Overview of HK privacy law
General law protection of privacy
Constitutional
Torts - common law and statutory
Breach of confidence
Data protection laws - Personal Data (Privacy) Ordinance
Data Protection Principles (DPPs)
Exceptions
Enforcement
Relevant international standards
HK Privacy Resources
Berthold & Wacks, Data Privacy Law in Hong Kong, 2nd ed (2003)
HKLRC Report, Civil Liability for Invasion of Privacy (2004)
Personal Data (Privacy) Ordinance
Summaries of the Ordinance
M Berthold's article (1995) 2 PLPR 164
R McLeish's 'country report' (1999)
Web site of the Privacy Commissioner for Personal Data, particularly:
Enquiries, complaints and AAB appeals
Annual reports
Guidelines to the DPPs (still being developed)
General law on privacy
Why is special privacy legislation needed?
Constitutional protection
'Privacy torts'
Other tortious protection
Breach of confidence
Constitutional law (I)
ICCPR A17(1): 'No one shall be subjected to arbitrary or unlawful interference with his privacy, …' (UK acceded for HK)
A39 Basic Law in effect entrenches the ICCPR as part of Hong Kong law; legislation cannot be inconsistent with the ICCPR
Hong Kong Bill of Rights Ordinance A14 gives this a statutory basis, but it only gives a right of defence against State actions (cf US Bill of Rights)
Constitutional law (II)
A28 Basic Law: 'The freedom of the person of Hong Kong residents shall be inviolable. … Arbitrary or unlawful search of the body … shall be prohibited'
A29 Basic Law: 'The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident's home or other premises shall be prohibited.'
All are little tested as yet, but European Court of Human Rights and US Bill of Rights decisions may be relevant (weaker than 1st Amendment)
Eg US Supreme Court 2001 (Kyllo v United States) - thermal imaging of a home held to be a search, requiring a warrant
‘Privacy torts’ (i)
Since Warren and Brandeis' 'The Right to Privacy' (1890), US law has developed four 'privacy torts': 'intrusion', 'public disclosure of private facts', 'appropriation' and 'false light'
Many common law jurisdictions have not followed.
HK Law Reform Commission recommended (2004) statutory versions of the 'intrusion' and 'public disclosure' torts (partly to comply with ICCPR A17)
HKLRC was due to report in 2002 on surveillance in public places
‘Privacy torts’ (ii)
Common law courts are undecided on an explicit 'privacy tort':
UK - Wainwright [2004]: plaintiff required to undress to visit a prisoner; HL held there is no intrusion tort in UK common law
NZ - Hosking v Runting [2004]: NZ CA held there is a disclosure of private facts tort in NZ common law
Australia - ABC v Lenah Game Meats [2001] HCA 63: information obtained by trespassers in a possum abattoir; restraint on media publication sought. HC refused to restrain publication because there was no breach of confidence; unlawful obtaining of the information was not sufficient. Six of the seven HC judges considered the question of a tort of invasion of privacy still open, but it was not decided in this case
Other piecemeal torts
All existing torts have significant defects in protecting privacy
Defamation: requires falsity; qualified privilege does not require fair practices; expensive
Negligence: liability for negligent statements is very limited, even more so towards 3rd parties
Eg Sullivan v Moody [2001] HCA 59 - investigators of alleged sexual assault did not owe a duty of care to one parent concerning information about the other
Breach of confidence
Three elements (Coco v A N Clark (Engineers) Ltd [1969] RPC 41):
Information having the necessary quality of confidence
Imparted in circumstances importing an obligation of confidence
Unauthorised use (including disclosure)
Scope of relationships covered is uncertain; the duty is uncertain for most modern commercial relationships
Duty only owed to the discloser of the information; no duty owed to the 'data subject' per se (see Fraser v Evans [1969] 1 QB 349)
Third party recipients of information will owe a duty once they become aware of the original circumstances of confidence
BOC - ‘Improperly obtained information’
Breach of confidence is expanding to cover (unconscionable?) 'obtaining' of information
Franklin v Giddens [1978] 1 Qd R 72 (Qld SC) - theft of budwood from an orchard gave rise to a BoC action
Campbell v MGN [2004] HL - Naomi Campbell photographed leaving a Narcotics Anonymous meeting (ie in a public place); breach of confidence (disclosure of her NA attendance) by a person unknown (assumed to be her staff or NA staff) was enough to make the Mirror liable as a 3rd party for the photographs and their publication
Data protection laws
Since 1973 (Swedish Data Act, the first national law), all European countries have enacted data protection laws based on: 'information privacy principles' (IPPs); a Data Protection / Privacy Commissioner
NZ, Australia, Canada and HK also: an Asia-Pacific approach of the common law countries
Civil law countries (Taiwan, Japan) have not adopted the Privacy Commissioner approach, but Korea has a central complaint mediation body
[Diagram: Information privacy principles in the information system lifecycle (derived from a diagram by Roger Clarke). Lifecycle stages: collection, processing, storage, use, disclosure, destruction. Principles shown against the stages: subject access and correction, public knowledge, system justification. Parties: the individual concerned and 3rd parties.]
Data protection as a bundle of rights
Information privacy law | Copyright law
No simple definition | No simple definition
'Bundle of rights' eg access, correction, fair collection, 'finality', security | 'Bundle of rights' eg control of copying, performance etc, 'make available', fair attribution
Subject matter is 'personal information' ('about' a person) | Subject matter is 'expressions' ('by' a person)
Holder is the subject of the information | Holder is the author/creator of the information
Data surveillance laws vs data protection laws
HK’s privacy Ordinance
Personal Data (Privacy) Ordinance (PDPO)
Schedule 1 - Data Protection Principles
Key concepts
"data" means ‘any representation of information (including an expression of opinion) in any document, and includes a personal identifier;’ (s2)
Q: requirement to show an ID card to enter a building
Q: a video camera in a lift
Distinguishes surveillance from data protection
“personal data” ….
International standards
OECD Privacy Guidelines (1980): basis of many national laws; allowed but attempted to limit data export restrictions
EU Data Protection Directive (1995): higher standard, basis of revisions of European national laws; required data export restrictions
APEC Privacy Framework (2004): are its standards 'OECD Lite'? Position on data export restrictions uncertain
‘Personal data’
"personal data" means ‘any data - (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable;’ (s2)
Other information may be used to identify
What is practicable changes with technology
What is practicable depends on the holder
Q: Consider CCTV tapes and web cams
Eastweek [2000] HKCA 186 - CA majority held an intention to identify is required
Contrary view: capacity to identify is sufficient
DPP1 - Collection limitation
DPP1(1) - for a lawful purpose and not excessive; not a general 'legitimate purpose' requirement
DPP1(2) - by means lawful and fair; unlawful surveillance also breaches DPP1
DPP1(3) - if collected from the data subject, notice is given of obligations, purposes, intended disclosures, and rights
Includes unsolicited information, but only at the point of retention
Not if from observation of the person (surveillance law may apply)
What types of obtaining information are ‘collection’?
Information solicited from another person: covered (whether from the data subject or 3rd parties)
Unsolicited information: covered (whether from the data subject or 3rd parties), but may only be collection at the point of retention
Information obtained from observations ('surveillance') of the data subject: covered, on a purposive construction
Information extracted from documentary or other sources: covered, on a purposive construction
Collection may be in any medium
DPP1 - Collection limitation
DPP1(1) - for (i) a lawful purpose, (ii) relevant to the functions of the collector and (iii) not excessive
Not a positive 'purpose justification' requirement; allows private sector organisations wide latitude to define their purposes
Some special cases:
Credit reporting Code revised (2003) to allow 'positive' reporting
Workplace monitoring Code not yet completed
DPP1 - Collection limitation
DPP1(2) - by means lawful and fair; the purpose may be lawful, but the means unlawful or unfair
Deception, trickery or undue pressure will be unfair
Unlawful surveillance also breaches DPP1; legal but covert surveillance may be unfair
PCO examples: surveillance of domestic helpers, secret recording of staff or customers
No requirement of consent to collect, only fairness
DPP1 - Collection limitation
DPP1(3) - if collected from the data subject, notice is given of obligations, purposes, intended disclosures, and rights
Does not apply where collected from 3rd parties
Includes unsolicited information, but only at the point of retention
Not if from observation of the person (surveillance law may apply)
Not if collected from documentary sources
Notice of purposes is vital: in setting the limits of use/disclosure; in discouraging excess collection; in putting data subjects on notice of potential abuses
DPP3 - Use/ disclosure limitation
Data can only be used / disclosed in 4 ways:
(i) for the purpose for which it was collected; DPP1 allows fairly broad purposes; note DPP1(3)
(ii) for a directly related purpose; direct marketing 'opt out' exception (s34)
(iii) with 'prescribed consent', ie 'express consent given voluntarily' (s2(3)); narrower than the implied consent allowed in Australia/NZ - cannot include a failure to opt out
(iv) subject to exceptions (eg s58 law enforcement)
Disclosure can be verbal or by inspection
Can mere inspection be 'use'? (Berthold & Wacks: 'yes')
DPP3 - Use/ disclosure limitation
Are recipients tied to the same purposes as the proper purposes of the discloser?
Best answer is that collection must be by 'fair' means (DPP1(2)); fairness is an objective test in relation to the data subject
This covers both legitimate disclosures (wider purposes of collection unfair) and illegitimate disclosures (any collection unfair)
Necessary answer to support the policy of the Ordinance
Once the unlawfulness of the discloser is known, the collector's use may also be a breach of confidence ('unlawfully obtained information')
Common complaint: disclosure was within the purpose of collection, but notice was not given under DPP1(3)
Eg disclosure of skating competitors' details OK as a purpose of collection, but no DPP1(3) notice given
DPPs - Disclosure and data exports
DPP3 does not prevent overseas transfers
s33 (transfer of personal data outside Hong Kong) is the only provision of the Ordinance not in force
Privacy Commissioner's 'exploratory survey' began 2004
DPP2 - Data quality & retention
DPP2(1) - accuracy in relation to the purpose of use; does not specify 'complete' or 'up-to-date'
DPP2(2) - data retained no longer than necessary: 'shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used'
s26 - erasure of personal data no longer required, except where: (a) prohibited under any law; or (b) non-erasure is in the public interest
DPP4 - Security
'All practicable steps … to ensure … protected against unauthorized or accidental access, processing, erasure or other use'
Possibilities:
If hackers access data, the data user may be liable for inadequate security
Mailouts in error of sensitive data may breach DPP4
DPP5 - Information generally available
Rights to obtain information are not restricted to data subjects (contra DPP6), allowing anyone to: '(a) ascertain a data user's policies and practices in relation to personal data; (b) be informed of the kind of personal data held by a data user; (c) be informed of the main purposes for which personal data held by a data user are or are to be used.'
'Openness' principle which should be important to the media and community organisations
DPP6 - Access & correction
DPP6 - Access and correction rights: right to access and correct your own data
Exceptions to access (Pt VIII): many exceptions apply (see Berthold summary); exemptions relate to data, not to specific data users
Privacy Commissioner can access on reasonable grounds (s38), as an intermediary
Problem: correction is tied to the right of access
Enforcement of the DPPs
Enforcement notices (s50): PC can issue, requiring contraventions to be remedied (4 in 2000), or warning notices (21)
Failure to comply is a criminal offence
No systematic publication of these serious complaints
s48 allows the PCO to issue formal reports naming data users (but not others), but it has only done so once
Appeals (s50(7)) to the Administrative Appeals Board: either complainant or data user can appeal
No further right of appeal to a Court against an AAB decision, only judicial review
Enforcement of the DPPs (II)
Compensation (s66) only by separate Court proceedings, not by the PC
Only 1 reported case, and it was dismissed
PCO cannot award damages (contra Australia); HKLRC recommends the PC be able to assist complainants
Criminal offences: s64 creates offences by data users - supplying false information; contravening matching requirements, enforcement notices, or any other provision of the Ordinance
s64 creates offences by other persons - supplying false information; hindering the Commissioner's investigations
Enforcement of the DPPs (III)
Judicial review of PC decisions (2 in 2003)
Other duties of the Privacy Commissioner:
Review legislation (s8)
Data matching application approvals
Compliance checks (10 in 2003) (s81(e))
Issuing Codes of conduct
Now stressing the need for privacy impact assessments (PIAs)