Protecting Your Right to Privacy

Hong Kong Lawyer talks to the Commissioner for Personal Data about changing attitudes on the issue of privacy

Stephen K M Lau, Hong Kong's first Privacy Commissioner for Personal Data, was appointed in July of 1996 and charged with responsibility for promoting and enforcing compliance with The Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance). The Ordinance, which was enacted in August of 1995 and came into operation in December of 1996, is aimed at providing legal protection in the use of an individual's personal data both in the public and private sectors. The Ordinance defines personal data as essentially any data relating directly or indirectly to a living individual, from which it is practical to ascertain the identity of said individual. Thus, use of a persons name, telephone or fax number, address, age, gender, occupation, employment records, income, etc are all subject to regulation. Under the Ordinance, a person has the right to confirm whether their data is being held; the right to access the data in question; the right to correct inaccurate data; the right to be informed of the purpose for which the data is being held; the right to give only that data that is necessary to the purpose for which it is being collected; the right to consent to any change of use of the data; and the right to expect that your data will be kept accurate, secure and for no longer than is necessary.

Commissioner Lau believes that the enactment of the Ordinance was very much a reflection of changing attitudes in Hong Kong regarding the importance of personal privacy. 'In a progressive and evolving society, the issue of privacy and personal data is increasingly being recognised and expectations are high.' Recent opinion surveys bear this out. In a 1998 survey conducted by the Social Sciences Research Centre of the University of Hong Kong, the importance of privacy as a social issue ranked higher than both noise pollution and the provision of health services and was essentially the same as that for the environment. Unemployment ranked only slightly higher in importance. 'That was a pleasant surprise' admits Lau 'because in Asian societies, privacy has not been of traditional importance.'

Much of his work as Commissioner has involved being in contact with the private business sector and educating them about their responsibilities under the Ordinance.

Most of the larger companies now have at least one employee in place that is responsible for ensuring that the requirements for data privacy are met. But the Commissioner admits that the process of educating both the general public and private businesses is an ongoing one. 'What we are doing is actually requiring a cultural shift. It takes a lot of education to make something an actual part of the culture.' Having worked in both the private and public sector, Lau is well aware that data, like any other information, is an asset. 'I know that any information, like any other asset that I have, I will want to use if it will advance the course of my business. But what we are saying now to everybody is that there is an additional dimension. That additional dimension is regard and respect for the person.'

Electronic Commerce

A recent survey done by the Commissioner's office indicates that Hong Kong based business Web sites may in fact be the least likely to comply with the law on data privacy. The situation is clearly not unique to Hong Kong.

The massive growth of the Internet over recent years and the corresponding development of electronic commerce (e-commerce) have led to increasing concern over the use and world-wide transfer (via the Internet) of private data. E-commerce, which is essentially the buying and selling of goods and or services over a network such as the Internet, is, according to many experts, the major business trend of the future. While exact figures are hard to determine, it has been estimated that in 1998 alone, e-commerce transactions totalled US$ 8 Billion. This figure is expected to rise to US$ 327 billion in the year 2001 (eMarketer, July 1998).

Concerns over privacy emerge when companies request personal details (name, address, age, income, credit status, etc) as part of a transaction and then use (or sell) this information as part of its marketing strategy. The response to this issue by various governments has been a source of great contention. The US Government has consistently maintained that it will not regulate privacy on the Internet but instead calls upon industry to regulate itself. The European Union, on the other hand, has taken the opposite approach. The EU's Directive on data protection, which took effect in October of 1998, gives individuals the right to know and in some cases control how their personal data is being used. Perhaps more important from a business point of view, the Directive requires governments to pass legislation that would prevent the transfer of personal data to third countries who do not provide 'adequate' protection.

The specific section of the Hong Kong Ordinance dealing with the issue of e-commerce and the transfer of personal data outside of Hong Kong has yet to be commenced although it is very much in line with the requirements of the EU Directive. Its commencement date is yet to be determined and is somewhat dependent on the EU's speed of and approach to the implementation of its Directive. As Commissioner Lau points out, 'Hong Kong is a small place and our economic life-blood is our global commerce and global business. Therefore, we cannot afford to be competitively disadvantaged ... we would really like to see what the EU is going to do so we are taking a rather pragmatic approach.'

Much of the Commissioner's concern relates to how the EU will ultimately deal with the issue of defining what is meant by the term 'adequate' contained in the EU Directive. 'We would rather follow the "big brother" than have us charging ahead with this ... let's see what the Europeans are going to do in terms of defining what is "adequate" and have them draw up a list of countries that are perceived as abiding by that standard. Then we can follow suit.' The need for caution seems obvious when one considers the potential impact on those countries that are not on the 'safe' list. Adds Lau, 'any list of countries that have or do not have 'adequate' protection could be used as a bargaining chip in trade discussions. Such a list might even be seen as an excuse for trade barriers. So the issue goes beyond personal data and can spill into the area of trade and trade negotiations. A country has to be very careful. It is a side issue, but an important issue.'

In the meantime, Lau is quick to point out that 'although the specific section on transfer of personal data outside of Hong Kong is not yet commenced, the transfer of data, including the transfer of data overseas, must still comply with the general principles of data protection as specified in the Ordinance in terms of use, security and accuracy. The specific section when effected will provide a greater degree of protection in line with the EU's Directive.'

Good Business Sense