Commissioner welcomes AAB’s decision
1. The Privacy Commissioner for Personal Data (“the
Commissioner”) Mr. Roderick B. Woo welcomes a decision made by the
Administrative Appeal Board (“AAB”) on an appeal case pursuant to the
Personal Data (Privacy) Ordinance (“the Ordinance”).
2. The complainant subscribed for an electronic
financial information service with a company (“the Company”) through
its website. In applying for membership, the complainant provided
the company with an e-mail address, firstname.lastname@example.org, where xyz was the
3. The complainant thereafter received numerous SPAM
emails at the said email address. Having learned from the media
that the Company’s security system had been infiltrated by hackers, the
complainant alleged that the Company had failed to protect his personal
information. The complainant complained to the Commissioner that
the Company had breached Data Protection Principle 4 (“DPP 4”) of the
4. DPP 4 provides that a data user shall take all
practicable steps to ensure that the personal data held by it are
protected against unauthorized or accidental access, processing,
erasure or other use.
5. The Commissioner took the view that the
complainant’s email address did not constitute “personal data” within
the meaning of the Ordinance, as the complainant’s identity could not
be ascertained from the email address alone. There was also no
evidence showing that his personal data had been leaked to the spammers
by the Company’s website. In view of this, the Commissioner
refused to carry out an investigation. The complainant appealed
against the Commissioner’s decision.
6. The AAB remarked that the SPAM emails received
through the complainant’s email address contained no information
concerning the identity of the complainant. There was no evidence
that other than the use of the designated email address, there had been
any unauthorized use of the complainant’s personal information or
information which would have revealed the complainant’s identity.
7. The AAB did not preclude the possibility that an
email address, in some circumstances, could be personal data where it
would be reasonably practicable, whether because of the information
revealed in the email address itself or in conjunction with other
information, for the identity of an individual to be ascertained from
such an address. However, in this case, AAB did not accept that
the complainant’s identity could reasonably be ascertained from the
email address notwithstanding the fact that the prefix of the address
“xyz” corresponded to the complainant’s initials.
8. The AAB took the view that there was nothing to
indicate that a contravention by the Company of DPP 4 had occurred and
therefore dismissed the appeal.