In response to the letter "Privacy Ordinance already gives people enough protection" published in South China Morning Post on 12 March 2008, the Privacy Commissioner Roderick Woo further explained the rationale behind his proposal to the government to consider creating a new offence that anyone obtaining, disclosing, leaking or selling personal data without the consent of the owner is committing an offence:
I note Mr. Eugene R Raitt's concern (letter dated 12 March) about my proposal to the Government to consider creating a new offence in order to deter irresponsible behaviour in handling personal data online. I would first like to state that this proposal predated the recent unfortunate nude photo incident. And the rationale behind it, is mainly to deter people from knowingly or recklessly obtaining personal data without consent from the data user and the disclosure or sale of the data so obtained to third parties. For example, the unauthorized access and collection of customers’ personal data by a staff of a bank or a telecommunications company for the purpose of selling them to debt collection agents or third parties for profits. There is a similar provision in the UK privacy law that has proved to be effective in curbing such offence. The UK Information Commissioner who was recently in town confirmed this.
Like many other jurisdictions where privacy law has been enacted for a period of time, Hong Kong faces the need for a higher level of personal data privacy protection and stronger legislative sanction to properly address the privacy impact brought about by technological advancements. In Australia, the Law Reform Commission issued a discussion paper titled “Review of the Australian Privacy Law: An Overview” in September 2007. In Canada, a Fourth Report of the Standing Committee on Access to Information, Privacy and Ethnics on “Statutory Review of the Personal Information Protection and Electronic Documents Act” was submitted to Parliament for consideration in May 2007. In New Zealand, the Law Reform Commission of New Zealand has also embarked on a phased project entailing the review of the Privacy Act 1993 with a view to updating it as a result of emerging technology. I can cite more examples to illustrate the point that privacy authorities around the world do consider the law relating to data protection is at an evolutionary stage.
It is my responsibility to protect personal data privacy rights as defined in the Personal Data (Privacy) Ordinance. In performing my role, I am obliged to balance the benefits to the society at large and the degree of intrusion that the activities have on personal data privacy of individuals. Mr. Raitt is right in saying that personal data held for domestic or recreational purposes are exempt from the provisions of the data protection principles of the privacy law. However, the selling of unlawfully obtained personal data is a different matter.
Mr. Raitt may find comfort in the fact that the views of the public will be widely sought before my proposal goes any further.
Roderick B. Woo
Privacy Commissioner for Personal Data