Facial Recognition and CCTV Surveillance

The Court of Appeal’s decision in Eastweek Publisher Ltd & Anor v Privacy Commissioner for Personal Data [2000] 1 HKC 692 is always known to be one of the landmark decisions on the interpretation of Data Protection Principle (“DPP”) 1 in Schedule 1 of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). We will examine in this article the decision and the impact of time and technology on it.


The complainant was photographed on a street by a photographer working for Eastweek magazine (“Eastweek”). The complainant’s photograph, together with some other women being photographed, was published in an article in Eastweek with unflattering and negative comments about her fashion style. The photograph was taken and published without the complainant’s knowledge or consent.

The Privacy Commissioner initially found that there was a breach of DPP1(2)(b) on the part of Eastweek in collecting the complainant’s personal data by an unfair means. Eastweek applied for a judicial review of the Privacy Commissioner’s decision, the application for which was dismissed by the Court of First Instance. Eastweek further appealed to the Court of Appeal against the dismissal of the judicial review application and the appeal was allowed.

Collecting Personal Data and Relevance of Identity

In all cases where DPP1 is contravened, the contravening act must involve the act of “collecting” personal data, this being the subject matter of DPP1 of the PDPO. Based on the facts of the case, the Court of Appeal held that the DPPs had not been engaged at all.

The Court held that in the act of personal data collection, the data user must be compiling information about an identified person or about a person whom the data user intends to or seeks to identify. What was crucial in the case was the complainant’s anonymity and the irrelevance of her identity to the photographer, the reporter and Eastweek. The Court held that taking photograph of the complainant in the circumstances of the case did not constitute an act of collection of personal data of the complainant.

The decision was not suggesting that taking someone’s photograph can never be an act of personal data collection. It plainly can, and it all depends on the circumstances of the case. The Court stressed that the press or other media organisations do not fall outside the scope of the PDPO. If an organisation engages in collecting personal data, the provisions of the PDPO squarely apply.

The Court further emphasised that while the complainant would be entirely justified in regarding the article and the photograph as an unfair and impertinent intrusion into her sphere of personal privacy, the aim of the PDPO was to protect the privacy of individuals in relation to personal data, namely, information privacy as opposed to other kinds of privacy interests including territorial privacy, personal privacy or communications and surveillance privacy.

Implications in the Digital Era

What would happen if a similar complaint were to come before me today? The availability of social media and powerful search engines has made it technically easier and feasible for people to ascertain the identity of an otherwise unknown person whose image is captured in a photograph. It has been reported that facial recognition technology deployed in surveillance cameras has assisted policemen in arresting criminals. If a person’s image is captured by artificial intelligence installed in the CCTV system with intent to ascertain his identity, this may constitute collection of personal data, presumably by the operator of the CCTV system in the first place.

When footage in a CCTV system is being used to ascertain the identities of individuals by automated means, it would amount to collection of personal data of individuals, necessitating the application of the PDPO including the notification requirement under DPP1(3) - in Schedule 1 to the PDPO and the limitation of use requirement under DPP3 etc. DPP1(3) states that a data user shall take all practicable steps to inform data subjects of the purpose of the collection of the personal data. DPP3(1) requires a data user to obtain prescribed consent of data subjects if their personal data is used for a new purpose. Depending on the circumstances of the case, a data user may consider if any of the exemptions under Part 8 of the PDPO (eg for the prevention and detection of crime under s. 58(1)(a)) are applicable. I would advise operators of such systems to conduct a privacy impact assessment to assess if there is indeed genuine need to install such systems and, even if so, whether there are any less privacy-intrusive alternatives to installing such systems. For details, please refer to “Guidance on CCTV Surveillance and the Use of Drones” issued by the Privacy Commissioner for Personal Data, Hong Kong in March 2017. Operators of systems with AI functions that may capture personal data should carefully consider the privacy implications of such systems and their compliance obligations under PDPO.


Barrister, Privacy Commissioner for Personal Data, Hong Kong