PogoWasRight.org

Menu
  • About
  • Privacy
Menu

HK: Disclosing someone’s identity via hyperlinks to anonymized court judgements violates Data Protection Principle

Posted on October 30, 2015June 26, 2025 by Dissent

Site A describes a court case, but the names of the plaintiff and defendant are replaced with initials to protect their privacy. But if you go to Site B and do a search for the individual’s name, the search results provide a link to the court case. Are you violating some aspect of Hong Kong’s Data Protection law by identifying them via hyperlinks that way? Spoiler alert: Yes.

Read the following press release from the Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) . The background on the case is embedded in the press release, so you’ll be able to understand the issue and facts.

(29 October 2015) The Office of the Privacy Commissioner for Personal Data (“PCPD”) welcomes the ruling by the Administrative Appeals Board (“AAB”) on 27 October 2015 for the dismissal of the appeal from Mr David Webb against the PCPD’s Enforcement Notice directing him to remove from his Webb-site in 2014 the three hyperlinks which effectively disclosed the Complainant’s identity in three anonymized judgments.

The AAB confirms:

  1. the PCPD’s decision that Mr Webb had contravened Data Protection Principle 3 (“DPP3” – Data Use Principle) of the Personal Data (Privacy) Ordinance (“Ordinance”) by publishing the three hyperlinks on Webb-site; and
  2. the justification for the issuance of the Enforcement Notice.

The PCPD’s Comments

Ms Fanny Wong, Acting Privacy Commissioner for Personal Data, responded, “It is not the PCPD’s stance to ask for removal of articles from the archives of newspapers and publishers. In this case, the PCPD only directed Mr Webb to remove the hyperlinks which showed the parties’ names in the three anonymized judgments on the Judiciary’s website, bearing in mind that the anonymization is made pursuant to the request of the Complainant and is consistent with Article 10 of the Hong Kong Bill of Rights. As directed by the Chief Justice, with effect from April 2011, all judgments in family and matrimonial cases at every level of courts, whether in open court or in chambers, should be anonymized before release.”

Ms Wong added, “In weighing the freedom of press and expression against the personal data privacy of the Complainant, the PCPD was of the view that the disclosure of the Complainant’s identity in the three anonymized matrimonial judgments did not serve to promote the transparency of operations of companies, governments, regulators and controlling shareholders; nor was it able to achieve the purpose of condemning public vices or protecting the minority shareholders’ interest. In the circumstances, the balance should be tipped in favour of protecting the Complainant’s personal data in the three anonymized judgments.”

As the AAB has dismissed the appeal, the Commissioner will follow up with Mr Webb on his compliance with the Enforcement Notice.

It is a misconception that publicly accessible personal data can be further used or disclosed for any purpose whatsoever without any regulation. Personal data obtained from the public domain is still subject to the protection under DPP 3 of the Ordinance.

Case Background

The Complainant and her ex-husband were parties to several matrimonial proceedings, of which three judgments were handed down by the Court of Appeal in 2000, 2001 and 2002 in open court. At the request of the Complainant, the Judiciary in 2010 and 2012 replaced the names of the Complainant and her ex-husband by alphabets in those three judgments in the Legal Reference System of the Judiciary’s website.

However, the Complainant subsequently found her name revealed on three hyperlinks on “Who’s Who” of a website named “Webb-site” established by Mr Webb. If a user entered the Complainant’s name in the “search people” box, Webb-site would bring the user to the “Who’s Who” page, and the three hyperlinks were embedded under the item “Articles”. By clicking on “Articles” and then on the hyperlinks, the user would be taken to the three anonymised judgments in the Legal Reference System of the Judiciary’s website.

According to Webb-site, its objective was “to provide independent commentary on corporate and economic governance, business, finance, investment and regulatory affairs in Hong Kong.” The Complainant was aggrieved and hence lodged a complaint with the PCPD against Mr Webb.

The PCPD decided that Mr Webb had contravened DPP 3 of the Ordinance by publishing those three hyperlinks with the Complainant’s name revealed on Webb-site, which effectively disclosed her identity in the three anonymized judgments, and served upon Mr Webb an Enforcement Notice directing him to remove those three hyperlinks from the Webb-site. The three judgments are matrimonial proceedings touching on her private life but not public duty. Mr Webb subsequently lodged an appeal against PCPD’s decision and the service of the Enforcement Notice, and the appeal was heard before the AAB on 13 July this year.

The AAB’s Decision

The AAB upheld the PCPD’s decision and the issuance of the Enforcement Notice and made the following findings:

The AAB held that DPP 3 is directed against the misuse of personal data, regardless of whether the relevant personal data has been published elsewhere or in the public domain and that Mr Webb was a data user governed by the Ordinance.

The AAB also held that on a proper construction of subsection (4) of DPP 3, “the purpose for which the data was to be used at the time of the collection of the data” referred to the purpose for which the data was originally collected. In this case, the Judiciary was the person who first collected the Complainant’s data, and its purposes in collecting the Complainant’s personal data were to enable its judgments to be utilized as “legal precedents on points of law, practice and procedure of the courts and of public interests”. The AAB was of the view that Mr Webb’s purpose of using the Complainant’s personal data (i.e. reporting and publication for general use) in Webb-site was not consistent with the Judiciary’s purposes of publishing the three judgments, and it therefore concluded that Mr Webb did use the Complainant’s personal data for a “new purpose” in contravention of DPP 3.

The AAB also took the view that the balance between freedom of expression and personal data privacy protection struck by the Commissioner was not unreasonable.

The AAB rejected Mr Webb’s argument that the common law principle of open justice would exempt him from any breach of DPP 3 under section 60B(a) of the Ordinance, as Mr Webb was not required by any principle of law to publish the personal data of the Complainant on Webb-site.

– End –

Please click here to view:
Decision of the AAB
www.pcpd.org.hk/english/files/casenotes/AAB_54_2014.pdf

Related posts:

  • 2013 saw a 48% Increase in Privacy Complaints in Hong Kong
  • Hong Kong Professional Health Group Ltd Fined for Failure to Comply with an Opt-Out Request
Category: BreachesNon-U.S.Online

Post navigation

← Report: Schools Fall Short In Handling Students’ Digital Data
After guilty plea, judge confused as to why prosecutors still want iPhone unlocked →

Now more than ever

Search

Contact Me

Email: info@pogowasright.org

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

Categories

Recent Posts

  • Germany’s top court holds that police can only use spyware to investigate serious crimes
  • Flightradar24 receives reprimand for violating aircraft data privacy rights
  • Nebraska Attorney General Sues GM and OnStar Over Alleged Privacy Violations
  • Federal Court Allows Privacy Related Claims to Proceed in a Proposed Class Action Lawsuit Against Motorola
  • Italian Garante Adopts Statement on Health Data and AI
  • Trump administration is launching a new private health tracking system with Big Tech’s help
  • Attorney General James Takes Action to Protect Sensitive Personal Information of Tens of Millions of People

RSS Recent Posts on DataBreaches.net

  • Connex Credit Union notifies 172,000 members of hacking incident
  • Federal judiciary says it is boosting security after cyberattack; researcher finds new leaks (CORRECTED)
  • Bank of America Refused To Reimburse Georgia Customer After Hackers Hit Account. Then a News Station Showed Up.
  • NCERT Issues Advisory on “Blue Locker” Ransomware Targeting Pakistan’s Key Institutions
  • Scattered Spider has a new Telegram channel to list its attacks
©2025 PogoWasRight.org. All rights reserved.
Menu
  • About
  • Privacy