The recent action against the mobile app Do No Evil highlights the limitations of the Personal Data (Privacy) Ordinance. The privacy commissioner's office advocated the privacy risk of compiling bankruptcy and litigation records.
But what about other practices? For example, many property brokers upload residential transaction records, including the sales amount, obtained from the Land Registry, for public viewing. This data does not contain personal identification. However, does this service affect the owners' privacy? They may say yes.
Then there is the reuse of press reports, which often include people's names. Does such reuse satisfy the original purpose of making the personal data publicly available?
These examples highlight some issues: privacy concerns can arise without personal identification data; the guidelines are insufficient; and, we need to clarify who should make the judgment, and how.
The response depends on how privacy is treated. There is no universal standard. Some countries treat privacy as a human right and adopt an omnibus approach to protecting all personal data. In others, privacy is governed by contract law except for selected industries such as finance and health care.
There can also be a cost to protecting privacy. One striking study shows that privacy regulations restricting the exchange of electronic medical records could lead to higher mortality rates of newborns.
Limiting the reuse of public data increases the costs of exploiting it. If the aggregation of bankruptcy and litigation data is forbidden, for example, people need to look into multiple government databases for the same information.
More important, the recent enforcement creates ambiguity. When can a business add value to public data? Surely, some restrictions may be needed, and any violation must be properly sanctioned. But what if the reuse is not excluded?
An ambiguous interpretation of the ordinance may stifle innovation as businesses may stop investing in data services because of the worry about privacy infringement.
Above all, we must fix the role of privacy in our society. The ordinance and its strict interpretation seem more consistent with the human rights perspective. Lawmakers should decide whether that is best for Hong Kong.
If a strict interpretation of the ordinance is warranted, then we should review whether the data should be made public in the first place. The issue of reuse will be moot. If it is not, then we need a clear guideline about what is allowed and what is not.
Kai-Lung Hui is professor of information systems, business statistics and operations management at the Hong Kong University of Science and Technology. The views expressed here are those of the author