting [2004] - NZ CA held there is a disclosure of private facts tort in NZ common law
     • Australia - Lenah v ABC [2001] HCA 63 - Information obtained by trespassers in a possum abattoir; restraint on media publication sought
     • HC refused to restrain publication because no breach of confidence; unlawful obtaining of information not sufficient
     • 6/7 HC Js considered the question of a tort of invasion of privacy still open - but not in this case

  9. Other piecemeal torts
     • All existing torts have significant defects in protecting privacy
     • Defamation
     • Requires falsity; qualified privilege does not require fair practices; expensive
     • Negligence
     • Liability for negligent statements is very limited - even more so to 3rd parties
     • Eg Sullivan v Moody [2001] HCA 59 - investigators of sexual assault did not owe duty of care to one parent concerning information about the other

  10. Breach of confidence
     • Three elements (Coco v Clarke)
     • Information having the quality of confidence
     • Disclosure under circumstances of confidence
     • Unauthorised use (including disclosure)
     • Scope of relationships covered is uncertain
     • Duty uncertain for most modern commercial relationships
     • Duty only owed to the discloser of the information
     • No duty owed to the ‘data subject’ per se (see Fraser v Evans [1969] 1 QB 349)
     • Third party recipients of information will owe a duty once they become aware of the original circumstances of confidence

  11. BOC - ‘Improperly obtained information’
     • Breach of confidence is expanding to cover (unconscionable?) ‘obtaining’ of information
     • Franklin v Giddens [1978] 1 Qd R 72 (Qld SC) - theft of budwood from orchard gave rise to BoC action
     • Campbell v MGN [2004] HL - Naomi Campbell filmed leaving Narcotics Anonymous meeting (ie in a public place); breach of confidence (disclosure of NA attendance) by a person unknown (assumed to be her staff or NA staff) was enough to make the Mirror liable as 3rd P for photographing.

  12. Data protection laws
     • Since 1970 (Swedish Data Act), all European countries have enacted data protection laws based on:
     • ‘information privacy principles’ (IPPs)
     • A Data Protection / Privacy Commissioner
     • NZ, Aust, Canada, and HK also: an Asia-Pacific approach of common law countries
     • Civil law countries (Taiwan, Japan) have not adopted Privacy Commissioner approach, but Korea has a central complaint mediation body

  13. Data protection as a bundle of rights

  14. Data surveillance laws • data protection laws

  15. HK’s privacy Ordinance
     • Personal Data (Privacy) Ordinance (PDPO)
     • Schedule 1 - Data Protection Principles
     • Key concepts
     • "data" means ‘any representation of information (including an expression of opinion) in any document, and includes a personal identifier;’ (s2)
     • Q: requirement to show an ID card to enter a building
     • Q: a video camera in a lift
     • Distinguishes surveillance from data protection
     • “personal data”….

  16. International standards
     • OECD privacy Guidelines (1980)
     • Basis of many national laws
     • Allowed but attempted to limit data export restrictions
     • EU privacy Directive (1995)
     • Higher standard, basis of revisions of European national laws
     • Required data export restrictions
     • APEC Privacy Framework (2004)
     • Are its standards ‘OECD Lite’?
     • Position on data export restrictions uncertain

  17. ‘Personal data’
     • "personal data" means ‘any data - (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable;’ (s2)
     • Other information may be used to identify
     • What is practicable changes with technology
     • What is practicable depends on the holder
     • Q: Consider CCTV tapes and web cams
     • Eastweek [2000] HKCA 186 -
     • CA majority held intention to identify required
     • Contrary view: capacity to identify is sufficient

  18. DPP1 - Collection limitation
     • DPP1(1) - for a lawful purpose and not excessive
     • Not a general ‘legitimate purpose’ requirement
     • DPP1(2) - by means lawful and fair
     • Unlawful surveillance also breaches DPP1
     • DPP1(3) - if collected from the data subject, notice is given of obligations, purposes, intended disclosures, and rights
     • Includes unsolicited information but only at the point of retention
     • Not if from observation of the person (surveillance law may apply)

  19. What types of obtaining information are ‘collection’?
     • Information solicited from another person
     • Is covered (whether from data subject or 3rd parties)
     • Unsolicited information
     • Is covered (whether from data subject or 3rd parties), but may only be collection at point of retention
     • Information obtained from observations (‘surveillance’) of the data subject
     • Is covered, on a purposive construction
     • Information extracted from documentary or other sources
     • Is covered, on a purposive construction
     • Collection may be in any medium

  20. DPP1 - Collection limitation
     • DPP1(1) - for (i) a lawful purpose (ii) relevant to functions of collector and (iii) not excessive
     • Not a positive ‘purpose justification’ requirement
     • Allows private sector organisations wide latitude to define their purposes
     • Some special cases:
     • Credit reporting Code revised (2003) to allow ‘positive’ reporting
     • Workplace monitoring Code not yet completed

  21. DPP1 - Collection limitation
     • DPP1(2) - by means lawful and fair
     • Purpose may be lawful, but means unlawful/unfair
     • Deception, trickery, undue pressure will be unfair
     • Unlawful surveillance also breaches DPP1
     • Legal but covert surveillance may be unfair
     • HKPCO examples of surveillance of domestic helpers, secret recording of staff or customers
     • No requirement of consent to collect, only fairness

  22. DPP1 - Collection limitation
     • DPP1(3) - if collected from the data subject, notice is given of obligations, purposes, intended disclosures, and rights
     • Does not include where collected from 3rd parties
     • Includes unsolicited information but only at the point of retention
     • Not if from observation of the person (surveillance law may apply)
     • Not if collection from documentary sources
     • Notice of purposes is vital
     • In setting limits of use/disclosure
     • In discouraging excess collection
     • In putting data subjects on notice of potential abuses

  23. DPP3 - Use / disclosure limitation
     • Data can only be used / disclosed in 4 ways:
     • (i) For the purpose for which it was collected;
     • DPP 1 allows fairly broad purposes; note DPP 1(3)
     • (ii) For a directly related purpose;
     • Direct marketing ‘opt out’ exception (s34)
     • (iii) With ‘prescribed consent’;
     • ‘express consent given voluntarily’ (s2(3))
     • Narrower than implied consent allowed in Aust/NZ - cannot include a failure to opt out
     • (iv) Subject to exceptions (eg s58 law enforcement)
     • Disclosure can be verbal or by inspection
     • Can mere inspection be ‘use’? (B&W - ‘yes’)

  24. DPP3 - Use / disclosure limitation
     • Are recipients tied to the same purpose as the proper purposes of the discloser?
     • Best answer is that collection must be by ‘fair’ means (DPP 1(2)) - fairness is an objective test in relation to data subject
     • This covers both legitimate disclosures (wider purposes of collection unfair), and illegitimate disclosures (any collection unfair)
     • Necessary answer to support the policy of the Ordinance
     • Once unlawfulness of discloser is known, collector’s use may also be a breach of confidence (‘unlawfully obtained info’)
     • Common complaint: Disclosure was within purpose of collection, but notice was not given under DPP 1(3)
     • Eg Disclosure of skating competitors OK as a purpose of collection, but no DPP 1(3) notice given

  25. DPPs - Disclosure and data exports
     • DPP 3 does not prevent overseas transfers
     • S33 only Ordinance provision not in force
     • Privacy Commissioner
     • ‘Exploratory survey’ began 2004

  26. DPP2 - Data quality & retention
     • DPP 2.1 - Accuracy in relation to purpose of use
     • Does not specify ‘complete’ or ‘up-to-date’
     • DPP 2.2 - Data retained no longer than necessary
     • ‘shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used’
     • s26 - Erasure of personal data no longer required, except where: (a) prohibited under any law; or (b) non-erasure is in the public interest

  27. DPP4 - Security
     • ‘All practicable steps … to ensure … protected against unauthorized or accidental access, processing, erasure or other use’
     • Possibilities
     • If hackers access data, data user may be liable for inadequate security
     • Mailouts in error of sensitive data may breach DPP4

  28. DPP5 - Information generally available
     • Rights to obtain information not restricted to data subjects (contra DPP 6), allowing anyone to:
     • "(a) ascertain a data user's policies and practices in relation to personal data;
     • (b) be informed of the kind of personal data held by a data user;
     • (c) be informed of the main purposes for which personal data held by a data user are or are to be used."
     • ‘Openness’ principle which should be important to the media and community organisations

  29. DPP6 - Access & correction
     • DPP6 - Access and correction rights
     • Right to access and correct your own data
     • Exceptions to access (Pt VIII)
     • Many exceptions apply (see Berthold summary)
     • Exemptions relate to data, not specific data users
     • Privacy Commissioner can access on reasonable grounds (s38), as an intermediary
     • Problem: correction is tied to right of access

  30. Enforcement of the DPPs
     • Enforcement notices (s50)
     • PC can issue, requiring contraventions to be remedied (4 in 2000), or warning notices (21)
     • Failure to comply is a criminal offence
     • No systematic publication of these serious complaints
     • S48 allows PCO to issue formal reports naming data users (but not others), but has only done so once
     • Appeals (s50(7)) to Admin. Appeals Board
     • Either complainant or data user can appeal
     • No further right of appeal to a Court against AAB decision, only judicial review

  31. Enforcement of the DPPs (II)
     • Compensation (s66)
     • Only by separate Court proceedings, not by PC
     • Only 1 reported case, and it was dismissed
     • PCO cannot award damages (contra Australia)
     • HKLRC recommends PC be able to assist complainants
     • Criminal offences
     • S64 creates criminal offences by data users
     • Supplying false information
     • Contravening matching requirements, enforcement notices, or any other provision of the Ordinance
     • S64 creates offences by other persons
     • Supplying false information
     • Hindering Commissioner’s investigations

  32. Enforcement of the DPPs (III)
     • Judicial review of PC decisions (2 in 2003)
     • Other duties of Privacy Commissioner:
     • Review legislation (s8)
     • Data matching application approvals
     • Compliance checks (10 in 2003) (s81(e))
     • Issuing Codes of conduct
     • Now stressing need for PIAs
