The Hong Kong Administrative Appeals Board (“ABB”), an independent statutory body that reviews appeals against administrative decisions, recently released its decision concerning the controversial issue of whether individuals in Hong Kong have a right to demand deletion of their personal data in the public domain. The ABB dismissed the appeal and affirmed the Privacy Commissioner’s decision which directed the webpage owner to remove the individual’s personal data from the public domain.
The appeal was against an enforcement notice issued by the Hong Kong Privacy Commissioner directing an activist and share market analyst (“Appellant”), to remove hyperlinks to court judgments from his website (known as Webb-site.com). The court judgments involved matrimonial proceedings which initially disclosed the names of the parties and their children when they were first published on the Hong Kong judiciary website from 2000 to 2002, but the names were subsequently redacted by the court about ten years later in 2010 and 2012. However, the name of the individual was still connected to the anonymized court judgments through the hyperlinks in the Appellant’s website (i.e. a user of the Appellant’s website who searched for the individual’s name would be able see the hyperlinks and they would be taken to the anonymized court judgments by clicking on the hyperlinks). The individual lodged a complaint with the Privacy Commissioner when the Appellant rejected the request to remove the hyperlinks.
The Privacy Commissioner issued an enforcement notice against the Appellant on the ground that he had contravened the requirements of Data Protection Principle 3 (“DPP 3”) of the Personal Data (Privacy) Ordinance (“PDPO”) which provides that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose.
One of the arguments raised by the Appellant was that DPP 3 does not apply to collection of data from the public domain and he argued that “if the DPPs apply to public domain personal data, then any person who reads, sees or hears public domain personal data in the media, and records it, either in writing or electronically, is a data user, and that would include recording the TV news, putting newspaper clippings in a filing system, writing about it in emails, or disclosing it on a blog such as Facebook or Twitter.” The Appellant contended that the application to such broad class of users would make administration of the law wholly impracticable and the PDPO is intended to “keep private data private, and not to make public data private.”
The Appellant also argued that the application of DPP3 to restrict the use of public domain personal data is unconstitutional because it violates the constitutional rights to freedom of speech and expression contained in the Hong Kong Basic Law and Bill of Rights.
The ABB rejected the Appellant’s argument that DPP 3 does not apply to collection of data from the public domain and it cited a Court of Appeal decision which held that DPP 3 “is directed against the misuse of personal data and it matters not that the personal data involved has been published elsewhere or is publicly available.”
The ABB also found that the Privacy Commissioner had considered the competing interests between freedom of expression and personal data privacy and the conclusion it reached after performing the balancing exercise was reasonable.
Effect of the Decision
There is no doubt that the decision will have far reaching consequences and is likely to open a floodgate of requests by individuals demanding for deletion of their personal data in the public domain. Those who refuse to remove the personal data will face the risk of complaints being made to the Privacy Commissioner, who may serve an enforcement notice against those who, in their view, contravened the PDPO.
It should be noted that since the revised provisions of the PDPO came into force on April 1, 2013, the Privacy Commissioner is empowered to issue an enforcement notice where a data user, is contravening, or has contravened, the PDPO, regardless of whether the contravention has ceased or is likely to be repeated. A data user who contravenes an enforcement notice commits an offence and is liable on first conviction to a fine of up to HK$50,000 (approximately US$6,450) and imprisonment for two years. The PDPO also provides that an individual who suffers damages by reason of a contravention of the PDPO may seek civil compensation from the data user.
The Privacy Commissioner has wide discretionary power in determining whether there was a contravention of the PDPO when the data user refused to remove the personal data from the public domain. According to the decision, the Privacy Commissioner explained that a person who carried out the activities described by the Appellant above (i.e. putting newspaper clippings in a filing system or disclosing the personal information on a blog) is prima facie not considered to have been compiling information about another individual and thus would not be subject to the PDPO. In addition, there is also an exception to DPP3 when the data is used for personal or recreational purposes.
Although the Hong Kong Privacy Commissioner later clarified in a media statement that they were not asking for the removal of articles from the archives of newspapers and publishers, the decision has likely set a precedent for individuals to request the removal of their personal details in the public domain. It remains to be seen how, and to what extent, the decision will be implemented in Hong Kong.
Organizations should be mindful that the collection and use of personal data obtained from the public domain (e.g. a public register, the government website or a public directory, etc.) are subject to the requirements of the PDPO. Organizations should consider whether the proposed use is consistent with or directly related to the original purpose for which the personal data was placed in the public domain, or whether such use is exempted under the PDPO. Express consent should be obtained from the individual if the personal data is used for a new purpose, particularly in the case of sensitive data.