On July 1, 1997, the People's Republic of China (PRC) resumed exercise of its sovereignty over Hong Kong and established it as a "Special Administrative Region" (SAR). The laws of the Hong Kong SAR were incorporated into the Chinese legal system by the enactment of the Basic Law, often described as Hong Kong's mini-constitution.[1299]
The Basic Lawof the Hong Kong SAR contains several privacy protections. Article 29 provides that the "homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident's home or other premises shall be prohibited." Article 30 provides that the "freedom and privacy of communications of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communications of residents except that the relevant authorities may inspect communications in accordance with legal procedures to meet the needs of public security or of investigation into criminal offenses."
In 1996, after six years of study by the Law Reform Commission,[1300] Hong Kong enacted a Personal Data (Privacy) Ordinance(the Ordinance),[1301] The Ordinance came into effect in December of that year, with the exception of the provisions concerning the transfer of data outside Hong Kong[1302] and data-matching.[1303] No substantial amendments to the Ordinance have been made to date, other than the provision that provided that the Ordinance prevails over any other ordinance in case of inconsistencies,[1304] which the Standing Committee of the National People's Congress of the PRC found contravened the Basic Lawand declared invalid.[1305]
Following the standard set by the OECD Guidelines for Protection of Privacy and Transborder Flows of Personal Data, the Ordinance adopts six "fair information principles" to regulate notice, collection, accuracy, use, security and access to "personal data," broadly defined as "any representation of information (including an expression of opinion) in any document, and includes a personal identifier."[1306] It also imposes additional restrictions on certain processing, namely data matching and direct marketing. The former requires the prior approval of the Privacy Commissioner while the latter requires that a "data user" inform the "data subject" of the opportunity to opt-out from further approaches.[1307]
The Ordinance applies to public and private "data users" and to manual and electronic records. However, under the Interpretation and General Clauses Ordinance,[1308] itis not applicable to PRC government agencies in the Hong Kong SAR.[1309] In June 1999, the High Court dismissed a legislator's civil suit over the failure of the then New China News Agency (NCNA) to respond within the Ordinance-specified time frame to the legislator's request for information about herself in the agency's files, because the NCNA Director named in the suit was not in Hong Kong at the time the incident occurred. In October 2000, the Director of the NCNA, now known as the Liaison Office, served the legislator a writ requiring the legislator to pay his court costs, as is allowed under Hong Kong law. The pro-democracy legislator eventually paid her opponent's court costs with a combination of public donations and personal funds.[1310]
The Ordinance establishes an oversight body, the Office of the Privacy Commissioner (PCO), to promote and enforce compliance with statutory requirements.[1311] The Commissioner is given strong enforcement powers modeled on those contained in the United Kingdom Data Protection Act.[1312] In addition to investigating complaints, the commissioner may initiate independent investigations and conduct audits of selected data users. Some violations of the Ordinance constitute criminal offenses. In other cases, an injured party may seek compensation through civil proceedings. If the Commissioner believes that violations may continue or be repeated, it may issue enforcement notices to direct remedial measures.[1313]
The Commissioner may issue codes of conduct to provide guidance on compliance with the Ordinance's provisions. Codes are legally subordinate, but have evidentiary relevance in determining whether a contravention of the Ordinance has occurred. To date the Commissioner has issued five codes; the Code of Practice onthe Identity Card Number and other Personal Identifiers;[1314] the Code of Practice on Consumer Credit Data;[1315] the Code of Practice on Human Resource Management;[1316] the Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operators[1317] and, most recently a draft Code of Practice on Monitoring and Personal Data Privacy at Work.[1318] In 2000, the Privacy Commissioner jointly issued a voluntary code of practice and a consumer guide on how to deal with "spam" with the Telecommunications Authority and the Hong Kong Internet Service Providers Association. In May 2001, the Privacy Commissioner held a public consultation on the Code of Practice for Consumer Credit Data.[1319] In February 2002,[1320] the Privacy Commissioner approved amendments that would make it easier for banks and other credit grantors to gain access to consumer credit reference files[1321] and retain credit data for a much longer period of time than previously allowed.[1322]
The recent economic downturn[1323] has led to some companies outsourcing data processing functions to jurisdictions that have weaker privacy protections for personal data, particularly mainland China and India.[1324] To date this development has largely gone unchecked by the Privacy Commissioner[1325] because § 33 of the Ordinance, governing transborder data flows, has yet to be enacted.[1326]
The Hong Kong SAR is the European Union's tenth largest trading partner, while the European Union is Hong Kong's third largest supplier, after China and Japan. Total bilateral trade in 2002 amounted to approximately EUR39 billion.[1327] The Commissioner has had informal discussions with the European Union over the question of the adequacy of data protection under the European Union Data Protection Directive, but has not received a formal reply.[1328] Hong Kong will likely not be deemed adequate before the enactment of Section 33 of the Ordinance.[1329]
In 1999, the Hong Kong Law Reform Commission issued a consultation paper calling for "a code of practice on all forms of surveillance in the workplace for the practical guidance of employers, employees and the general public."[1330] In March 2002, the Commissioner responded with a more modest Draft Code of Practice on Monitoring and Personal Data Privacy At Work,[1331] which covers the monitoring of telephone calls, e-mail and computer usage and video surveillance.[1332] He specifically recognized, but excluded from treatment, other privacy-invasive practices such as drug testing, psychological profiling and productivity monitoring by automated equipment. These may yet be covered by future codes of practice.
Opinion surveys conducted in 2000 and 2001 indicated that approximately 64 percent of Hong Kong businesses use at least one of the following five surveillance methods: closed-circuit television, computer use (auditing), web-browsing, e-mail, phone.[1333] While only around 22 percent of businesses engaged in surveillance had relevant written policies.[1334]
Employers, trade association and trade unions have criticized the draft - particularly the definition of "e-mail" - as problematically vague and have suggested that the nature of the workplace will be affected by companies reacting with more restrictive policies on the use of e-mail and the Internet at work.[1335]
Since 1949, Hong Kong residents have carried laminated photo identity cards imprinted with biographical data and the cardholder's residency status. In 2002, the government introduced a smart identity card with a chip that will contain a digital replica of the cardholder's thumbprint, immigration data, a digital certificate and have room for other information, including medical and financial data and driving records.[1336] The government plans to replace all 6.8 million of the old cards by 2007.[1337]
In response to widespread sensitivity about privacy, Hong Kong's Secretary of Information Technology and Broadcasting stated in January of 2002 that there "will be no more data on the surface of the card, than the data that already appears" and that "... only minimal data will be stored in the card's chip. Except for essential immigration-related data and digital certificates, personal data in respect of non-immigration related applications will be kept at back-end computer systems of the concerned government departments. None of the proposed non-immigration applications (that is, using the card as a driving license and library card, storage of a digital certificate and change of address) will be mandatory. Cardholders will have a choice on whether to include the applications on the card."[1338] Further, any data stored in the chip will be encrypted, data for separate applications will be segregated and only authorized persons will have access to the data on the card.[1339]
In a classic example of "function creep," in April 2002, a senior Immigration Department official said that more services and functions are being considered, including storing a person's blood type on the card for emergencies.[1340]
In commenting on the initial proposal, the Privacy Commissioner expressed concerns over the danger of identity theft and the secondary use of the personal information that will be stored on the card.[1341] Sin Chung-kai, a Democratic Party legislator, who led the debate on the ID card issue, stated "We're not opposed to people having to carry ID cards. The crux of the controversy is how much other information about a person should be stored on the card."[1342]
In December 2000, an interdepartmental working group on computer crime issued a report for public consultation.[1343] The report proposed a series of measures, both legislative and administrative, to address computer-related crimes. Recommendations included strengthening the penalties for hacking and unauthorized access offenses,[1344] compelling the disclosure of encryption keys or decrypted text,[1345] and requiring Internet Service Providers to retain subscriber logs.[1346] Thegovernment is still considering means to implement these proposals.[1347]
Hong Kong banks already share a 'blacklist' of loan defaulters and borrowers who have court judgments issued against them,[1348] but faced with an unprecedented five-fold increase in bankruptcies in recent years, banks proposed an amendment to the Ordinance allowing them to share even more personal data through a newly created third-party agency. The so-called "positive data sharing agency" would be run by a private company and modeled after British and North American institutions.[1349] The agency would allow banks to share information between each other on the amount of a credit seeker's outstanding credit card debt, cards held, credit limit, past due accounts, residential mortgages and other types of consumer credit.[1350] The Hong Kong Monetary Authority and the Privacy Commissioner supported the proposal, but SAR legislators, consumer advocates and the public did not, citing privacy concerns.[1351] A representative of one of Hong Kong's largest banks responded to these concerns by saying that "privacy [was] no longer relevant."[1352]
As required by the Ordinance, the Privacy Commissioner opened a public consultation on the credit issue last year and proposed relaxing restrictions on data sharing between banks.[1353] Specifically, amendments to the Consumer Credit Data Code would extend the period of retention of credit application data by a credit reference agency from 90 days to 5 years and extend the period for retention of file activity data from 12 months to 5 years. Further proposals would allow the release of file activity data by a credit reference agency to credit providers, and to prevent credit providers from accessing an individual's data held by a credit reference agency except where there was a relevant need to do so. Credit reference agencies began building positive information databases on applicants in June, but it will be another two years before they are in full use.[1354]
In early 2002, Hong Kong police proposed a pilot program to install a number of cameras in Lan Kwai Fong, a district of Hong Kong, aimed at preventing crime and controlling crowds.[1355] The cameras would be linked to a police station and footage would be held for three months. The plan was supported by the local business association, but not by many local businesses who felt the surveillance might affect people's willingness to come to the area. Lawmakers and human rights groups also opposed the plan, saying it was an invasion of privacy.[1356]
In May 2002, Hong Kong police bowed to public and legislative opposition and suspended the proposal. In a paper submitted to legislators, Deputy Secretary for Security, Timothy Tong Hin-ming, said police would study the privacy concerns of the scheme before consulting the public and the Privacy Commissioner again.[1357]
Also in May 2002, the SAR Correctional Services Department announced that it was installing thousands of surveillance cameras in all of Hong Kong's prisons - including dormitories, but not toilets - in an effort to prevent inmate gambling.[1358] Following the death of an inmate last year, legislators renewed questions regarding the use of surveillance cameras in prisons. In the past, the CSD has refused to detail what percentage of prisons were monitored by cameras or what the criteria is for their use to be deemed necessary. "In some cases, the images are used to assist prison staff's observation only and no recording function is provided. In other cases, automatic recording of the sequential images appearing on the monitor is provided," a CSD spokesman said. At least one legislator has said he plans to ask the department to disclose details of the number, function and purpose of surveillance cameras in all penal institutions.[1359]
Following outcries over 'upskirt' scandals overseas and in the absence of laws making cyber-voyeurism illegal in Hong Kong, some businesses - such as fitness clubs - have begun to ban the use of mobile phones with built-in cameras.[1360]
Hong Kong's Independent Commission Against Corruption (ICAC) prosecuted two people, in 1998 and 1999, for unauthorized disclosure of telecom subscriber data to debt collectors.[1361] In response to these incidents, ICAC issued a study that called for closer cooperation among the government agencies responsible for telecommunications in Hong Kong.[1362]
In June, the Privacy Commissioner jointly launched a voluntary Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operatorswith Hong Kong's Consumer Council, ICAC, and the Office of the Telecommunications Authority.[1363] The guidelines are the result of the yearlong effort to gather the privacy rules for telecommunication companies into one document.
The Codecovers the following five areas: policy on protection of customer personal data; technical measures for protection of customer personal data; location security; staff security; and, transfer of customer personal data.[1364] Specifically, the Codecalls on companies to establish a data classification policy based on degrees of sensitivity for personal data and risk of exposure. It also recommends controlling access on a "need-to-know" basis, the introduction of an ethics policy and the prevention of bribery.
While the compliance with the guidelines in the Codeis voluntary, the requirements listed in the code are not. For example, the Telecommunication Authority requires service providers to protect customers' data,[1365] the Personal Data (Privacy) Ordinance sets out strict rules for the use and distribution of personal data; and, the ICAC has responsibility for all cases involving bribery in Hong Kong.
The Telecommunications Ordinance[1366] and the Post Office Ordinance [1367] regulate the interception of communications. Wiretaps require authorization for interception operations at the highest levels of government, but a court-issued warrant is not required. The Hong Kong government has refused to reveal how often the Chief Executive uses his powers to authorize telephone wiretaps and interception of private mail.[1368] In 1999, an unofficial report estimated that the SAR government intercepted more than 100 conversations of private individuals a day.[1369] The vagueness of the intercept powers and the lack of procedural safeguards are inconsistent with the Article 17 of the International Covenant on Civil and Political Rights, which is incorporated into Hong Kong's domestic law by article 14 of the Bill of Rights Ordinance.[1370]
After the Tiananmen Square demonstrations in 1989, and in anticipation of the 1997 handover, Beijing insisted on an internal security provision in the Basic Law[1371] requiring Hong Kong to draft internal security laws to replace the archaic colonial regulations left behind by the British. In September 2002, the Hong Kong government released an "Article 23" consultation document[1372] proposing a long list of substantive amendments, - including prohibiting acts of treason by foreign nationals, secession, sedition, subversion, or theft of state secrets, as well contacts with foreign political organizations, - and procedural amendments, including new police investigatory powers.[1373]
The amendments were vague and overbroad. Human rights groups noted that Chinese laws with similar language have been regularly used to convict and imprison journalists, labor activists, Internet entrepreneurs and academics.[1374] Following wide public criticism, the government scrapped the sedition and treason offences in January and promised to narrow the allowed uses of new warrantless searches to only senior police officials.[1375] However, the government stood firm on proscribing local groups affiliated with mainland organizations that have been banned on national security grounds.[1376] In July, massive public protests and the defection of a key pro-business member of the government forced the Chief Executive Tung to delay the passage of the Article 23 amendments indefinitely.
The Hong Kong Bar Association said the national security bill was widely perceived to be "a real threat to the rights and freedoms of the residents of Hong Kong, in particular, to their freedom of political expression and of seeking information through the media".[1377] The United States and Europe have stated that they are pleased the Hong Kong government had decided to delay Article 23 legislation.[1378]
Hong Kong's anti-terrorism efforts since September 11, 2001, have largely focused on improved financial tracking.[1379] The original bill allowed the government to unilaterally declare a person a terrorist, while the courts would only serve as an appeal channel. However, legislators have said the government should go through the courts first as a way to minimize the risk of people being wrongly labeled terrorists. The deputy secretary for security, Timothy Tong, has said the government would consider amending the bill.[1380]
In September 2002, the Hong Kong government signed a customs declaration with the United States Customs Service to facilitate exchanges of airline passenger information and increase surveillance of shipping traffic.[1381] The government has also signed similar agreements with other Southeast Asian nations.
In 2003, Hong Kong SAR was hit hard by SARS (or "severe acute respiratory syndrome"). The government implemented quarantine measures that required any person who had come into close contact with a known SARS carrier to report daily for ten days to one of four designated medical centers throughout the city. However, legislator Lo Wing-lok expressed concern that cases might be under-reported as people stayed away from clinics for fear of being identified in the press. "There should be provisions for privacy - otherwise people might be discouraged from going because they won't want their pictures appearing in the press," he said. In response, health officials proposed to transport quarantined individuals to the centers by private shuttles.[1382]