Office of the Privacy Commissioner for Personal Data, Hong Kong

Date: September 17 - 19, 1997

The Asian Status with respect to the observance of the OECD Guidelines and the EU Directive (cont.)

EU Directive - Personal Data Filing Systems

The definition of Personal Data Filing Systems, which includes "any structured set of personal data", is intended to cover both computer and manual processing of data.

Hong Kong: Personal Data System is defined as "any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system".

Observation: General conformance.

Taiwan: The law is to "govern the processing of personal data by computers" (Article 1).

Observation: Manual processing of personal data is not covered by the law.

Japan: The act applies to "computer processed personal data".

Observation: Manual processing of personal data is not covered.

EU Directive - Purpose Specification

Article 7 requires that personal data may only be processed if:

  1. the data subject gives consent
  2. processing is necessary for contract performance
  3. processing is necessary for legal compliance
  4. processing is necessary to protect the vital interests of the data subject
  5. processing is necessary for public interest
  6. processing is necessary for legitimate interests

Hong Kong: There is no provision for purpose specification.

Taiwan: General conformance through Articles 7 and 18 which require that personal data may only be processed if:

  1. the data subject gives consent
  2. the processing is within the scope of job functions provided by law and regulations
  3. there is no possibility it shall infringe upon the rights and interests of the data subject
  4. there is a contractual relationship
  5. the information is public knowledge
  6. there is a need for academic study

Observation: General conformance.

Japan: Processing of data by a government agency is "confined to the extent necessary to perform the competent function provided by law" (Article 4).

Observation: Partial conformance.

EU Directive - Sensitive Data

Article 8 requires "member states to prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life" except:

  1. with the explicit consent of the data subject
  2. in line with employment law
  3. for the vital interests of the data subject
  4. for non-profit making bodies for their members
  5. for defence of legal claims

Hong Kong: There is no provision specifying categories of sensitive data.

Taiwan: Ditto.

Japan: Ditto.

EU Directive - Supervisory Authority

Article 28 requires member countries to have "one or more public authorities to be responsible for monitoring" the compliance of legal provisions to protect personal data. These authorities "shall act with complete independence in exercising the functions entrusted to them", and be endowed with "investigative powers", "effective powers of intervention", and "the power to engage legal proceedings" against violations. The authority should also publish and make public reports on its activities at regular intervals.

Hong Kong: The law explicitly establishes the Office of the Privacy Commissioner for Personal Data, and the Commissioner "shall monitor and supervise compliance with the provision of the Ordinance". That "the Commissioner shall not be regarded as a servant or agent of the Government" [Article 5 (8)] provides his independent status. The Commissioner has the power to carry out inspections of any personal data systems, and to receive and investigate complaints with powers of entry and summons. He also has the power to issue "enforcement notices" to data users to remedy any contravention of the law. As a regulatory authority, the Commissioner can initiate legal proceedings on offences through referral to the Department of Justice for prosecution. The Commissioner is required to furnish an annual report to the legislature on activities relevant to his functions. This annual report is made available to the public.

Observation: General conformance.

Taiwan: "The Ministry of Justice is responsible for coordinating and contacting matters relevant to the enforcement of the law" (Article 42) and prescribing "the enforcement rules of the law" (Article 44).

Compliance with the law by a non-government agency (private sector) is supervised by the government authority in charge of the industry to which the non-government agency belongs. These government authorities have powers including the granting and revoking of registered licences to process personal data systems (Article 19), prescribing criteria for fee charging for data access and correction requests by data subjects (Article 26), handling appeals by data subjects (Article 32), investigation and enforcement (Article 25), and imposition of fines on the non-government agencies (Articles 38 - 41).

Appeals against a government agency by data subjects can be lodged with the supervisory agency of the said government agency (data user). The supervising agency is required to respond to the appeal in writing (Article 31).

Observation: There does not seem to be an independent supervisory body, in the sense that there is no public supervisory body independent of government.

Apart from this issue of independence, the private sector's supervisory government agencies have powers that conform generally to the Directive, whereas the public sector's data users (government agencies) do not seem to be supervised in terms of compliance. The role played by the overall co-ordinating Ministry of Justice might cover this supervisory aspect through its prescribed enforcement rules of the law, though such rules are not specified in the law.

Japan: The Management and Coordination Agency (MCA) is the body responsible for receiving notifications from federal agencies regarding their personal data systems. MCA also has the authority to request the federal agencies to provide information and explanation when MCA finds it necessary to do so with regard to the operations concerning the computer processing of personal data, and to give an opinion to the Prime Minister or to the federal agencies on such operations (Articles 21 and 22).

Observation: There does not seem to be an independent supervisory authority, in the sense that there is no public supervisory body independent of government. Also, it seems that MCA is more a co-ordinating body than a supervisory body, with authority to request information and advise the agencies rather than the legal power to investigate, intervene and sanction.

EU Directive - Transborder Data Flow

Article 25 provides "that the transfer to a third country of personal data may take place only if .......... the third country in question ensures an adequate level of protection". Exemptions from Article 25 are:

  1. unambiguous consent from the data subject
  2. the transfer is necessary for the performance of a contract
  3. the transfer is in the vital interest of the data subject
  4. the transfer is in the public interest
  5. the transfer is made from a public register
  6. the state may authorise data transfers if there is appropriate protection through contractual clauses between the data user and the data recipient

Hong Kong: Article 33 requires that no data should be transferred to a place outside Hong Kong unless:

  1. the place has a law "equivalent" to the Hong Kong Law as determined by the Commissioner
  2. the data user has reasonable grounds to believe there is an equivalent law
  3. the data subject gives his prescribed consent
  4. the data user believes that the transfer is in the data subject's interest
  5. general exemptions including public interest are applicable
  6. the data user takes all reasonable precautions and exercises due diligence to ensure equivalent protection in the receiving country for data transferred

Observation: The "equivalence" requirement is perceived as "adequacy" to meet the EU requirements, given the breadth and depth of the Hong Kong law. In addition, Article 33 makes data users whose principal place of business is in Hong Kong responsible for compliance in respect of data transferred to other places. This requirement closes the EU Directive's loophole for possible off-shore operations to avoid legal data protection.

Taiwan: For government agencies, "the international transmission and utilisation of personal data by the government agency shall be handled in accordance with relevant law and regulations".

For non-government agencies (private sector), the "international transmission and utilisation of personal data may be limited" (Article 24):

  • where major national interests are involved;
  • where national treaty or agreement specifies otherwise;
  • where the nation receiving personal data lacks laws which fairly protect the rights and interests of the data subject thereby causing injury to the data subject; and
  • where international transmission and utilisation of personal data are made through a circuitous means in order to evade the provisions of this law.

Observation: Control on data transfer by the public sector "in accordance with relevant law and regulations" is non-specific; the provisions for the private sector are in line with the requirements of the EU Directive, except that there is no provision for contractual solutions, though the EU's loophole for data havens is closed through Article 24(4).

Japan: There is no provision relating to transborder data flow in the law.



Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.