Privacy Protection rom an International Perspective

Privacy has never been a private matter. Having taken up the Office for two years, I am glad I don't work alone in protecting personal data privacy.

My Office plays a vital role in protecting personal data privacy, which is a human rights issue of significance to people who live in developed economies. We also strive to ensure that our privacy laws are compatible with the requirements of our international business partners-especially in e-commerce so that Hong Kong can thrive as an international business hub.

Locally, our efforts in dealing with social issues that impact on individuals' personal data privacy have won widespread support from different sectors of the community. Internationally, I have been exchanging and sharing information on topical privacy issues with my counterparts in other jurisdictions. It is one of my statutory duties to liaise and co-operate with overseas privacy authorities on matters of mutual interest concerning personal data privacy.

My Office has built a sustainable network with privacy officials in other jurisdictions. From 1992, we started partnerships with Australia and New Zealand to exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints. In 2005, the partnerships were officially re-named Asia Pacific Privacy Authorities, comprising of privacy authorities from Australia (including federal and state offices), New Zealand, South Korea and Hong Kong. Our most recent meeting was held in Hong Kong for the first time and members agreed to achieve our common objectives through a regional promotional programme, Privacy Awareness Week, from 26 August to 1 September, 2007. A series of exciting activities will take place to raise privacy awareness in the Asia Pacific region.

At the inter-government level, my Office has been actively involved in the Data Privacy Subgroup (DPS) of the Electronic Commerce Steering Group (ECSG) under the Asia Pacific Economic Cooperation (APEC). In 2004, the DPS developed a Privacy Framework, which was endorsed by APEC ministers. Currently, the DPS is working to implement the Privacy Framework in relation to cross-border transfers of personal information. I have joined the Cross Border Privacy Rules Study Group which aims at developing a set of Cross Border Privacy Rules (CBPR). These rules comply with and implement the APEC Privacy Principles that govern cross-bordertransfers of or access to personal information of individuals by private organizations. The efforts are particularly beneficial in establishing a foundation of trust in the digital age among member economies.

Earlier this year, government privacy experts, data protection authorities, academics, as well as business and consumer representatives discussed the development and use of CBPR by the business community at the First Technical Assistance Seminar on International Implementation of the APEC Privacy Framework. Since member economies are at varying stages of implementing the APEC Privacy Framework, a highly flexible "Choice of Approach" implementation model has been adopted. In June, members will meet for the Second Seminar and decide what steps to take in the implementation of these cross-border cooperation mechanisms.

All of the above approaches, to the extent that they are relevant to Hong Kong, can provide us with valuable insight. By looking at privacy matters from an international perspective, we gain a balanced outlook on the development of data privacy rights.

Roderick Woo
Privacy Commissioner for Personal Data
June 2007

As recently as 10 years ago, few people could have imagined just how popular or prevalent the practice of uploading videos or personal files on the Internet would be. Even fewer people could have anticipated how this would affect personal privacy.

Today, the seemingly simple and innocent method of posting home videos or personal pictures online might result in a less-than favourable response. Suppose you attended a friend's birthday party one weekend but found out later that an embarrassing moment you were in was captured on camera using a mobile phone and posted online for everyone to see. When your personal information is made publicly available online, there is no control over who will have access to it or what the consequences will be.

These days, social networking websites or personal web pages are increasingly common, especially among the younger generation. Websites such as YouTube, My Space and Facebook feature lots of personal information, including photos and journals, and are the preferred medium by which people communicate with friends and family or meet other people.

Last November, the Hong Kong Christian Service conducted a survey¹ of primary school students from Year 4 to 6 to gauge their online communication activities. The results showed that 19.9% of the respondents communicated with friends by blogging. Some 23.4% of girls and 16.6% of boys wrote about their personal life. The majority of blog writers targeted friends (78.9%), followed by on-line friends (32.6%). Similarly, Breakthrough conducted a survey² in 2005 of people aged 10 to 29 about their online diary habits. It indicated that 99.7% of the respondents had read online diaries while 75.5% had written them.
Topics included the littlethings in life, at 72.8%; social life, 70.8%; and academic or career issues, 62.4%. The diary contents covered emotions, 88%; the little things in life, 85.1%; and happenings, 75.4%. The survey found that young people allow others to read their diary - 88.5% of them let people read all or most of the contents while 66.2% let web surfers read their diaries.

Both surveys showed that young people perceive blogging as a communication tool to express their feelings, thoughts and everyday events. "Privacy is about how you respect other people's information. It is a good thing to see how young people open their hearts and communicate with the outside world. However, disclosing sensitive personal information should be handled with great care," Privacy Commissioner Mr. Roderick Woo said.

There has been an upward trend in the number of complaints in relation to improper disclosure of personal information via electronic means, from 22 cases in 2005 to 37 cases in 2006. In the first quarter of this year, 26 cases have been received. In terms of the nature of the cases, most of them (52 cases) are against individuals, whilst the rest (18 cases) against companies. In one case, the complainant quarreled with someone in a shop only to discover later that a video of the incident has been uploaded on a public website. In some cases, the complainants were unhappy to find their personal information posted on websites without their consent and therefore lodged complaints with the Commissioner's Office against the website administrators. The Australian Law Reform Commission (ALRC) has been consulting with young people in Australia as part of a current review of privacy laws, and has found varying views about posting photos online. Based on their experiences, some young people have suggested that by posing for a photo you more or less consent to it being posted online³.

This is a controversial issue. The traditional way of sharing photos tends to be confined to close friends and family members. You would never go out on the street and show total strangers your wedding photos, for example. It would also be absurd to seek your friend's consent to share the photos before taking them.

The Internet has fundamentally transformed the mode of sharing photos. You may argue that it is my right to post my photos on my web page. But do your friends have the right to stop you from revealing their personal information on the Internet?

To encourage young people to respect people's privacy, the PCPD is joining hands with Australia, New Zealand and South Korea to organize Privacy Awareness Week 2007 this summer. One of the activities is a Writing Competition about young people's perception about privacy. Young people are encouraged to express their feelings about personal data privacy, especially online privacy. What would you feel if someone posts your personal information online? Do you expect people seeking your consent before posting your information online? If privacy rules are set for blogs, what should they be for disclosing information online? These are questions that worth young people's deep thoughts.

¹The full survey report is accessible from the Hong Kong Christian Service website at www.hkcs.org/news/press/2007press/press20070420.htm.

²The full survey report is accessible from the Breakthrough website at
www.breakthrough.org.hk/ir/researchlog.htm.

³More information can be found from ALRC website at
www.alrc.gov.au/inquiries/current/privacy/talk/youngpeople1.htm.

First Case

A debt collection agent (the Agent) was convicted of an offence under section 64(7) of the Personal Data (Privacy) Ordinance (the Ordinance) for contravening an enforcement notice (EN) issued by the Privacy Commissioner for Personal Data. The case was heard in Tsuen Wan Magistrates' Courts on 27 December 2006. The Agent pleaded guilty to the charge and was fined HK$5,000.

The complainant was the referee named by a debtor who had borrowed money from a financial institution which appointed the Agent to recover the debt. In pursuing debts of the borrower, the Agent posted notices containing the complainant's name in public places.

The Privacy Commissioner was of the view that the Agent had contravened Data Protection Principle 3 (DPP3) by displaying the complainant's personal data publicly. DPP3 of the Ordinance stipulates that personal data shall not be used for a purpose other than its original purpose of collection or a directly related purpose unless it is done with the prescribed consent of the data subject.

After investigating, the Privacy Commissioner served the EN to the Agent in June 2006. The Agent did not respond to the EN. As a result, he contravened section 64(7) of the Ordinance. In July 2006, the Privacy Commissioner referred the case to the police.

In accordance with DPP3, a debt collector should only use the personal data of the referee in contacting or seeking information concerning the whereabouts of the debtor rather than exerting pressure on the referee to repay the debt. The PCPD hopes this conviction will deter misuse of personal data for debt collection.

Second Case

The complainant protested against a telecommunications company ("the Company") for repeatedly making direct marketing calls to his office telephone, even after verbal and written opt-out requests have been made.

The Company began contacting the complainant by phone to promote its IDD services in July 2005. The complainant requested the Company several times to stop the calls. However, the Company continued to call him on a number of occasions for direct marketing purposes despite his opt-out requests. In February 2006, the complainant lodged a complaint with the PCPD.

In July 2006, the PCPD issued a written warning to the Company requiring it to stop making direct marketing calls to the complainant. In August 2006, the complainant received at least four marketing calls from the Company. The Privacy Commissioner concluded that this was contrary to section 34(1) (ii) of the Ordinance and referred the case to the police for prosecution.

Four summonses were issued against the Company for contravening section 34 of the Ordinance. The magistrate convicted the Company of the four summonses in the Kwun Tong Magistrates' Courts on 17 January 2007. In mitigation, the Company stated that the marketing calls were made by employees of its Shenzhen sub-contractor, who failed to check the opt-out list before making the calls. The magistrate remarked that the marketing calls were "disgusting and annoying" and imposed a total fine of HK$14,000.

"Privacy is Your Business" Writing Competition

People are increasingly concerned about "privacy". In fact, everybody has different views about privacy. But what about the younger generation? What are their views?

In an effort to raise awareness of privacy issues among young people, the Office of the Privacy Commissioner for Personal Data, Hong Kong, will jointly organize a regional writing competition with members of Asia Pacific Privacy Authorities (APPA), including the Australian and New Zealand Privacy Commissioner's Offices. The writing competition is one of the joint activities of "Privacy Awareness Week" from 26 August to 1 September 2007.

The topic of the writing competition is "Privacy is Your Business ". It is open to all secondary school students. Entries can be in any form of writing, including poetry, prose or an internet blog, in English or Chinese. Prizes for winners include laptop computers, gift vouchers and prize certificates.

The deadline is 3 August 2007. For details, please call the PCPD hotline on 2827 2827 or visit the PCPD website (www.pcpd.org.hk).

Privacy Commissioner Issues Consultation Paper on Proposed Amendments to the Consumer Credit Data Code

The Privacy Commissioner for Personal Data, Mr. Roderick Woo issued a consultation paper on 22 May 2007 to seek the public's views on his proposal to amend the Code of Practice on Consumer Credit Data ("the Code").

The proposed amendments to the Code can be divided into (a) amendments relating to the retention of data in relation to write-off accounts due to a bankruptcy order being made; and (b) minor technical amendments. Interested parties are invited to send their comments in writing to the PCPD by 29 June 2007. Copies of the consultation paper are available at the PCPD at 12/F, 248 Queen's Road East, Wanchai, Hong Kong; or from PCPD's website at www.pcpd.org.hk.

Guidance Note on Property Management Practices

The PCPD has published a new guidance note, titled "Personal Data Privacy: Guidance on Property Management Practices".

In response to enquiries and complaints in relation to property management activities, the PCPD finds it necessary to provide a clear set of good practices to assist property management bodies in better understanding the application of the Personal Data (Privacy) Ordinance ("the Ordinance") to specific situations commonly encountered by them.

In the course of property management, personal data of flat owners, residents and other individuals are often collected and used by property management bodies like owners' corporations, owners' committees, mutual aid committees or property management agents. These activities are subject to the requirements of the Ordinance. The guidance note covers major property management activities, namely the application of building entry pass or smart card, recording of names and identity card numbers of visitors, recording of personal data of car park users, proxy form for owners' meeting, minutes of meeting or notices to residents relating to building management affairs, and handling of complaints from owners or other individuals.

The guidance note is available for downloading from the website of the Commissioner's Office (www.pcpd.org.hk). Copies are also available from the PCPD at 12/F., 248 Queen's Road East, Wan Chai, Hong Kong.

The 26th Asia Pacific Privacy Authorities Forum

Attendees of the 26th APPA Forum.

From 8th to 10th November 2006, the PCPD hosted the 26th Asia Pacific Privacy Authorities (APPA) Forum in Hong Kong. The APPA was established in 1992 (formerly known as PANZA) as a platform for regional privacy authorities to form partnerships and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints. APPA convenes twice a year and members take turns to host the Forum. This was the first time it was held in Hong Kong. In hosting the Forum, the PCPD showed its commitment to the protection of personal data privacy.

Hotel Privacy Campaign Prize Presentation Ceremony

Organized for the hotel industry, a campaign entitled "Pursuing Excellence - Protecting Personal Data" was successfully implemented in November 2006. A prize presentation ceremony was held on 14 December 2006. Mr. Roderick Woo, Privacy Commissioner (second from right, first row), Mr. James Lu, the Executive Director of the Hong Kong Hotels Association (middle, first row) and winners took group photos at the prize presentation ceremony.

One of my duties involves giving legal advice on the application of the provisions of the Personal Data (Privacy) Ordinance ("the Ordinance"). The challenge is how the word and spirit of the Ordinance are meaningfully interpreted and applied.

Prevention is always better than the cure. One of the more effective ways to achieve this is by giving practical guidance to data users. For example, I have been involved in developing the Privacy Guidelines: Monitoring and Personal Data Privacy at Work ("the Guidelines"), which is issued by the Commissioner. It recommends practices to be followed by employers who wish to monitor their employees. The Guidelines introduced a simple "3A" and "3C" approach with ample practical examples to illustrate the concepts of fairness and transparency in data protection. The approach is user friendly and can be easily applied by employers.

I have to handle administrative appeal cases and legal proceedings brought against the Commissioner. Decisions handed down by the Judicial and Administrative Appeals Board ("AAB") are useful references that I use to support legal advice. An AAB hearing is an appeal channel available under the Ordinance to a party who is dissatisfied with the decision made by the Commissioner. Unlike judicial court hearings, the AAB proceedings are conducted in a simple and informal manner with the parties taking turns to make their submissions. The Board is made up of three members, one of whom is the presiding chairman. Since the Commissioner plays the role of respondent in the appeal, I have to defend and explain the decisions made by the Commissioner. Issues might include the interpretation of certain provision of the Ordinance and how the discretion of the Commissioner was properly exercised in a case. Sometimes it can be an uphill battle. The decisions of the AAB are useful precedents as they either reinforce the views adopted by the Commissioner or correct them. The relatively high rate these appeal cases are dismissed indicates the Commissioner is usually correct.

I also have to keep updated on international and local privacy developments and the impact of any technological advancement on personal data privacy. There are constantly new IT breakthroughs, such as RFID, e-health, GPS, Smart ID and others that raise privacy issues. As Legal Counsel, I assist the Commissioner in reviewing and assessing the adequacy of the Ordinance to uphold personal data privacy rights. Appropriate amendments will be proposed to the Government.

Author: Ms Margaret Chiu
Legal Counsel of the PCPD

Luncheon-cum-sharing gathering

In order to foster better communication between the PCPD and its members, the DPOC organized four informal luncheon meetings in February and March 2007.Members from different sectors were grouped into separate luncheons so they could share their work experience in a relaxing atmosphere.

Representatives from PCPD's Legal, Operations and Compliance Divisions also joined in. Members generally felt the gathering provided them a platform to build up a network with other data protection officers and enhance their work experience and knowledge in personal data protection.