The idea of a right to privacy, which arose in reaction to the rapid rise of newspapers, instant photography and the “paparazzi” of the 19th century, has evolved into a constitutional right in much of the developed world. It is enshrined in Hong Kong through Articles 28, 29, 30 and 39 of the Basic Law. Hong Kong stands proud as the first jurisdiction in Asia to enact legislation to safeguard personal data in the form of the Personal Data (Privacy) Ordinance, Cap 486 (“the Ordinance”) which came into force in 1996. At its centre are the six Data Protection Principles based on the 1980 OECD Guidelines. The office of the Privacy Commissioner for Personal Data was created under this legislation to provide oversight and ensure compliance. The Octopus scandal in mid-2010 eventually led to substantial changes being made to the Ordinance that were enacted in 2012 and 2013, the main amendments being the Direct Marketing provisions and the provision of legal assistance and representation to aggrieved persons. In this digital age, the Ordinance is proving to be the main safeguard of our privacy rights.
The Data Protection Principles seek to create broad common principles based on fairness that apply to the public and private sectors. The passage of twenty years since the enactment of the Ordinance has given rise to a substantial body of case law and administrative decisions on these principles and the other provisions of the Ordinance. The new amendments have already been the subject of judicial scrutiny. This publication, which replaces its predecessor, has the dual aim of becoming a practitioner’s guide on the important subject of personal data privacy, containing, as it does, a detailed exposition of the principles and provisions in the Ordinance and a comprehensive source of reference materials, and of enabling the Privacy Commissioner to discharge his major duty to promote awareness and understanding of the Ordinance.
About the Authors:
Mr. Stephen Kai-yi WONG
Mr. Stephen WONG is the Privacy Commissioner for Personal Data in Hong Kong. He is also a Barrister and Adjunct Professor of the School of Law, City University of Hong Kong.
Professor Guobin ZHU
Guobin ZHU is a Professor in the School of Law, City University of Hong Kong and also the Director of City University of Hong Kong Press.
Authors' Preface
Stephen Kai-yi WONG:
In 1996, Hong Kong enforced the Personal Data (Privacy) Ordinance, Cap 486, Laws of Hong Kong (“the Ordinance”) and became the first jurisdiction in Asia operating with a dedicated piece of legislation on personal data privacy protection. The Privacy Commissioner for Personal Data (“the PCPD”) was created in the same year, being the statutory body independent of the Government to oversee the compliance of the Ordinance.
The publication of this book coincides with the twentieth anniversary of the founding of the regulatory framework of personal data privacy in Hong Kong, reflecting on the changes which its two decades of life and growth have seen.
The origin of the law is attributable to the 1995 EU Directive which aimed to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data without restricting or prohibiting the free flow of personal data.
PDP (Personal data privacy) was an acronym of which few had any understanding at that time. The first decade of the operation, amid the Information Age, was one of slow growth, until 2009 when there was a marked increase in the transfer and sale of customers’ personal data by enterprises for direct marketing purposes.
In 2012, the Ordinance was substantially amended as a result of a comprehensive review of the regulatory regime on direct marketing and the impact of information and communications technology on privacy protection.
As revealed in the findings of a survey undertaken in 2014, personal data privacy has become a popular issue on both social agendas and those of senior management. An in-depth understanding of the Ordinance is considered an asset by individuals, organisations and practitioners alike.
It is not surprising that there are not many judicial decisions on the law as twenty years is not a lengthy period for the development of a new area of law. There are however hundreds of decisions made by the Administrative Appeals Board which is a quasi-judicial body established by statute to determine appeals lodged against the decisions made by the Commissioner in relation to complaints. Many of these quasi-judicial decisions are also published by the PCPD to ensure transparency of the reasoning and application of the law. The PCPD has the benefit of twenty years of experience as the regulator, receiving in the region of 20,000 enquiries and determining about 2,000 complaints on a yearly basis. With the start of the third decade of the operation of the PCPD amid this Age of Artificial Intelligence, this book is offered as a practical guide on compliance to all stakeholders, as well as those who are interested in the personal data privacy landscape in Hong Kong.
My learned predecessors published the first and second editions of a handbook entitled Data Protection Principles in the Personal Data (Privacy) Ordinance — from the Privacy Commissioner’s perspective in 2006 and 2010 respectively. Expanding on the commendable initiative of my predecessors, I attempt to roll out an all-in-one guide on personal data privacy law in Hong Kong, which also offers updates on the 2012 legislative amendments as well as other selected texts, cases and materials up to February 2016. Case notes of significant court judgments and Administrative Appeals Board decisions, as well as the three Codes of Practice issued by the PCPD are annexed.
This book is organised and written with a view to explaining the conceptual, legal and practical frameworks of the personal data privacy protection in Hong Kong, in the hope that readers, individuals or organisations; professionals or otherwise, will find it easy and user-friendly to delve into the most relevant statutory provisions for their need or interest in the topics.
I cannot thank enough all of the contributors who helped to make the publication of this book a reality, but special thanks must go to the Honourable Mr. Justice BHARWANEY for his Lordship’s support in writing the most inspirational foreword to this book, Professor Guobin ZHU for being the co-editor with me, and the editorial team in my office. I would also like to record my appreciation to City University of Hong Kong Press for its dedicated efforts in providing valued assistance and publishing this book.
Guobin ZHU, PhD:
Over 125 years ago, Samuel Warren and Louis Brandeis first published “The Right to Privacy” in the Harvard Law Review (4 Harvard L.R. 193, Dec. 15, 1890), in which they articulated that right primarily as a “right to be let alone”. This article, widely regarded as the first publication in the United States (and indeed the world) to advocate a right to privacy, opened a new page in the history of citizens’ rights protection, and its influence, together with the concept of privacy, quickly travelled far beyond the American borders.
Although there is no uniform definition of the notion of privacy, it remains commonly understood as the “right to be let alone”. Privacy certainly has a wider coverage in comparison to personal data privacy, the theme of the present guide. The Law Reform Commission of Australia, cited by many as an authority, has identified four categories of privacy interests requiring legal protection, namely: (i) the interest in controlling entry to a personal place (territorial privacy); (ii) the interest in freedom from interference with one’s person and personal space (privacy of the person); (iii) the interest of the person in controlling the information held by others about him (information privacy); and (iv) the interest in freedom from surveillance and from interception of one’s communications (communications and surveillance privacy). According to this categorisation, personal data privacy falls under information privacy.
The right to privacy has been gradually established as one of the fundamental rights of the citizen and is widely recognised as such by international and regional human rights bodies as well as in the domestic legislation of many nations.
Article 17 of the International Covenant on Civil and Political Rights, which directly derives from Article 12 of the Universal Declaration of Human Rights (1948), provides:
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.
Article 8 (1) “Right to respect for private and family life” of the European Convention on Human Rights (1950) also guarantees that “Everyone has the right to respect for his private and family life, his home and his correspondence”.
In Hong Kong, the right to privacy as stipulated in the ICCPR was incorporated into law before the handover by way of the Hong Kong Bill of Rights Ordinance (Cap 383, 1991). Actually, Article 14 in this document, stipulating the protection of privacy, family, home, correspondence, honour and reputation, is simply a replica of the above quoted Article 17 of the ICCPR. Since the handover of Hong Kong, the right to privacy has acquired a constitutional status by virtue of Article 39 of the Basic Law of the Hong Kong and this has been compounded by the subsequent case law as well. Suffice to say that a constitutional framework of privacy law is already in place in Hong Kong.
Personal records have been with us for as long as the written word has, but computerisation of them has become widespread only since the second half of the twentieth century. This development has revolutionised personal record-keeping, because of the ease of storing, retrieving, combining and transferring data. On the one hand, technology has significantly enhanced the quality of human life, but on the other public concern has arisen about the privacy implications of the resulting large-scale dissemination of personal data. This situation has called for increased lawmaking on information privacy.
Hong Kong has taken the lead in the field of data protection. In 1995, the Personal Data (Privacy) Ordinance (Cap 486) was adopted to implement information privacy protection. The introduction of this law has imposed security safeguards on the keeping of personal data by a “data user” and granted the individual (as “data subject”) the right to obtain copies of, and correct, personal data which relates to him. Most significantly for Hong Kong, the Office of the Privacy Commissioner for Personal Data, an independent statutory body, was set up to oversee the enforcement of the Ordinance in 1996.
Since the enactment of the law and the establishment of the Office of the Privacy Commissioner for Personal Data, Hong Kong has made great achievements in the protection of the right to privacy in general, and of personal data (privacy) in particular. The Hong Kong experience deserves praise along with wider dissemination and recognition.
From a law professor’s perspective, the primary purpose of printing this book, Personal Data (Privacy) Law in Hong Kong: A Practical Guide on Compliance, is three-fold: firstly, to provide an easy reference to legal professionals, governmental officials, and corporate staff, who are the major data users; secondly, to provide the general public with quick and direct access to the personal data (privacy) law of Hong Kong; and thirdly, to disseminate Hong Kong’s experience to a wider international audience through international publication distribution channels.
City University of Hong Kong Press is proud to be part of this significant enterprise. Personally, I am honored to be invited to co-edit this important work. For this, I am particularly grateful to Mr. Stephen Kai-yi WONG, the Privacy Commissioner for Personal Data, for his kind and friendly invitation, and also to his dedicated colleagues whose professionalism and efficiency has greatly impressed me. Last but not least, I wish to record my sincere thanks to my colleagues from the Press and in particular, to Edmund CHAN and Joanna PIERCE. I cherish this experience of collaboration between the two institutions very much.
Table of Contents
Chapter 1 Introduction
Chapter 2 The Meaning of “Personal Data”
Chapter 3 The Meaning of “Collect”
Chapter 4 The Meaning of “Data User”
Chapter 5 Data Protection Principle 1
Chapter 6 Data Protection Principle 2
Chapter 7 Data Protection Principle 3
Chapter 8 Data Protection Principle 4
Chapter 9 Data Protection Principle 5
Chapter 10 Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5
Chapter 11 Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5
Chapter 12 Exemption Provisions in Part 8