Privacy law reform - Hong Kong


PRIVACY LAW REFORM - HONG KONG

THE NEW DATA PROTECTION LAW PROPOSED FOR HONG KONG

The original terms of reference for the Committee encompassed (1) intrusion (by electronic or other means) into private premises and (2) interception of communications (whether oral or recorded), but excluding matters falling within the terms of reference of parallel reports of the Law Reform Commission on the issues of arrest and breach of confidence. Those aspects will be dealt with (or so says the report) in a supplementary document. (As regards breach of confidence, it seems a report has already been made to the Law Reform Commission, about 18 months ago, but, for reasons which the Commission has not disclosed, is being kept confidential.)

The report is extremely thorough, outlining internationally accepted principles concerning data-collection. It points out that whilst laws are now in place in Europe, North America and Australasia, no country in Asia currently has a data protection law in place apart from Japan. (Notwithstanding the change of Hong Kong's sovereignty to China in 1997, the consultative document has made no reference to the laws of China on this subject, presumably because there are none.)

Briefly, the law reform proposals recommended by the report are as follows:

1. That a new law should be introduced, which should regulate all data banks. That is, it should not apply only to computer automated data banks (as is the case in the UK). Data-processing will not be subject to regulation, however, where it is controlled from outside the territory - unless the data-processing involves the collection of data within Hong Kong, in which case it should be subject to the full application of the law.

2. The proposed law takes the form of imposing various duties on persons operating data banks, including:

2.1 Collection of data:

2.1.1 to collect data only for a lawful purpose which is directly related to the function or activity of the collector;

2.1.2 to inform the data subject of the data bank, of its purpose and of the data subject's "right of access";

2.1.3 with respect to "sensitive data" (data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical or ethical persuasions or trade union membership) to obtain the data subject's consent before collecting it.

2.2 Registration of the data bank, and its purpose

2.2.1 For private sector business, this will be done by way of the current Business Registration Scheme (framed by a supplement of US$13 to the existing registration fee), and for others direct to the proposed enforcement authority, described in the report as the "Privacy Commissioner".

2.2.2 Those who do not register will still be bound by the law.

2.2.3 The procedure will be for notification purposes only, so that the operation of data banks will not require any prior approval from the Privacy Commissioner.

2.3 Use of the data bank

2.3.1 not to make any adverse decision with respect to any data subject based only on stored data, unless the data subject has first been given the opportunity to put his point of view;

2.3.2 before using the data for mail marketing or disclosing it to any third parties, to give the data subject the option to have the data erased from the data bank at no cost to the data subject;

2.3.3 "investigative data matching" to be permitted only with the consent of all data subjects involved or of the Privacy Commissioner. The report recommends that the Commissioner should be able to set up mandatory guidelines to be followed by those wishing to come within such exemptions;

2.3.4 to ensure that data is accurate and up-to-date, with any loss caused to a data subject as a result of any inaccuracy to be compensatable;

2.3.5 to take all reasonably appropriate security measures against unauthorized access to or tampering with the data;

2.3.6 to allow individual data subjects a right of access (on payment of a nominal fee), entitling them to be given any data concerning them within 30 days of their request, and to have any errors in the data corrected, provided that the information only relates to that individual.
It will be possible for a data controller to rely on exceptions, but he will have to state what exception is relied on and the Privacy Commissioner will be able to review any withholding of information (unless the exception relied on is in relation to security, defence or international relations).

3. Proposed exemptions to the above obligations are as follows:

3.1 Personal data of an individual concerning only his personal affairs should be totally exempt. Private clubs and similar organizations which have databases on their members will, however, be subject to the regulations.

3.2 Matters relating to security, defence and international relations will be exempt from the obligations concerning subject access and non-disclosure.

3.3 Information concerning prosecution or detection of crime, apprehension of offenders or assessment of tax will also be exempt from the subject access and non-disclosure obligations, provided that the applications of those obligations would be likely to prejudice these purposes.

3.4 Appointments in the public interest, matters of legal professional privilege or information, the discovery of which would be likely to cause serious harm to the physical or mental health of the data subject, should be exempt from the subject access, but not the non-disclosure obligations.

4. The report also recommends that with respect to activities of the security service, a complaints mechanism should be adopted along the lines of the UK Security Service Act 1989. With respect to the use of personal data in the police sector, it says that the Council of Europe recommendations on the subject should be adopted.

5. Enforcement

5.1 There is also to be an overseeing authority, headed up by a Privacy Commissioner, appointed as a full-time post for five years with a maximum of one renewal. He will be assisted by nine part-time commissioners, to be appointed for periods of three years with a maximum of two renewals, the majority of whom should not be public officers.

5.2 This commission will be empowered to investigate complaints, inspect data collectors, receive notifications and promote "codes of conduct" as well as publicizing the rights of data subjects.

6. Transborder data flow - There is to be a general prohibition on any transfer of data to a third country which does not, by its laws, ensure an adequate level of protection for data. There are exceptions, whereby such a transfer will be permitted where either:

6.1 the data subject has consented to the transfer, which takes place in preparation for or in performance of a contract;

6.2 it is necessary (a) to protect the data subject's vital interests or (b) on public interest grounds; or

6.3 where full control is retained over the use of data in the other country.

The restrictions on transborder data flow will not be enforceable by individuals through the courts but only via the Privacy Commissioner. It is not clear to what extent other rights may be directly enforceable by individuals through the courts, but it seems that, if nothing else, the "subject access" and "non-disclosure" obligations should be.

The Sub-Committee has invited comments on these reform proposals from interested parties, to be made in writing to the Secretary, the Privacy Sub-Committee, the Law Reform Commission of Hong Kong, 1/F High Block, Queensway Government Offices, 66 Queensway, Hong Kong.

Tom Hope, Solicitor
Linklaters & Paines, Hong Kong

BOOK REVIEW

DATA PROTECTION

Handbook of Personal Data Protection, by Wayne Madsen (1992), Macmillan, hard-cover, 1026 p, £85.00, ISBN: 0 333 569202

This text is intended to provide a comprehensive reference manual for those involved in both national and international aspects of personal data protection. Part one of the book, comprising the first 200 pages, contains narrative discussing the relevant aspects of various national and subnational data protection concerns, recent events and legal mechanisms. This is followed by a glossary and then by part two of the work, being the results of an effort by the author to collect as many national and international laws as possible on data protection legislation. Some data protection laws are still in draft form and, where only these are available, they are published. In some cases laws were not available in English, so summaries had to be translated, providing a general overview of the contents. Part two also provides the reader with the resolutions, guidelines and directives on personal data protection of various international organizations, including the Council of Europe, the European Community, the Organisation for Economic Cooperation and Development, the United Nations and Amnesty International.

The handbook is available from Globe Book Services, the Macmillan Press Ltd, Houndmills, Basingstoke, RG21 2XS, UK. Tel: (0256) 817245. Contact: Lisa Teasdale.