1 POSITION TAKEN
I would like to address the proposition put by drawing upon the experience of the Office of the Privacy Commissioner for Personal Data in Hong Kong ("the PCPD"). I want to develop that learning and supplement it with the findings of research we undertake annually into community perceptions of personal data privacy. In addressing the issue that I have been asked to speak to - the case for separate regulation of privacy and freedom of information - I am merely seeking to offer a contrarian view for the purpose of prompting debate. I am fully aware that a growing number of jurisdictions have combined the statutory regulation of data privacy and freedom of information ("FoI") and, no doubt, others are actively weighing the arguments for so doing. I would not therefore wish to convey the impression that I am engaged in some didactic endeavour designed to preach a moral sermon to those of you in the audience that operate a combined regime.
I should perhaps state at the outset that I am a firm believer in contextualism. My honest opinion is that either of the two models proposed may be perfectly tenable in a given context. It is the substance of that context that determines the extent to which either model is appropriate and efficacious in terms of the needs of a particular jurisdiction. In truth therefore I have an open mind about the proposition and can see merits in both systems. However, my task today is to convey to you the virtues of distinctly separate regulatory authorities to deal with data privacy and freedom of information. I feel rather more comfortable in adopting this stance because in Hong Kong there is no FoI legislation and consequently no commissioner to represent that interest.
That the citizens of Hong Kong take their personal data privacy rights seriously is in no doubt. They are also increasingly prepared to exercise those rights. The evidence for this is in the rapid increase in caseloads, notably over the past 3 years, for those of our staff in the Operations Department.
At this point I can only speculate on what would happen if a proposal to merge the statutory powers I have in relation to personal data privacy were extended to include FoI powers. Initially I think that, in Hong Kong, confusion would prevail. That confusion would emanate from perhaps the rather simplistic, yet attractive notion that no man/woman can serve two masters. I am also fairly sure that those members of our Legislative Council that are generally pro-privacy would raise, and want to debate at length, the prospect of a conflict of interest.
Why do I think that confusion would be likely to prevail? My explanation draws upon two observations which compound one another. First, I think that ignorance around FoI (or, at least, a lack of understanding of the subject) would be a substantial barrier to disseminating the essential message. I will return to this point later. Secondly, I think that currently there is no general sense that there is a need for FoI legislation. I cannot recall any recent media story of substance on the subject. If my impression is correct, I question whether it is the Administration's role to assume responsibility for creating that need and then servicing it. Thirdly, I think that we would have a perceptual problem on our hands built upon the view that there is an essential contradiction in one commissioner assuming the role of arbiter between two different sets of values that could come into conflict with one another.
Before developing my arguments further I think it would be beneficial, given the international flavour of this conference, to offer some background to personal data privacy, freedom of expression and FoI in Hong Kong.
2 THE LEGAL BACKGROUND TO PERSONAL DATA PRIVACY, FREEDOM OF EXPRESSION AND FoI IN HONG KONG
PERSONAL DATA PRIVACY
In 1992-1993 the Law Reform Commission's ("the LRC") sub-committee on privacy began to research the issues associated with personal data privacy in Hong Kong. At that time FoI, though touched upon by the members of the committee, was not given serious consideration. The outcome of the LRC's discussions was a recommendation that Hong Kong draft personal data privacy legislation. This recommendation was accepted by the then Administration and in 1994 Hong Kong opted for a legislative approach to personal data privacy that consisted of a statutory framework and regulatory mechanism. The Personal Data (Privacy) Ordinance ("the PD(P)O") was enacted in 1995 and took effect in December 1996. The primary purposes of the PD(P)O were to protect the individual's personal data privacy rights and to safeguard the free flow of personal data to Hong Kong from restrictions by countries that already had data protection laws in place. In effect the PCPD has become the leading advocate and defender of personal data privacy rights in Hong Kong as distinct from any rights that may be associated with FoI.
The PD(P)O is a comprehensive piece of privacy legislation that has been instrumental in raising the profile of privacy in the community from it being an item of curiosity, to a human right that is valued. Over the past 5 years or so, the independently commissioned research that the PCPD has undertaken indicates that the community has come to regard privacy as a social policy of importance ranked third out of seven policy portfolios behind unemployment and air pollution (please refer to Figure 1).
The perceived benefits are not exclusively in favour of the data subject. The same research indicates data users hold positive attitudes towards the long-term benefits to be obtained from compliance with the provisions of the PD(P)O (please refer to Figure 2).
Without wishing to sound too self-serving I am gratified to see that our combined endeavours have been able to achieve these sorts of outcomes in the relatively short life of the PCPD to date.
The notion of privacy is also given legal force in Hong Kong by virtue of the SAR's obligation under several international covenants:
3 THE MERGING OF VALUES AND REGULATORY MECHANISMS ~ SOME ISSUES
The generic term 'human rights' assumes different dimensions which are complementary in nature and give rise to a certain 'wholeness'. Of course that 'wholeness' is subject to change and privacy is a relatively recent addition to the human rights afforded to the individual. However, it is clear from the reporting of alleged abuses of human rights that codifying them in international covenants, though symbolically important, is very distinct from ensuring that they are adequately protected on a day-to-day basis. For that to happen there must be political will, appropriate legislation and an effective regulatory mechanism. An effective regulatory mechanism is one that commands the respect of the community and is impartial and equitable in enforcing human rights legislation. It is for that reason that I would adopt the stance that the merging of regulatory functions needs to be subjected to something akin to a feasibility study. Only if functions are seen to be complementary, rather than in conflict, can the marriage work. Whether that is the case is dependent, to my mind, upon something I have already alluded to, public perception.
Allow me to try to examine this a little more closely. Clearly there are some commonalities between personal data protection, freedom of expression and FoI. However, although the personal rights arising from the three sets of values may be complementary, within the overall context of human rights, their expression, in terms of the benefits to be derived from these rights by the individual, can only be achieved if the legislative structure and regulatory framework underpinning them are seen to be equitable. That perception is likely to be influenced by perceptions of the mechanism's efficacy, efficiency, transparency and accountability. However, perhaps more important than all of these conditions is the need for regulatory authorities to avoid conveying the impression that they are in any way compromised by the potential for a conflict of interests. Circumventing that potential for conflict would require a subtle separation of these rights and their respective benefits. I say subtle because I think that the natural tendency of an institution charged with upholding these rights would be to use economic or accounting expediency to 'force' some coalescence of at least two of them. If the resultant institutional structure giving effect to these rights were to convey some sort of administrative amalgamation of them then there is always the prospect of the discreteness of any individual right being subject to strain. To my mind, that is wholly undesirable.
The central issue for debate involves not simply a matter of whether the three rights are complementary but whether there may be potential for conflict of interest in the course of enforcing those rights. Such conflict may manifest itself in a number of forms. If judgements are seen to be arbitrary or lacking in consistency then the impartiality and objectiveness of the processes involved in investigating cases would come into question, and rightly so. This brings me to the matter of the fundamental integrity of the regulatory mechanism which, I suggest, is ultimately determined in the court of public opinion.
4 THE PERCEPTION IS THE REALITY
John Lindsay, a former mayor of New York on the campaign trail for a second term in office, once observed: "In politics, as in life, the perception is the reality." [2] The power of perception cannot be under-estimated and such power can be put to advantage, or give rise to disadvantage, in different forms and in different situations. I would like to take that idea and apply it to the argument for not merging personal data privacy and FoI in one office.
[2] In point of fact he won a second term partially because of the aura he projected. The perception he created among the electorate was that he could relate to people of all walks of life and possessed “the common touch,” even though he came from a privileged background. It was as much this perception as the policies he was associated with that rewarded him with a second term in office.
The thrust of my case is that the credibility of a regulatory system is ultimately based upon public perceptions. People see what they want to see, hear what they want to hear and are influenced by selective recall. The big question therefore is what do members of the public 'see' in a single office that combines the roles of privacy and FoI commissioner? As I have suggested, such an organizational configuration runs the risk of projecting an image characterised by confusion. As the two sets of rights challenge each other it is almost inevitable that the public perception will be formed that there is an essential conflict of interests. Frankly, it matters not whether that is the actual case because the perception can 'delude' people into believing what they choose to believe and what they choose to believe may not be favourable in terms of their attitudes towards the office of a combined commissioner. If that were the case then I think there is the risk that collective perceptions of the community, which may degenerate into prejudices, could effectively undermine the moral authority of that office. If that were to happen my view is that this would strike at the very heart of the system. Equally as significant it would create a "lose-lose" situation.
Let me apply this line of argument to Hong Kong by way of an illustration. In the HKSAR, the PCPD is perceived by the community as the advocate and champion of personal data privacy. Although at the present time it is an unlikely event, what would be my analysis if the PCPD were to assume responsibility for newly passed FoI legislation? With a history that has been exclusively devoted to personal data privacy the overlay of an FoI remit would mean that our Office would have to involve itself in the perception management business. Perceptions alone would be enough to cause damage to the level of public confidence invested in such a regulatory system. If conflict of interests were to be perceived at the inception of a combined office then that perception strikes at the very core of the regulatory system, and the ensuing erosion of confidence becomes a damning indictment of its creation and creator. The damage would have been done and correcting that damage would make considerable demands upon the skills of the most accomplished spin doctor.
However, I recognise that my argument is influenced by my own experience as a privacy commissioner and that, of course, is context-specific. That context may be idiosyncratic, if not unique, and therefore I am not putting forward a view that can be universally applied to other jurisdictions that exhibit different structural features and social components. As a person who sees merit in contextualism I must acknowledge that Hong Kong is not the United Kingdom and what suits one may very well be contrary to the interests of another.
For the purpose of our discussion, allow me to cite three principal objections to the creation of a combined office. Again, I stress that these objections may be perceived rather than actual.
1) Information 'versus' Privacy
"Versus" may overstate my case a little but I believe that from a perceptual standpoint that is precisely how any conflict of interests might be paraphrased. Information precedes privacy in that without information there can be no infringement of personal data privacy rights. Accordingly, an Information Commissioner would be expected to protect the right that FoI legislation confers upon the public, namely the right to be informed of, and have access to, official information. In exercising this right the most obvious problem would be dealing with official information that contained private information. For some FoI proponents this would not be an issue because the stance taken would be that the rights pertaining to private information should be subordinated to the public's right to know. What justification is there for asserting that the public's right to know reigns supreme and at the expense of the public's right to a reasonable expectation of personal data privacy? Where do you draw the line between the exercise of these rights and how do you draw the line in practice? What day-to-day problems arise from striking a balance between the two, and can you expect to walk that fine line in a consistent and impartial manner that exemplifies an equitable judgement?
2) The Inviolability of the Public's Right to Know
How far should the public's right to know intrude into the private affairs of another, especially the lives of public figures and media personalities? Should those in either category, upon assuming some public significance, be expected to abandon any hope of preserving and protecting their privacy? Does the argument that the public's right to know extend to the citizens of Canada knowing what their Prime Minister has for breakfast or, for that matter, who he has breakfast with? Should the glare of the public spotlight cast a shadow over all aspects of the Prime Minister's privacy, twenty-four hours a day?
Surely there are great difficulties involved in giving definition to fairness, reasonable access, and a reasonable expectation of privacy. Certainly those charged with clarifying those definitions face an unenviable task. Yet it is a task that must be undertaken if for no other reason than that cited by the French scholar Voltaire who said, "Define your terms and we shall talk." Those of us with a legal training know this only too well in that ill-conceived definitions give rise to a plethora of problems associated with interpretation and application of the law. In short, practice becomes precarious simply because a lack of clarity impacts upon an ability to devise sound criteria for decision-making purposes. If decision-making becomes fudged the operation and maintenance of a regulatory authority is placed in jeopardy.
3) Grey is not a 'Good' Colour
Any contest of values is likely to give rise to grey areas. Where there are grey areas the focus inevitably switches to judgmental issues such as objectivity and fairness. Grey areas confront the decision-maker with imponderables that can so easily degenerate into a compromise of one set of values in one set of circumstances and another set of values in another set of circumstances. This type of arbitrariness does nothing to promote faith in the concept of fairness, and that does not make for a good regulatory mechanism.
My primary objection therefore is that situation-specific decision making gives rise to an unacceptable level of risk that, in turn, has ramifications for continuity and regulatory consistency. The legal splitting of fine hairs in FoI and privacy judgements confounds the layman. I don't think that I am alone when I say that I firmly believe it to be the duty of legal practitioners in public service to clarify rather than obfuscate issues so that the learning can readily be communicated, and communicatable, to persons on the proverbial Clapham omnibus.
Review and Appeal may not be the answer
By way of a supplementary to the issues generated by 'greyness' it is my view that the corollary of this phenomenon is that it tends to result in the construction of an elaborate review and appeal mechanism. Such a mechanism, erroneously in my view, tries to both rationalise the imperfections of the regulatory system and convey to the general public that all is well. I do not think that is so, in fact I believe that a very different interpretation can be made, which is, that the elaborateness of the review and appeal mechanism is directly proportional to the magnitude of the inadequacies of the regulatory system. Far from conveying a sense in the community that the review and appeal mechanism is some sort of user-friendly safety net that the individual may seek reassurance in, there is at least an equal chance that its complexity is intimidating, and, for the lesser man, not a real option. Complexity, compounded by convoluted procedures and a lengthy procedural process, together with associated costs, dissuades all but the most tenacious complainant from exercising his/her rights.
5 CONCLUSION - An Issue of Confidence
The foundation of an effective and efficient regulatory system is the trust and confidence in the system on the part of those regulated. Argument aside an adverse ruling by an appellate body can seriously undermine regulatory integrity and confidence. In the final analysis, it comes down to an issue of confidence. If 'consumers' have confidence in products and services they will purchase them. If they don't, they will reject them. I do not think that because regulatory bodies reside in the public domain that they are immune to this very fundamental market principle. On the contrary, they should learn from and have an open mind towards other types of organisations that offer services to the public. Why? Because in many ways there are striking similarities between the office of a regulatory commissioner and a service-oriented company operating in the private sector. Both offer services to the public which are attempts to satisfy their wants and needs. In the process of consumption 'consumers' may well challenge the value of that service, or its delivery, and register a complaint. I would therefore suggest that we might do well to think 'outside of the box' and look at how other people face the challenges that I have outlined. Most importantly, we need to consider how they instill consumer confidence in the services they offer, and when that breaks down, as it does from time to time, the damage control mechanisms that are engaged in order to satisfy the customer and restore confidence.
I think the issues of trust and confidence are central to determining just how any regulatory mechanism is perceived, indeed both act as critical tests of the system. An analogy would be with the way in which the B2C consumer regards shopping online. In Hong Kong at least, shopping online accounts for a minimal proportion of total consumer expenditure in a city that is highly 'wired' and where consumers embrace new technologies with enthusiasm. Nonetheless, survey after survey into online shopping indicates that consumers just do not have trust and confidence in the Internet and E-vendors. Irrespective of the pledges made on the websites an abiding perception is that it is just not safe to shop online. Whether it is more or less safe to hand over a credit card in a physical transaction as distinct from transmitting those details over the Internet is a moot point. However, the perception is the reality and the perception says that E-vendors have to do a lot more to establish trust and confidence in this medium for it to become widely diffused.
In conclusion, if we subscribe to the proposition that protection of personal information, as a public service, is best undertaken by an independent authority - untainted or unaffected by issues considered important by the authority of the day - then the separate regulation of privacy and FoI would appear to me to be the preferred model, at least, from the HKSAR's perspective. This is so because a separation of duties and powers is less likely to result in a situation in which the office is obliged to confront those issues that become the subject of public scrutiny and controversy.