Site A describes a court case, but the names of the plaintiff and defendant are replaced with initials to protect their privacy. But if you go to Site B and do a search for the individual’s name, the search results provide a link to the court case. Are you violating some aspect of Hong Kong’s Data Protection law by identifying them via hyperlinks that way? Spoiler alert: Yes.
Read the following press release from the Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) . The background on the case is embedded in the press release, so you’ll be able to understand the issue and facts.
(29 October 2015) The Office of the Privacy Commissioner for Personal Data (“PCPD”) welcomes the ruling by the Administrative Appeals Board (“AAB”) on 27 October 2015 for the dismissal of the appeal from Mr David Webb against the PCPD’s Enforcement Notice directing him to remove from his Webb-site in 2014 the three hyperlinks which effectively disclosed the Complainant’s identity in three anonymized judgments.
The AAB confirms:
- the PCPD’s decision that Mr Webb had contravened Data Protection Principle 3 (“DPP3” – Data Use Principle) of the Personal Data (Privacy) Ordinance (“Ordinance”) by publishing the three hyperlinks on Webb-site; and
- the justification for the issuance of the Enforcement Notice.
The PCPD’s Comments
Ms Fanny Wong, Acting Privacy Commissioner for Personal Data, responded, “It is not the PCPD’s stance to ask for removal of articles from the archives of newspapers and publishers. In this case, the PCPD only directed Mr Webb to remove the hyperlinks which showed the parties’ names in the three anonymized judgments on the Judiciary’s website, bearing in mind that the anonymization is made pursuant to the request of the Complainant and is consistent with Article 10 of the Hong Kong Bill of Rights. As directed by the Chief Justice, with effect from April 2011, all judgments in family and matrimonial cases at every level of courts, whether in open court or in chambers, should be anonymized before release.”
Ms Wong added, “In weighing the freedom of press and expression against the personal data privacy of the Complainant, the PCPD was of the view that the disclosure of the Complainant’s identity in the three anonymized matrimonial judgments did not serve to promote the transparency of operations of companies, governments, regulators and controlling shareholders; nor was it able to achieve the purpose of condemning public vices or protecting the minority shareholders’ interest. In the circumstances, the balance should be tipped in favour of protecting the Complainant’s personal data in the three anonymized judgments.”
As the AAB has dismissed the appeal, the Commissioner will follow up with Mr Webb on his compliance with the Enforcement Notice.
It is a misconception that publicly accessible personal data can be further used or disclosed for any purpose whatsoever without any regulation. Personal data obtained from the public domain is still subject to the protection under DPP 3 of the Ordinance.
Case Background
The Complainant and her ex-husband were parties to several matrimonial proceedings, of which three judgments were handed down by the Court of Appeal in 2000, 2001 and 2002 in open court. At the request of the Complainant, the Judiciary in 2010 and 2012 replaced the names of the Complainant and her ex-husband by alphabets in those three judgments in the Legal Reference System of the Judiciary’s website.
However, the Complainant subsequently found her name revealed on three hyperlinks on “Who’s Who” of a website named “Webb-site” established by Mr Webb. If a user entered the Complainant’s name in the “search people” box, Webb-site would bring the user to the “Who’s Who” page, and the three hyperlinks were embedded under the item “Articles”. By clicking on “Articles” and then on the hyperlinks, the user would be taken to the three anonymised judgments in the Legal Reference System of the Judiciary’s website.
According to Webb-site, its objective was “to provide independent commentary on corporate and economic governance, business, finance, investment and regulatory affairs in Hong Kong.” The Complainant was aggrieved and hence lodged a complaint with the PCPD against Mr Webb.
The PCPD decided that Mr Webb had contravened DPP 3 of the Ordinance by publishing those three hyperlinks with the Complainant’s name revealed on Webb-site, which effectively disclosed her identity in the three anonymized judgments, and served upon Mr Webb an Enforcement Notice directing him to remove those three hyperlinks from the Webb-site. The three judgments are matrimonial proceedings touching on her private life but not public duty. Mr Webb subsequently lodged an appeal against PCPD’s decision and the service of the Enforcement Notice, and the appeal was heard before the AAB on 13 July this year.
The AAB’s Decision
The AAB upheld the PCPD’s decision and the issuance of the Enforcement Notice and made the following findings:
The AAB held that DPP 3 is directed against the misuse of personal data, regardless of whether the relevant personal data has been published elsewhere or in the public domain and that Mr Webb was a data user governed by the Ordinance.
The AAB also held that on a proper construction of subsection (4) of DPP 3, “the purpose for which the data was to be used at the time of the collection of the data” referred to the purpose for which the data was originally collected. In this case, the Judiciary was the person who first collected the Complainant’s data, and its purposes in collecting the Complainant’s personal data were to enable its judgments to be utilized as “legal precedents on points of law, practice and procedure of the courts and of public interests”. The AAB was of the view that Mr Webb’s purpose of using the Complainant’s personal data (i.e. reporting and publication for general use) in Webb-site was not consistent with the Judiciary’s purposes of publishing the three judgments, and it therefore concluded that Mr Webb did use the Complainant’s personal data for a “new purpose” in contravention of DPP 3.
The AAB also took the view that the balance between freedom of expression and personal data privacy protection struck by the Commissioner was not unreasonable.
The AAB rejected Mr Webb’s argument that the common law principle of open justice would exempt him from any breach of DPP 3 under section 60B(a) of the Ordinance, as Mr Webb was not required by any principle of law to publish the personal data of the Complainant on Webb-site.
– End –
Please click here to view:
Decision of the AAB
www.pcpd.org.hk/english/files/casenotes/AAB_54_2014.pdf