Stephen Wong, newly-appointed Privacy Commissioner for Personal Data, weighs in on current data privacy developments and reveals how he plans to fortify the City’s data privacy culture during his tenure.
Whether opening a bank account or shopping online, you constantly hand over reams of personal data (eg, name, contact details, credit card number, address) to a variety of public and private bodies. This information, collected and stored on thousands of computers, may make you wonder: How big is my digital dossier and what’s in it? Who has access to my data and how can they use it? These are but a few of the questions Mr. Wong hopes you will begin to consider on a regular basis.
Despite having only recently taken up his new role as the Privacy Commissioner, Mr. Wong already seems fully aware of the growing need for individuals and organisations to not only better understand their rights, but also their “obligations” and “the limitations in personal data privacy protection.” With data privacy and cybersecurity issues on the rise, Mr. Wong earnestly explained, as we gathered around the conference table in his office in Wan Chai, much remains to be done to enhance the City’s data privacy culture.
Life as a Lawyer
Mr. Wong is no stranger to working under pressure or in the public eye. In 1986, he joined the Attorney General’s Chambers (now known as the Department of Justice) as a Crown Counsel, or to be exact as “an advocate”, in criminal trials and appellate courts. During his 30-year tenure, he assumed various posts including Assistant Director of Public Prosecutions and Deputy Solicitor General, tackling legal issues from white-collar crime to high-level legal policies.
Of the cases Mr. Wong was assigned during his prosecution period, the most memorable for him was one referred to (then) as the Race Fixing case, in which a syndicate of jockeys and horse owners conspired to defraud punters and the Hong Kong Jockey Club by fixing the results of races. The trial lasted for more than 100 days, in total, and involved a dissolution of the jury and re-empanelling of another; a letter of request whereby the court was moved to San Francisco for the testimony of a witness; and playing for the first time video tapes of the races before the jury as evidence against the defendants.
More recently, Mr. Wong’s work as a government lawyer has focused on issues relating to the “one country, two systems” principle, the Basic Law and minority rights, including those of the LGBT. He was also involved in the promotion of the Bill of Rights Ordinance in the early 1990s and since its enactment was assigned to act as a fire fighter in court for the prosecution where human rights issues were raised.
Mr. Wong believes his previous experience, especially human rights-related work, has prepared him well for his new role and equipped him to tackle the challenges that lie ahead.
Protector of Personal Data
As the newly appointed Privacy Commissioner, Mr. Wong is responsible for promoting, monitoring and supervising compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the “Ordinance”), as well as administering the activities of the Office of the Privacy Commissioner for Personal Data (“PCPD”).
During his five-year term, he intends to work with all stakeholders to protect personal data privacy rights, with a view to ensuring proper protection of individuals’ rights while at the same time facilitating the free flow of information in the best interests of the community as a whole. “I hope to be able to strike the right balance so that Hong Kong can continue to maintain and develop as an international business and data centre,” he said.
The constant flow of information is the lifeblood of our daily interactions. The distribution of data across different platforms and borders is shifting traditional social, economic and geo-political boundaries and creating a more integrated and interconnected global eco-system.
Against this backdrop, Mr. Wong must deal with current data privacy developments and trending issues, such as the right to be forgotten, cyber attacks and regulating cross-border data transfers, among other things.
The Right to be Forgotten
The right to be forgotten is a trending and controversial topic in the global privacy arena that stems from the May 2014 ruling by the European Court of Justice (“ECJ”) in a case called Google Spain. In brief, this case was concerned with the continued public availability through Google search of a newspaper announcement in 1998 about a Spanish national’s real estate auction in connection with proceedings for the recovery of his social security debts. The announcement was accurate at the time and had been legitimately published. However, as the debt had been resolved, the complainant argued that the information became irrelevant and misleading. The ECJ ruled in favour of the complainant and required Google to remove or conceal the information so that it no longer appears in search results based on the complainant’s name.
The right to be forgotten empowers individuals to control the online dissemination of information about themselves. Specifically, it allows users to request searches performed on the basis of their name (eg, “John Smith”) be de-listed. However, this right does not extend to searches using other terms (eg, “car accident in London” in which John Smith was involved).
Mr. Wong explained that while the right to be forgotten is a convenient label, it is a “misnomer”, as no published material is required to be deleted through exercise of the right. The original information continues to exist at the source and can be accessed online directly or by using other search terms (as in the case of Google Spain).
While the ECJ decision does not bind Hong Kong courts, Mr. Wong indicated that the PCPD will continue to keep an open mind and monitor related developments. “We are certainly not promoting privacy as an absolute right. We have to seek a balance between privacy and other rights and interests, including freedom of expression and of the press. These rights are of equal value in a civil society and none have pre-eminence over the others. A balance needs to be struck on a case-by-case basis between an individual’s personal data privacy, and the public interest in accessing information. As pointed out in the ECJ’s judgment, a different conclusion could be reached ‘… if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having … access to the information in question.’”
Freedom of speech, freedom of expression and the free flow of information are vital to Hong Kong’s success in the global marketplace and critical to an open society. Mr. Wong indicated that he will try “to preserve and advance all these values” as the Privacy Commissioner.
David Webb Case
The David Webb appeal, recently decided by the Administrative Appeals Board (“AAB”), is an interesting case that has required Hong Kong data privacy enforcement officials to revisit the controversial issue of how personal data in the public domain should be treated under the Ordinance.
Some hoped the AAB’s decision would address whether, and the extent to which, the European-style right to be forgotten exists in Hong Kong. This was due to the fact that Mr. Webb was appealing against the Commissioner’s Enforcement Notice that directed him to remove three hyperlinks from his website that effectively disclosed the complainant’s identity in three anonymised judgments. However, the AAB based its decision squarely on Mr. Webb’s contravention of Data Protection Principle 3 (“DPP3”), which concerns the purpose for which the data was to be used at the time of the collection.
In dismissing his appeal, the AAB found Mr. Webb’s purpose for using the complainant’s personal data (ie, publication of her name for general reporting) to be inconsistent with the Judiciary’s purposes of publishing the judgments (ie, to enable them to be used as “legal precedents on points of laws, practice and procedure of the courts and of public interests”). As Mr. Webb used the relevant personal data for a new purpose that contravened DPP3 in relation to the use of data, the AAB upheld the Commissioner’s order that required him to remove those links from his “Webb-site”.
While the David Webb and Google Spain decisions both weighed similar competing interests, namely the freedom of press and expression and the personal data privacy of the complainant, Mr. Wong carefully explained why the David Webb case is not comparable in principle to the Google Spain decision on the right to be forgotten.
In the David Webb case, the courts had already granted orders on the data subject’s application to have the complainant’s name redacted and replaced by English letters in the published judgments. Yet the hyperlinks in issue appearing on Webb-site displayed the complainant’s name, even though the published judgments themselves did not reveal her name. By contrast, in the Google Spain case, the unredacted information contained in the original articles (16-year-old property auction notices) was subsequently deemed “inadequate, irrelevant or no longer relevant, or excessive” for the purpose of the data processing and in light of the time that had elapsed since the original publication.
Thus, the David Webb case was largely based on the particular factual circumstances involved (where information was anonymised as directed by the Chief Justice), which differs from the Google Spain decision on the right to be forgotten (where the information was unredacted in its origin).
Mr. Wong said “the AAB’s decision in the David Webb case has no adverse impact on the public’s right to access information. The decision does not affect information reported by or stored on news websites or news archives. That information can remain in their original form (ie, bearing the data subjects’ names) for retention and distribution.”
Mr. Wong indicated that the AAB’s decision has confirmed the Commissioner’s determination in upholding the data protection principles relating to use. The case also serves to illustrate that data protection principles apply to all personal data, even data collected from publicly available sources.
Cyber Attack on Toymaker Vtech
In late November 2015, Vtech, an electronic toymaker, confirmed that an unauthorised party accessed data from its educational app store and had stolen a database containing the details of millions of customers and some of their children.
While Mr. Wong indicated that he could not comment on individual cases, he did confirm that the PCPD has initiated a compliance investigation on this Hong Kong-based company.
“As a matter of general principle, organisations or data users need to do their best to strengthen their data protection and security measures, namely to take all reasonably practicable steps to safeguard personal data against unauthorised or accidental access, processing, erasure, loss or use,” he explained.
Mr. Wong indicated that he may serve an Enforcement Notice directing the data user involved in this data breach incident to take steps to remedy the contravention and prevent its re-occurrence if such contravention is found after investigation. Contravention of an Enforcement Notice is an offence which would attract a maximum fine of HK$50,000 and imprisonment for two years. If the offence continues after the conviction, the data user is liable to a daily penalty of HK$1,000.
But talk of penalties and fines aside, Mr. Wong recognised that in the wake of a data breach, it is damage to an organisation’s reputation and loss of consumers’ confidence that really hurt. For instance, in addition to having its Hong Kong-listed shares suspended from trading post-breach, the hack was also predicted to impact Vtech’s sales during the year-end holiday shopping season.
The hack also raises the issue of whether mere compliance with regulations is enough to protect the data of today’s children from advanced threats or whether current regulations might need to be revamped.
While the Ordinance went into effect in 1995, s. 33 (ie, which regulates transfer of personal data to outside the city) has never been implemented.
When asked why s. 33 had not yet come into force, Mr. Wong said the Government is still trying to ensure the right balance will be struck when s. 33 is implemented; namely, achieving the underlying purpose of the provision (ie, ensuring personal data transferred overseas will be afforded with comparable protection) on the one hand and avoiding adverse impact on the businesses and economic development on the other.
Mr. Wong indicated that the PCPD had undertaken the necessary preparatory work including preparation of a ‘white list’ of jurisdictions with privacy standards comparable to that of Hong Kong; and published a Guidance Note on Personal Data Protection in Cross-border Data Transfer in December 2014. This served as a starting point for the Government’s determination of the next step.
More recently, the Government has engaged a consultant to conduct a business impact assessment for implementation of s. 33. Mr. Wong said the PCPD will render comments from the perspective of privacy regulator and provide clarifications on the Guidance. However, the effect of the ECJ’s recent ruling on the US Safe Harbour framework will need to be taken into consideration when making an overall assessment.
Priorities for 2016
Mr. Wong indicated that the PCPD will continue to press for a fair enforcement of the regulations, mostly demand-led whether by way of complaints received or investigations initiated by him as empowered by the Ordinance. “I note that ICT progress and globalisation have profoundly changed the way individuals’ data are collected. We in Hong Kong should keep up with the development and changes in the privacy landscape with a view to bringing our data protection policies and regulations up to date. Comparative research and analysis will be a priority in 2016 considering the fact that the European Commission has proposed a comprehensive reform of Directive 1995 to strengthen online privacy rights, boost Europe’s digital economy and better equip Europe for the digital age. It is anticipated that this initiative will help reinforce consumer confidence in online services and provide a much needed boost to growth, jobs and innovation in Europe.”
The PCPD will also look into privacy issues relating to Big Data, as well as the Internet of Things (ie, the network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity, which enable these objects to collect and exchange data), as they become more of a real concern.
“Comparative studies and research aside, we will place more resources on our public education campaigns – not merely for the individuals walking in the streets of Mongkok, but also the organisations (governmental bodies included) which collect, retain and use individuals’ personal data,” Mr. Wong vowed.
The PCPD will continue to build upon its Privacy Management Programme for organisations (data users) and its existing programmes for the promotion of privacy awareness in the community. It also plans to mount focused projects to help educate particularly vulnerable groups (including children and the elderly). In addition, it will launch a large scale TV production in partnership with RTHK to mark the 20th anniversary of the establishment of the PCPD.
Privacy Commissioner for Personal Data
Prior to joining the PCPD, Mr. Wong was a barrister in private practice and the Secretary to the independent advisory body, the Law Reform Commission of Hong Kong (“LRC”). Before serving at the LRC, Mr. Wong was a legal counsel in the Department of Justice from 1986 to 2007 (the then Attorney General’s Chambers before 1997), assuming various posts including Assistant Director of Public Prosecutions and Deputy Solicitor General. From 2007 to 2012, Mr. Wong was a Director of the Hong Kong Economic and Trade Office, first based in Brussels and then Berlin. Being an expert in human rights law, he was involved in the legislative process of the 1991 Hong Kong Bill of Rights Ordinance and was subsequently on loan to the United Nations Human Rights Committee in Geneva for one year until 1992.