Hong Kong Human Rights Monitor

Privacy Ordinance does not safeguard privacy

In 1995 the Legislative Council passed the Personal Data (Privacy) Ordinance. The purpose of this law is to prevent misuse of personal data for improper purposes. The need for such a law became urgent because of the vast growth in the use of computers, which made it very easy to collect and store personal information. However the law is not limited to information held on computer. It applies to all "data" which is defined to include both written data and computer data.

The Ordinance sets out 6 "data protection principles" These are designed to ensure that personal data is only collected for a lawful purpose; that it is accurate; that it is not used for purposes other than the purpose for which it was provided without the permission of the person it relates to; that it is kept secure; that the type of data held by a particular organisation should be publicly known; and that people about whom data is held should be able to have access to it. Extensive powers of regulation are given to an official, the Privacy Commissioner, who can serve enforcement notices on data users requiring them to comply with the data protection principles. In addition the law creates various criminal offences, including an offence of failing to comply with a data access request not later than 40 days after receiving the request.

Part of the reason for this law is fear of Government Departments or other large organisations misusing information given for one purpose for another purpose. Another reason is that if data users cannot check that the information held about them is accurate they may suffer serious consequences, for example if they have been wrongly recorded as having been convicted of a criminal offence. Underlying the concern, which has led to legislation in many countries, is a fear of powerful, sinister organisations, accountable to no-one, collecting so much data on individuals that they are able to subject them to improper pressure.

The New China News Agency in Hong Kong would seem to be exactly the kind of organisation which the Personal Data (Privacy) Ordinance was designed to protect the citizen against. It is an information gathering agency for the Government of the People's Republic of China, although it never had any diplomatic status while Hong Kong was under British rule. Its operating methods are often secret, and as it is not part of the Hong Kong Government it is not accountable to the Hong Kong public. However Xinhua and its staff are, in theory, subject to the same rule of law as the rest of us.

In these circumstances it was very natural for Emily Lau, one of Hong Kong's most well-known pro-democracy politicians, to take advantage of the new law to ask Xinhua what data it held on her. Only after 10 months did Ms Lau receive a reply stating that it did not hold any such data.

This response is incredible. Xinhua officials have been known to boast about the vast extent of the information which it holds about Hong Kong people. When a member of Human Rights Monitor asked a representative of Xinhua in 1996 if the organisation was aware of the Monitor he received the answer "We know about every group in Hong Kong" The statement that Xinhua does not hold data on someone as well-known and as critical of the Chinese Government as Emily Lau cannot be true.

In addition the failure of Xinhua to reply to Emily Lau's information request is a clear breach of Section 19 of the Personal Data (Privacy) Ordinance, which requires replies within 40 days.

The Government has ample legal powers to deal with this situation and ensure that the law is enforced. Under Section 36 of the Ordinance the Privacy Commissioner may carry out an inspection of any personal data system used by a data user for the purpose of ascertaining information to assist him in making recommendations for promoting compliance with the Ordinance. Under section 38 he may carry out an investigation in relation to a complaint. Emily Lau complained to the Commissioner about Xinhua. He upheld her complaint and passed the papers to the Department of Justice to consider prosecution.

The activities of Xinhua are a matter of the utmost concern to Hong Kong. Since 1 July Xinhua no longer has any justification for the role which it adopted under British rule. Its political and information gathering activities have no place under "One Country, Two Systems" Anything which it does now must be subject to exactly the same legal regulation as applies to any other organisation.

Regrettably, the Hong Kong Government has failed the Xinhua test. The Department of Justice has announced that there will be no prosecution, and the Chief Executive has stated that the breach of the law by Xinhua was technical, not substantial. This is clearly wrong. A delay of months in responding to a request is not like being one or two days late. The message which will be drawn from the Chief Executive's statement is twofold. Firstly, Xinhua is above the law and can do what it likes. Secondly, the time limits in the Personal Data (Privacy) Ordinance do not really matter and no-one needs to take them seriously.

To retrieve this situation the Privacy Commissioner, Mr Stephen Lau, should now exercise his powers under Section 36 to carry out a full investigation of Xinhua's use of data. If on completion of the investigation it is clear that Xinhua is collecting data in ways which breach the data protection principles Mr Lau should serve an enforcement notice under Section 50 of the Ordinance requiring Xinhua to correct the breaches. Breach of an enforcement notice is by any standards a serious crime. It carries a maximum penalty of 2 years imprisonment, a $50, 000 fine, and a daily fine of $1000 for every day that the breach continues. Only an inquiry under Section 36 will maintain the credibility of the Privacy Commissioner and the privacy laws, and reassure the rest of us that Xinhua is not above the law.

Paul Harris

17.3.98 Chairman, Hong Kong Human Rights Monitor

1998 (c) Hong Kong Human Rights Monitor