Data protection law needs to evolve to tackle privacy challenges, say experts

Government urged to catch up with information age and consider amending privacy ordinance to protect people without stifling opportunities

PUBLISHED : Monday, 25 November, 2013, 9:41am
UPDATED : Tuesday, 26 November, 2013, 8:28am

Hong Kong’s data protection law is “miles away” from developments internationally and does not fit with what is happening in society, critics have said.

The law needs an update to enable the city to tackle privacy challenges and embrace innovation opportunities brought about by the use of public data in the information age, to maintain its laissez-faire culture and reputation as an international business hub, according to a senior lawyer, a lawmaker and a scholar.

The government should engage the public in discussions on how the law needs to be amended to protect people from the “evil” of invasive background searches, known as “human flesh searches”, while avoiding stifling innovation and business opportunities with undue restriction on use of public data.

“I think that the [Personal Data (Privacy) Ordinance] doesn’t necessarily fit with what’s going on in the world. I don’t think that the legislation is suitably developed to be able to deal with public data,” said Simon Deane, a partner of law firm Deacons.

Freedom of expression needs to be preserved but at the same time protection of privacy is also very important
Dr Marcelo Thompson

Information law expert Dr Marcelo Thompson said: “Hong Kong’s data protection law needs to evolve beyond recent, localised amendments. It is not well suited at present to deal with problems related to the aggregation of public data. I trust few people would disagree on how harmful, for instance, human flesh search engines can be.”

The call for a review of data protection law came as opinions remain divided on whether the privacy watchdog was right to have forced the shutdown of mobile phone application Do No Evil for gleaning and collating personal data from various public records and making it convenient to search them by name. The personal information included a person’s involvement in criminal and civil litigation, history of bankruptcy and partial identity card numbers.

The privacy commission said in August the app broke the law because the new use of the data was different from the original purpose for which the data was collected and no consent was obtained.

But Deane said the commissioner’s ruling was flawed, criticising it for failing to make a distinction between data that is lawfully disclosed by the government and data that is generally available in the public domain.

“It is intellectually dishonest to argue that restrictions on use of personal data which has been made public by a government agency should apply when it is very clear that the agency cannot control actual use of the data, and indeed has no intention of doing so,” Deane said.

Deane, who will publish an article in the legal journal Hong Kong Lawyer discussing the flaws in the commissioner’s decision, suggested people should be free to use personal data made public lawfully and officially.

He also said there was an issue of discrimination given that banks were legally allowed to access aggregated public personal data under an exemption, but an ordinary person was not.

While banks were under a legal duty to do due diligence to make sure that their clients were not laundering money, he said the crime under the Organised and Serious Crimes Ordinance applied to everyone. “A man in the street” should not be deprived the right to do background checks on others to avoid getting into trouble, Deane said.

“Is it fair? Why should I not be able to do a check into my business partner to make sure that he is not a crook just because I am not a bank?”

However, Thompson said he tended to agree with the commissioner’s decision. “Freedom of expression needs to be preserved but at the same time protection of privacy is also very important,” he said.

“I don’t think it is proportionate and fair to make tools available whose only function is to conflate data across contexts in order to build detrimental profiles of a person. This is even more so when the very purposes for which those data were made available online in the first place are violated.”

But what Deane and Thompson could agree on was the law should be updated to come to terms with the information age.

Thompson said Hong Kong was “miles away” from ongoing discussions in Europe on data protection law. Some in Europe have proposed a “right to be forgotten”, which would empower people to ask service providers to delete their personal information stored online even if it was provided voluntarily.

He suggested the introduction of some accountability in the aggregated treatment of public data, ensuring that those who provide the tools abide by certain standards of civic responsibility.

Lawmaker Charles Mok said many in the information technology sector were concerned about the current restrictions on the use of public data.

He pointed out that the privacy commission had in 2009 proposed the creation of a public domain exemption. But the government eventually decided not to take up the proposal after a public consultation was met with few responses.

“There is a need to conduct a public consultation again to see whether people think the law now needs to be amended,” he said. “I hope the government would take the initiative to engage the public in the discussion.”

The story was updated at 8.25am on November 26, 2013 to ammend quotes in the 15th paragraph at Dr Marcelo Thompson's request.