7 August, 2015
A recent appeal against an enforcement notice issued by the Privacy Commissioner for Personal Data of Hong Kong raised an interesting and highly controversial issue as to whether, and to what extent, individuals in Hong Kong have a "right to be forgotten" entitling them to deletion of personal data in the public domain.
This label of "right to be forgotten" gained significant publicity following a landmark ruling of the European Court of Justice (ECJ) in May 2014 where it held that under certain circumstances search engines are obliged to remove results if they link to webpages that contain information infringing the privacy of EU citizens. The rationale behind this right is to avoid indefinite stigmatisation or censure due to information available about a specific action performed in the past, or at least to avoid search engines producing results that aggravate the resulting harm to affected individuals.
David Webb's case in Hong Kong – a right to remove personal data available in the public domain?
David Webb is a former investment banker turned activist who runs a website at Webb-site.com offering investors information on corporate and economic governance in Hong Kong. The website contains a database which compiles information about the various roles certain individuals play in the financial and public sectors in Hong Kong, for example, directorships in listed companies or membership in governmental advisory bodies. The database also includes reports and links to public documents about that person, such as press articles and court judgments.
The personal data in question in this case are the full names of the parties set out in the court judgments of a matrimonial case heard in open court in Hong Kong. The judgments were published on the Hong Kong Judiciary's website during 2000 to 2002. Some ten years later, in 2010 and 2012, the Judiciary redacted the names in the files on its website and, acting on one of the data subject's complaint, the Privacy Commissioner ordered Webb to follow suit and remove the names from his reports on Webb-site.com.
Mr. Webb refused to follow suit, and in August, 2014 the Privacy Commissioner issued an enforcement notice under the Personal Data Privacy Ordinance ("PDPO") against Mr. Webb ordering him to remove the names of the data subjects in question. The ground on which the Privacy Commissioner issued his enforcement notice was apparently Data Protection Principle 3 ("DPP3") of the PDPO, which requires that processors of personal data only use personal data for the purposes for which it has been collected, or any directly related purpose. The Privacy Commissioner's position was that Mr. Webb, by maintaining the reports and hyperlinks in the Webb-site.com archives, breached DPP3 by using personal data for a purpose other than the purpose for which it was to be used at the time of collection of the data. Under the PDPO, failure to comply with an enforcement notice constitutes an offence.
While taking down the reports in the interim, Mr. Webb filed an appeal against the enforcement notice, arguing that the personal data was collected at a time when it was publicly available, and so should continue to be accessible. Mr. Webb commented that the enforcement notice, if upheld, "would have a chilling effect on publishing within Hong Kong", with newspapers and websites potentially being ordered to take down articles about convictions, bankruptcies or divorces, information about which is already public.
Mr. Webb's appeal was heard by the Administrative Appeals Board ("AAB") in a public hearing on 13 July 2015. The AAB's decision is yet to be published.
Hong Kong law – is there a right to be forgotten?
The treatment of personal data in the public domain is a controversial subject, and has been the subject of enforcement under the PDPO in the past. The Privacy Commissioner issued an enforcement notice in July 2013 to the operator of a smartphone application known as "Do No Evil", which enabled searches for target individuals' litigation, bankruptcy and company directorship data obtained from public databases.
Users reputedly made use of the smartphone
application for due diligence and background check purposes. The Privacy Commissioner determined that the use of personal data obtained from the public domain for due diligence review and background checks was inconsistent with the original purpose of data collection by the Judiciary, the Official Receiver's Office and the Companies Registry, whether such purposes were expressly stated by the relevant registrar or were as determined by the Privacy Commissioner following his review of the functions of these registries. Use of data in such a way "obviously exceeded the reasonable expectation of the data subjects on public disclosure of their litigation and bankruptcy data". The Privacy Commissioner stated that "[t]his case highlights a common misunderstanding that personal data collected from the public domain, not from the data subjects direct, is open to unrestricted use".
As the law stands now then, there clearly is some basis in Hong Kong law, or at least in the Privacy Commissioner's enforcement policies, for a "right to be forgotten".
The position in Europe: a judicially sanctioned right to be forgotten
In a landmark ruling in May 2014, the ECJ held that under certain circumstances search engines may be required to remove search results if they link to webpages that contain information infringing the privacy of EU citizens.
The ECJ case concerned a Spanish national who requested a search engine to remove certain search links to newspaper announcements of 1998 regarding the forced sale of properties arising from social security debts that contained his name.
The ECJ found that in this particular situation, the processing of the personal data by the search engine was no longer relevant because the original publication was 16 years old and it could not be justified in the public interest or otherwise. An important point made by the ECJ is that whilst the legal basis for a ‘right to be forgotten’ exists under the EU Data Protection Directive ("the Directive"), its exercise needs to be considered on a case by case basis, by considering whether the public interest in accessing the information overrides the individual's right to privacy. In practical terms, an individual could argue that the processing of their data by a data controller is inadequate, irrelevant or excessive; such data is not kept up to date; or the data is being kept for longer than necessary.
It should be remembered that this “right to be forgotten” is a narrow one. The ECJ ruling concerns the de-listing of Internet search results only. The original information continues to exist at the source and can be accessed online directly or by search using search terms other than the individual's name.
Beyond the Webb case: what will happen in Hong Kong?
It will be interesting to see how the AAB decides on the Webb case, which involves a fundamental conflict between the right to privacy, freedom of expression and the right to use personal data in the public domain.
It is clear that ECJ rulings do not bind Hong Kong courts or the AAB and, in any event, the basis of the Privacy Commissioner's enforcement notice differs significantly from basis for the European enforcement action. Commenting on the ECJ litigation on his blog, the Privacy Commissioner noted that "prima facie, the approach [the ECJ] has taken is not applicable under the Ordinance [PDPO]". In particular, the Privacy Commissioner expressed the view that a search engine would not be considered a "data user" in Hong Kong; whereas in contrast the ECJ considered the search engine operator a "data controller" (the EU equivalent of a "data user") subject to the Directive.
Furthermore, the ECJ case turned on a finding that the linking to prejudicial data in relation to the individual in questions was "excessive" use of that data rather than the use of personal data for a new, unrelated purpose than for which it was collected (the basis for the Hong Kong enforcement action against Mr. Webb). The ECJ held that the search engine had breached the principle in Article 6(1)(c) that the personal data collected or processed "must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed". The gist of the ECJ ruling is that the processing of accurate personal data for the purposes for which it was lawfully collected may, in the course of time, become incompatible with the Directive. The Hong Kong enforcement action against Mr. Webb takes a different line of argument that the purpose of placing personal data into the public domain may over time be discharged, at least when the primary publisher of the personal data, in this case the judiciary, ceases to make the information public.
The issues under deliberation in Mr. Webb's case are perhaps narrower than those at issue in the "Do No Evil" case, where the personal data in question was ordered removed even though the data continued to be published by its primary sources. The forthcoming decision in Mr. Webb's appeal will necessarily, however, explore in much the same way the clashing of policy interests that arise when the interest in having a free flow of news and information poses challenges for privacy interests. Hong Kong's understanding of rights of privacy has expanded considerably in recent years. These issues are increasingly relevant in Hong Kong as elsewhere, and the decision in Mr. Webb's case will be an important one to watch.
