Skip to content

Media Statements

Media Statements

Date: 13 August 2013

Investigation Report: Smartphone Application "Do No Evil" Seriously Intruded Personal Data Privacy

(13 August 2013) The Office of the Privacy Commissioner for Personal Data ("PCPD"), after an investigation, decided that a smartphone application known as "Do No Evil" ("the App"), which enabled search for target individuals' litigation and bankruptcy data, had seriously invaded privacy. The PCPD had issued an Enforcement Notice directing the database operator, Glorious Destiny Investment Limited ("GDI"), to cease supplying such data to the App. GDI has complied with this directive since 7 August 2013.

2. Mr Allan Chiang, the Privacy Commissioner for Personal Data ("the Commissioner") remarked at the press briefing today that although litigation and bankruptcy information is available in the public domain, they are personal data which is subject to protection under the Personal Data (Privacy) Ordinance ("the Ordinance"). Any person who further uses such sensitive personal data must respect the privacy of the data subjects and comply with the Ordinance's Data Protection Principles ("DPPs"). In particular, DPP3 requires that personal data should only be used for the purposes for which it was collected or a directly related purpose. Explicit and voluntary consent of the data subjects must be sought before changing the purpose of use. "Convenience is not a justification for intrusion of others' privacy", stressed Mr Chiang.

Background and Findings

3. The App was launched in 2012 with a claim of 2 million records of civil and criminal litigation as well as bankruptcy cases. After installation of the App, users could search if such records existed for a target person. The search results could show the target person's name, partial identity card numbers, address, court type, action number, nature of civil case, criminal charge, company directors' data and more. The App publicised that it could be used to conduct due diligence review and background check for decisions involving the offer of a job to a potential employee, including a private tutor and a domestic helper; signing tenancy agreements with prospective tenants; or signing contracts with business partners. In the past year, the App had more than 40,000 downloads, and more than 200,000 search requests.

4. The PCPD had received 12 complaints against the App for intrusion of personal data privacy, and enquiries and expressions of concerns from 60 people. The PCPD thus initiated an investigation against the operator of the database, GDI.

5. It was found that GDI had collected litigation, bankruptcy and company directorship data of the public from different sources, including the Judiciary, the Official Receiver's Office ("ORO"), Gazette and the Companies Registry, and formed a database. The App enables users to search an individual's litigation and bankruptcy data by his name or address. The service involved the collection and use of a massive amount of personal data.

6. Two of the complainants had been involved in both litigation and bankruptcy cases, with no relation between the cases. However, the search result of the App showed in one go the litigation records of the Judiciary, bankruptcy records of the ORO, as well as company directors' data, which were obtained from different sources (see Appendix). They were worried that the consolidated data might be used to make adverse inference and decision against them, including employment decision. They felt that their privacy had been violated.

The Commissioner's Decision

7. DPP3 of the Ordinance requires that personal data should only be used for the purpose for which it was collected or a directly related purpose, unless the explicit and voluntary consent of the data subject has been obtained. The use of personal data obtained from the public domain for due diligence review and background check was obviously inconsistent with the original purpose of data collection by the Judiciary, the ORO and Companies Registry, as well as their purposes of making the data publicly available. (Table 1)

Table 1: Original purpose of making the data publicly available

Original Data User

 

Purpose of making the data publicly available (Explicit or Implicit)

Judiciary

Daily Cause Lists

Facilitate litigants, witnesses and members of the public to attend designated courts at the right time. Destroyed one day after the trial is over

Judgments

Disclose reasons for the court's decisions

Cause Books and
Writs of Summons

Provide litigation information to the public, but not to enable the public to access individual litigants' data

All of above

Ensure open justice

ORO

Bankruptcy notice published on the Gazette

Let the public know when the named person was bankrupt or had been discharged, and all debts due to the bankrupt should be paid to the trustee during the bankruptcy period. The data can only be used for the purposes of the bankruptcy cases

Companies Registry

Annual Return

Enable members of the public to ascertain, when dealing with a company, whether a person holding out as a director of the company is in fact dealing in such capacity


8. The Commissioner pointed out that the data searchable by the App included very sensitive personal data such as names, addresses and partial identity card numbers of litigants and bankrupts; the amount and reasons of claims; charges; decrees and so on. As the operation of the App had brought about the following privacy risks, its use of personal data had obviously exceeded the reasonable expectation of the data subjects on public disclosure of their litigation and bankruptcy data:

  • Aggregation of data brings higher privacy risks: As the App aggregated the litigation information from different courts and the bankruptcy data published on the Gazette, users of the App could view all these multi-sourced data of a target person in one go simply by entering his name. Aggregation of such fragmented information increases the severity of the privacy intrusion.

  • Sensitive personal data being accessed without the data subjects' knowledge: The App enabled users to access others' litigation and bankruptcy data at any time without informing the data subjects. The data subjects did not know that their sensitive personal data was accessed by others via the App. In other words, the data was used without the data subjects' consent and knowledge.

  • Difficulty in restricting further use of the data: The Judiciary, the ORO and the Companies Registry disclose or publish litigation, bankruptcy data and company directors' data according to the law, and they have imposed access restrictions to prevent the data from being misused. It is understood that GDI made use of the same litigation and bankruptcy database to provide due diligence service to corporate clients, and presumably the service has strict contractual terms to ensure the data is legally used. On the other hand, the App was targeted at consumers. There was hardly any restriction on the use of personal data imposed by GDI nor had there been any measures adopted to restrict individual users from bulk download or reproduction of the data from the database. Hence the data accessed could be misused, thus aggravating the intrusion of personal privacy.

  • Data not accurate, valid and comprehensive: Where the target person involved in litigation cases was finally acquitted or the claim was not substantiated, the App would not always update or clarify the situation and hence users would be misled. Moreover, the search result inevitably revealed all persons in the database with the same name. Hence innocent target persons could be mistaken as litigants or bankrupts. Though the App had offered a service of "Redress Files" to enable the data subjects concerned to correct their personal data, the Commissioner considered that it was unfair to put such onus on the data subjects.

  • Detrimental to rehabilitation: According to the Rehabilitation of Offenders Ordinance, an offender who is sentenced to imprisonment not exceeding 3 months or to a fine of less than $10,000 will be treated as not having been convicted of the offence, if that individual was not again convicted of an offence in three years' time. Under the Bankruptcy Ordinance, a bankrupt can be discharged from bankruptcy after a period of 4 to 8 years. The Code of Practice on Consumer Credit Data issued by the PCPD requires that credit reference agency can only keep the bankruptcy records of a person up to 8 years after declaration of bankruptcy. However, the App operated on a database with no prescribed retention period for the data nor arrangement for deletion of invalid data. This would adversely affect the rehabilitation of the data subjects.

9. To conclude, the Commissioner is of the view that the disclosure of litigation, bankruptcy and company directors' data of the complainants by GDI via the App has exceeded their reasonable expectation on the use of their litigation information in the public domain. This is neither consistent with nor directly related to the original purposes of the Judiciary, the ORO and the Companies Registry in collecting the complainants' litigation and bankruptcy information, and hence GDI had contravened DPP3.

Enforcement Action

10. Considering the large number of people affected and the severity of the privacy intrusion risk, the Commissioner issued an Enforcement Notice to GDI on 31 July 2013, directing it to cease disclosing the litigation and bankruptcy data it held to the App users. GDI had complied with the directive since 7 August 2013.

The Commissioner's Comments

11. Mr Chiang stated, "This case highlights a common misunderstanding that personal data collected from the public domain, not from the data subjects direct, is open to unrestricted use."

12. "I must make it clear that personal data obtained from the public domain is still subject to regulation of the Ordinance, otherwise the consequences will be dire. For example, people may get around the law by deliberately publicising the data so as to make ‘data available in the public domain'. Further, personal data leaked on the Internet from data breaches may be treated as data in the public domain and thus can be ‘legally' used." Importantly, people may combine, re-arrange and match personal data obtained from various public sources to form a profile of a target person (i.e. profiling) and generate new uses of the data. This is facilitated by rapid advances in information technology which enable data processing to be done at phenomenal ease and efficiency.

13. The Commissioner acknowledges that profiling and re-use of the personal data in the public domain could generate economic efficiency and societal benefits. At the same time, he wishes to emphasise that such activities expose invariably individuals to particularly high risks of discrimination and attacks on their privacy rights and freedoms. Some examples of these risks include:

  • Use of bankruptcy and litigation records of individuals to check their integrity, credit-worthiness and employability without their knowledge and without any guarantee on the data's accuracy, validity and comprehensiveness (the privacy concerns as presented in the investigation case);

  • Compilation of sensitive data such as individuals' identification numbers, residential addresses and signatures from the companies register, vehicles register and lands register by ill-intentioned people, thus exposing the individuals to the risks of identity theft, stalking and surveillance;

  • Use of contact information, lifestyle and behavior data of individuals to make unwanted sale approaches.

14. "In daily life, it is common for people to collect others' personal data from the public domain for further processing and use. To determine whether it is an intrusion of others' privacy, we may look at the reasonable expectations of the data subjects on personal data privacy. The test here is whether a reasonable person in the data subject's situation would find the re-use of the data unexpected, inappropriate or otherwise objectionable. Each case will have to be determined on its own merits, taking into account all relevant factors", Mr Chiang added.

15. The Commissioner notes that the right of individuals to privacy is not absolute. It must be balanced against other rights and public interests, such as freedom of information. Part VIII of the Ordinance specifically provides for certain exemptions from the application of DPP3 and they apply equally to personal data in the public domain. The exemptions cover a wide range of situations. In particular, section 58 caters for personal data used for the prevention or detection of crime or for the prevention, preclusion or remedying of unlawful or serious improper conduct or dishonesty or malpractice by persons. This may be relevant for data users engaged in law enforcement and professional due diligence. Also, section 61 provides for the exemption from DPP3 for news activity where the publishing or broadcasting of the personal data is in the public interest.

16. To assist data users to comply with the requirements under the Ordinance, the Commissioner publishes the Guidance on the Use of Personal Data Obtained from the Public Domain concurrently with the publication of this investigation report. Both can be obtained from the PCPD office or be downloaded online:

Investigation Report: www.pcpd.org.hk/english/publications/files/R13_9744_e.pdf

Guidance note: www.pcpd.org.hk/english/publications/files/GN_public_domain_e.pdf

- End -