PCPD - The Privacy Commissioner's clarification on criminalizing data leakage

The Privacy Commissioner's clarification on "criminalizing data leakage"

1.    The Privacy Commissioner for Personal Data Mr. Roderick B Woo issued the following statement in response to today’s news reports that he proposed to criminalize data leakage.

2.    The Commissioner wishes to stress that the proposal he made to the Government last year was not to "criminalize data leakage".

3.    Mr Woo said, "I do not advocate criminalizing data leakage and I abhor the thought that an inadvertent act or omission on the part of a data user could turn him into a criminal. It has never been part of my proposal to the Government that a simple act of data leakage should be treated as an offence."

4.    What the Commissioner is proposing to the Government is to consider amending the law to provide appropriate sanction along the line of section 55 of the Data Protection Act in the UK. The section, which has been in force for more than seven years, makes it an offence (with certain exemptions) for any person who knowingly or recklessly, without the consent of the data user, obtain, disclose or procure the disclosure of personal information. A person who sells personal data obtained in such circumstances also commits an offence. Like most other offences, an intent to commit the offence is an essential component of the offence. Offenders are liable to pay a fine. Currently the offence does not carry a prison sentence although it is reported that the UK Commissioner is asking for the Act to be amended so as to give it more "teeth". However, it is not part of Mr. Woo's proposal that there be any imposition of a prison sentence in the proposed new offence.

5.    The main rationale behind the Commissioner's proposal is that there should be a penalty for the irresponsible behaviour of persons who, in flagrant disregard of personal data privacy, obtain or disclose personal data leaked by data users. Mr. Woo said: "The proposal is aimed at deterring acts such as downloading or disseminating sensitive personal data on the Internet after an accidental leakage of the data by a data user. For example, the unauthorized access and collection of customers' personal data by a staff of a bank or a telecommunications company for the purpose of selling them to debt collection agents or third parties for profits; or the sale of such data to direct marketing companies or for perpetuating crime by theft of identity."

6.    Knowing that the proposed amendment would have a significant impact on data subjects and data users as well as society at large, the Commissioner strongly suggested to the Government that the public should be widely consulted before any legislative procedure is to be carried out.

END