Hong Kong Human Rights Monitor

Privacy Ordinance at Stake

Following the lead of 27 jurisdictions, including Australia, New Zealand, Japan and countries in Western Europe and North America, Hong Kong government finally enacted the Personal Data (Privacy) Ordinance in December 1996.

The initiation of the bill was based on the recommendations of the Law Reform Commission, who saw the existence of such bill essential. Before 1996, the existing statutory and common law that protect information privacy is scattered and incidental in nature. Article 14 of the Bill of Rights Ordinance is the sole legislative provision specifically providing for privacy of information. However, it only focuses on information relating to a person's private life, but not any information relating to an individual. Also, it is limited in the sense that the Bill of Rights Ordinance only applies to the public sector, but not the private sector and therefore a person whose privacy has been violated by a private body cannot rely on the Bill of Rights for legal remedies.

The main objective of the Personal Data (Privacy) Ordinance ("Privacy Ordinance" is to protect the individual's right to privacy with respect to personal data. It is based on the view that individuals have privacy interests in their personal data. They look for the fair collection, use, holding and disclosure of personal data to Hong Kong from restrictions imposed by countries that have data protection laws. To ensure these objectives can be reached, six data protection principles are recognised.

Principle 1 provides for the fair collection of personal data, including a requirement that a data subject be informed of the purposes for which the data are collected from him. Under this principle, unfair collection of personal data should not be adopted by data users. Situations would be considered as unfair if persons collecting personal data not to identify themselves or to give false or misleading information about their identity.

Principle 2 requires all practicable steps to be taken to ensure the accuracy of personal data. This principle suggests any data users when accepting personal data, such as copies of identity cards provided by individuals, should check its accuracy and authenticity. Thus, in the case of an application for a vacancy in the civil service, the identity card number of the applicant as shown on the application form should not be used for integrity checking until it has been verified by examination against the ID card produced by the applicant at a subsequent occasion.

Principle 3 limits the use of personal data to the purposes, or directly related purposes, for which they were collected or for which the data subject has given consent. A requirement on credit providers based on this principle would be demanding them to provide to debt collection agencies information only directly relating to an individual in default, which enables the identification and location of the individual.

Principle 4 requires all practicable steps to be taken to ensure the security of personal data. In this way, data users should take all reasonably practicable steps to ensure that an identity card number and the name of the holder are not displayed together publicly. One example will be displaying the ID card numbers and the names of the holders in newspaper notices.

Principle 5 provides for the information that a data user must make available concerning his use of personal data. This means that any person should be informed of the kind of personal data held and the purposes of keeping the data by a data user.

Principle 6 provides for the data subject's rights of access and correction with respect to his personal data. It was under this principle that Emily Lau, requested access of her personal information held by the News China News Agency (NCNA). For the general public, for instance, if they suspect their personal information held by credit reference agencies is incorrect, they can made access requests to credit records.

An act in contravention of the principles does not amount to an offence by itself. The Privacy Commissioner has the power to require the one who breaches the principles to do or refrain from doing certain acts. It is an offence to violate such an order.

With the presence of this ordinance, however, it doesn't mean that every aspect of personal privacy are being protected. One of the examples is that currently stalking or surveillance is not subject to any statutory or common law control in Hong Kong. The Personal Data (Privacy) Ordinance comes into operation only if such acts involve the collection of personal data. The issue of regulating stalking and surveillance are now being reviewed by the Law Reform Commission.

Another aspect that may limit the power of the Ordinance concerns with its application. The Ordinance binds the Government and the private sector. The General and Interpretation Ordinance, as amended by the controversial Adaptation of Laws Ordinance enacted by the SAR Government during the last days of the Provisional Legislative Council, provides for an assumption retrospectively (back to the handover) that unless a Hong Kong statue prescribes expressly or by necessary implication that it binds the "state" the "state" is assumed to be not bound by it. The Personal Data (Privacy) Ordinance provides explicitly that it binds the "Hong Kong Government" and silent on the "state" it therefore no longer binds the state.

The definition of "the state" is wide and vague. It includes,

(a) the government of the Hong Kong Special Administrative Region
(b) the Central Authorities of the People's Republic of China that exercise
    (i) executive functions;
    (ii) functions for which the Central People's Government has responsibility under the Basic Law; or
    (iii) any combination of any of those functions; and
(c) subordinate organs of any of those Central Authorities that
    (i) exercise any of those functions on behalf of those Central Authorities; and
    (ii) do not exercise commercial functions, when acting within the scope of delegated functions, of the subordinate organ concerned.

The definition of subsidiary of the Central Authorities is particular vague. We cannot tell for sure whether, for example, the Hong Kong branch of Xinhua falls within that definition, because it is a branch of a news agency, a de facto PRC mission in Hong Kong and the Hong Kong Work Committee of the Chinese Communist Party. Daniel Fung, the Solicitor General of the Hong Kong SAR Government, considers it does because it was professed to be discharging functions delegated to it liaise Hong Kong people, to handle issues related to Taiwan and to co-ordinate state enterprises in Hong Kong. There are however strong evidence to the contrary. It also engages in business transactions of news and information as a news agency. Moreover, the work it has taken up by the Communist Party cannot be within the definition of state functions. Suffice to say here that there are no good policy reasons to excempt the "state" when the SAR Government is itself bound by the Privacy Ordinance and Article 22 of the Basic Law requires all branches of the state to be bound by the laws of Hong Kong. Xinhua and other "Big Brother" state organs in Hong Kong are exactly some of those bodies the Privacy Ordinance seeks to bring under proper control.

Not only that the Adaptation of Law Ordinance has confused the applicability of the Privacy Ordinance to bodies of the Central Authorities in Hong Kong, it has also led to various legal and constitutional issues which will be discussed in our next issue of this newsletter.

1998 (c) Hong Kong Human Rights Monitor