Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Something of a furore has been caused in Hong Kong by the decision of the Office of the Privacy Commissioner for Personal Data (“PCPD”) to issue an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application, claiming that the company “seriously invaded” the privacy of those individuals. Various commentators have accused the PCPD of threatening freedom of information, making inconsistent decisions, and being technophobic, while others argue that the decision highlights the limitations of the Personal Data (Privacy) Ordinance (“PDPO”) which governs the use of personal data in Hong Kong. So, when is publicly available personal data actually private data?
The offending application, “Do No Evil” (the “App”) was launched by Glorious Destiny Investment Limited in 2012 and allowed users to search a database of publicly available records of civil and criminal litigation and bankruptcy cases by an individual’s name or address. The search results could reveal the target person’s name, partial identity card number, address, court type, action number, nature of civil case, criminal charge, and more. The App enabled consumers to carry out simple due diligence and background checks for certain decisions such as the offer of a job to a potential employee, signing tenancy agreements with prospective tenants, or signing contracts with business partners.
The basic position in Hong Kong is that while an individual’s personal data may be obtained from a source in the public domain, that does not mean that the individual has given his blanket consent for use of that personal data for other purposes. Anyone who collects and uses personal data from the public domain must observe the requirements of the PDPO and, in particular, Data Protection Principle (“DPP”) 1 and DPP3. DPP1 requires personal data to be collected by means which are lawful and fair in the circumstances of the case. DPP3 specifies that personal data shall not, without the prescribed consent of the data subject (the person to whom the data relates), be used for a new purpose. A “new purpose” essentially means any purpose other than the one for which the personal data was originally collected or a directly related purpose. “Prescribed consent” means consent that is expressly and voluntarily given by the data subject.
Section 64 of the PDPO stipulates that a person commits an offence if he discloses any personal data of a data subject which was obtained from a data user without the data user’s consent and with intent to (i) obtain gain for himself or another person, or (ii) cause loss to the data subject. It is also an offence if the unauthorised disclosure causes psychological harm to the data subject. The maximum penalty for these two offences is a fine of HK$1 million and imprisonment for five years.
Due regard must be given to the original purposes of making the personal data available in the public domain. A data user, such as a court or government department, which makes personal data available in the public domain will often specify in a separate privacy policy statement the circumstances under which the personal data it is providing may be accessed and used by others. By way of example, the HK Judiciary website makes it clear that personal data obtained from the daily cause lists has strictly limited uses:
"Daily Cause Lists are published to provide members of the public with information on the schedule of court hearings and related matters. They also facilitate court users (including witnesses, defendants’ family members, etc.) to know which court they should attend. After the relevant hearing day, such lists serve no other purpose and will not be retained. No person accessing a Daily Cause List shall use any personal data contained therein for any purpose not related to the purposes set out above."
A person who collects personal data from the public domain regardless of these stipulations and restrictions may contravene DPP1.
When the original purpose of making the data available to the public is not stated by the user or is not clear, the PCPD’s approach is to consider the reasonable expectation of personal data privacy of the individual when assessing the lawful use of the personal data under DPP3. The test is whether a reasonable person in the data subject’s situation would find the new use of the public data unexpected, inappropriate, or otherwise objectionable, taking into account all the circumstances of the case.
In the case of the App, the PCPD considered that this test had not been met for the following reasons:
The App aggregated the litigation information and bankruptcy data from different sources so users of the App could view all data of a target person in one go simply by entering his name or address. Aggregation of such information from multiple sources increased the severity of the privacy intrusion.
The App enabled users to access individuals’ litigation and bankruptcy data at any time. A data subject had no idea when, where or by whom their sensitive personal data was being accessed via the App so that data was being used without the data subject’s knowledge or consent.
The Judiciary, the Official Receiver’s Office, and the Companies Registry disclose or publish litigation, bankruptcy data, and company directors’ data in accordance with the law and they have imposed access restrictions to prevent the data from being misused. As the App was aimed at consumers, restrictions on the use of the personal data were limited and there were no measures put in place to restrict users from bulk downloads or reproduction of the data from the database. As such the personal data accessed via the App could easily be misused.
Where a data subject involved in litigation cases was finally acquitted or a claim was not substantiated, the App would not always update or clarify the situation so users could be misled. Moreover, the search facility on the App may have revealed all persons in the database with the same name, so innocent individuals could have been mistaken as litigants or bankrupt.
Under the Rehabilitation of Offenders Ordinance, an offender who is sentenced to imprisonment not exceeding three months or to a fine of less than HK$10,000 will be treated as not having been convicted of the offence, if that individual was not convicted of another offence in the following three years. However, the App used a database with no prescribed retention period for the data and no arrangement for deletion of invalid data. It was considered that this would adversely affect the rehabilitation of the data subjects.
The PCPD has said that it recognises that the right of individuals to privacy is not absolute and must be balanced against other rights and public interests. Part VIII of the PDPO specifically provides for certain exemptions from the application of DPP3 and they also apply to personal data in the public domain. These exemptions include the following:
Section 52: where personal data is held by an individual and is concerned only with the management of his/her personal, family, or household affairs, or held only for recreational purposes.
Section 58: where personal data is used for the purpose of prevention or detection of crime or for prevention, preclusion, or remedying of unlawful or serious improper conduct or dishonesty or malpractice by persons, etc.
Section 59: the disclosure of the identity, location, and health data of a data subject where non-disclosure may cause serious harm to the physical or mental health of the data subject or any other individual.
Section 60B: where the use of the personal data is required or authorised by Hong Kong law or in connection with any legal proceedings in Hong Kong or is required for establishing, exercising, or defending legal rights in Hong Kong.
Section 61: the disclosure of personal data by a person to a data user whose business consists of a news activity and the publication or broadcasting of the personal data is in the public interest.
Section 62: where personal data is used for preparing statistics or carrying out research and the resulting statistics or research does not identify the data subjects.
Section 63C: where the use of the personal data is to identify an individual who is, or may be, involved in a life-threatening situation and to carry out emergency rescue operations or providing emergency relief services.
The burden of proof rests with the data user who wishes to apply the exemption.
To assist data users to comply with the requirements of the PDPO, the PCPD has issued a new guidance note on the Use of Personal Data Obtained from the Public Domain. In addition to summarising the relevant sections of the PDPO and the various exemptions, the note also provides recommended best practices for data users who intend to collect and then use personal data from the public domain.
The guidance note can be downloaded here: www.pcpd.org.hk/english/publications/files/GN_public_domain_e.pdf.
Authored by Gabriela Kennedy