Journal of Law, Information and Science


Hargreaves, Stuart; Tsui, Lokman --- "IP Addresses as Personal Data Under Hong Kong's Privacy Law: An Introduction to the Access My Info HK Project" [2017] JlLawInfoSci 4; (2017) 25(1) Journal of Law, Information and Science 68


IP Addresses as Personal Data Under Hong Kong’s Privacy Law: An Introduction to the Access My Info HK Project

STUART HARGREAVES[*] AND LOKMAN TSUI[**]

Abstract

IP addresses have significant implications for personal privacy: if connected to a particular subscriber, they can reveal a vast range of online behaviour. The question of whether IP addresses are ‘personal data’ under a data protection regime is therefore critical, as such a classification greatly limits the usage to which those addresses can be put absent user consent.

This paper critically reviews the approaches taken to the question of whether IP addresses ought to be classified in this way in Hong Kong and in the European Union (‘EU’). Jurisprudence related to the EU Data Protection Directive and the forthcoming General Data Protection Regulation both treat IP addresses as ‘personal information’. This results in robust protection for IP addresses under European law. In Hong Kong, however, the jurisprudence is limited to two lower court decisions that are inconsistent with one another, and neither shows a deep appreciation for the importance IP addresses may have in revealing the behaviour and activities of Hong Kong residents online. The Privacy Commissioner for Personal Data has likewise not shown an interest in challenging the approach taken by the courts thus far regarding this issue.

Noting this relative lack of attention, this paper introduces the Access My Info: Hong Kong (‘AMI:HK’) project. AMI:HK is a platform for users to make data access requests to telecommunications service providers in Hong Kong. The project should reveal if there is consistency in the Hong Kong providers’ approach to their access obligations under the Personal Data (Privacy) Ordinance, in particular the question of whether they treat IP addresses as personal data within the meaning of the law.

Introduction

Every networked device is assigned an Internet Protocol (‘IP’) address that identifies it and that allows for communication with other networked devices. An Internet Service Provider (‘ISP’) has the ability to connect a home broadband subscriber to a particular IP address, and the same is true of a mobile communications provider that delivers internet connectivity to a smartphone.

If third parties can obtain this connection, then the implications for personal privacy are profound, since theoretically IP addresses can be used to log all kinds of online behaviour, whether it is participating in political or religious activism online, sharing family recipes, accessing pornography, infringing copyright by sharing music, or teenagers seeking information about human sexuality. A study conducted by the Office of the Privacy Commissioner of Canada, for instance, found that an IP address allowed them to determine that the individual assigned that address had visited websites related to:

search engine optimization training; Canada’s advertising and marketing community; web governance; identity management; privacy issues; legal advice related to insurance law and personal injury litigation; a specific religious group; fitness; online photo sharing; the revision history of a Wikipedia entry; and specific entertainers which, in turn, exposed a variety of usernames.[1]

A search for information related to the IP address of one Wikipedia contributor[2] revealed that they had:

edited hundreds of pages on Wikipedia about television shows, both North American and international ... [showing an] interest in TV shows [that] was extensive and specific; edited dozens of pages on Wikipedia related to history topics; participated in a discussion board about a television channel; and visited a site devoted to sexual preferences following an online search for a specific type of person.[3]

Consequently, European privacy law treats IP addresses as ‘personal data’ within the meaning of its data protection regimes, meaning they cannot be transmitted by ISPs to third parties absent circumstances such as the consent of the data subject or a court order.

Though Hong Kong’s privacy regime, the Personal Data (Privacy) Ordinance (‘PDPO’),[4] is modelled on the European Union’s Data Protection Directive,[5] treatment of IP addresses under it is not well developed. There is limited judicial commentary on the issue and no clarity as to whether Hong Kong ISPs consider the IP addresses of their subscribers to be ‘personal data’ and thus protected by Hong Kong’s privacy law.

This paper outlines the importance of IP addresses to personal privacy, compares the way in which they are treated under European and Hong Kong law, and then introduces the Access My Info: Hong Kong (‘AMI:HK’) project.[6] AMI:HK is a joint initiative of members of the Chinese University of Hong Kong’s School of Journalism & Communication, InMediaHK, Keyboard Frontline, Open Effect, and the Citizen Lab (developers of the original AMI project[7] in Canada). It includes an easy-to-use website that assists Hong Kong residents in making data access requests to their telecommunications providers. A key goal of the project is to learn whether Hong Kong ISPs and mobile phone service providers treat IP addresses as personal data within the meaning of the PDPO, and to help justify regulatory reform where necessary.

1 IP addresses and privacy

Simply put, IP addresses are unique identifiers assigned to every networked device connected to the internet. An IP address may be either static or dynamic. A static IP address is usually assigned by a network administrator to a specific device and, as the name suggests, does not change. An office computer may, for example, be assigned a static IP address that does not change, regardless of who is using the machine. In contrast, a dynamic IP address does change, sometimes at pre-set intervals and sometimes in response to network events.

Dynamic IP addresses are commonly used by ISPs to provide internet services to home users. An ISP, for instance, might control a block of IP addresses from which it then assigns temporary addresses to users, rather than assigning each subscriber a permanent static address. This would allow an ISP to minimise the overall number of IP addresses they must maintain. A home broadband user’s IP address might be different from one day to the next, or one month to the next, depending on how often their ISP rotates the addresses. It might also change every time they restart their modem or router.

However, the fact that the IP addresses of home broadband users change over time offers no meaningful privacy protection. An ISP knows exactly who was assigned any given IP address at any given moment. In other words, PCCW (an ISP that provides home broadband services) knows that IP address 10.7.44.214 was assigned to broadband subscriber Cynthia Chung from 6:34 am 9 January 2016 to 9:12 pm 11 January 2016. This also means that PCCW knows that any website that was accessed by IP address 10.7.44.214 in that timeframe was almost certainly accessed by Cynthia or someone in her household.

This implicates significant privacy issues: message boards log the IP addresses of the authors of every single comment, search engines know the IP address behind each query, online newspapers know which IP addresses clicked on which links, and every pornography website knows the IP addresses of its most common visitors. If approached by a third party seeking the identity of the individual who posted a politically sensitive comment from IP address 10.7.44.214 on the ‘Golden Forum’ message board at 8:03 pm on 10 January 2016, PCCW has the technical means to provide that information and thereby unmask Cynthia’s political beliefs. In short, if website logs of the IP addresses of visitors can be connected to the IP address subscriber information logs held by ISPs, then anonymity on the web is virtually impossible to maintain (assuming a user takes no steps to intentionally mask their IP address by use of a Virtual Private Network (‘VPN’)). Only if PCCW considers their IP address logs to be ‘personal information’ might Hong Kong’s privacy law regulate when they can provide assistance to a third party seeking to make such a connection.
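The linkage described in this section can be made concrete with a short added illustration (not part of the original article, and not any provider's actual system). It shows that a dynamic address alone narrows to several subscribers, while address plus timestamp resolves to exactly one, or to none when no assignment covers that moment. All rows other than the article's own example, the subscriber labels, and the assumption that both logs share one clock and timezone are constructed.

```python
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple


class Lease(NamedTuple):
    """One row of an ISP's address-assignment log (constructed sample)."""
    ip: str
    subscriber: str
    start: datetime  # inclusive
    end: datetime    # exclusive


class Hit(NamedTuple):
    """One row of a website's access log: no name, only address and time."""
    ip: str
    when: datetime
    action: str


# Constructed lease log. The second row mirrors the article's example;
# the other rows and the subscriber labels are invented for illustration.
LEASES = [
    Lease("10.7.44.214", "subscriber-0417",
          datetime(2016, 1, 5, 8, 0), datetime(2016, 1, 9, 6, 34)),
    Lease("10.7.44.214", "Cynthia Chung",
          datetime(2016, 1, 9, 6, 34), datetime(2016, 1, 11, 21, 12)),
    Lease("10.7.44.214", "subscriber-2290",
          datetime(2016, 1, 11, 21, 40), datetime(2016, 1, 14, 3, 5)),
]

# Constructed website log entries, all from the same dynamic address.
HITS = [
    Hit("10.7.44.214", datetime(2016, 1, 10, 20, 3), "post comment"),
    Hit("10.7.44.214", datetime(2016, 1, 11, 21, 20), "view page"),  # falls in a gap
    Hit("10.7.44.214", datetime(2016, 1, 12, 9, 0), "search"),
]


def holders(ip: str, leases: List[Lease]) -> List[str]:
    """Everyone who ever held `ip`: all that the address alone narrows to."""
    return sorted({l.subscriber for l in leases if l.ip == ip})


def resolve(ip: str, when: datetime, leases: List[Lease]) -> Optional[str]:
    """Subscriber holding `ip` at `when`, or None if no lease covers it."""
    matches = [l for l in leases if l.ip == ip and l.start <= when < l.end]
    if len(matches) > 1:
        # Two subscribers on one address at once means the lease log is
        # inconsistent; refuse to attribute rather than guess.
        raise ValueError(f"overlapping leases for {ip} at {when}")
    return matches[0].subscriber if matches else None


def link(hits: List[Hit], leases: List[Lease]) -> List[Tuple[Optional[str], str]]:
    """Join the website log to the lease log on (address, time)."""
    return [(resolve(h.ip, h.when, leases), h.action) for h in hits]


if __name__ == "__main__":
    print("address alone ->", holders("10.7.44.214", LEASES))
    for who, action in link(HITS, LEASES):
        print(f"{action!r:15} -> {who}")
```

The join needs both halves: the website log carries no names and the lease log carries no browsing activity, which is why the classification of each log on its own matters.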

2 IP addresses under European law

As a result, the importance of IP addresses to individual privacy is now well recognised in European law. As far back as 2007 the Article 29 Working Party argued that

unless an ISP is in a position to distinguish with absolute certainty that the data corresponds to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.[8]

In a subsequent paper, the Article 29 Working Party confirmed that this basic approach ought to also be followed by search engines.[9]

The relevant jurisprudence coming out of the Court of Justice of the European Union (‘ECJ’) has been consistent with this approach. In Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM),[10] SABAM, a collective of copyright owners and publishers, sought an order requiring Scarlet, an ISP, to prevent individuals from using its system to send or receive musical works within SABAM’s portfolio through the use of a systematic filter that would analyse the content of all data shared by subscribers. The ECJ found that such a mandatory filter failed to strike a fair balance ‘between the right to intellectual property, on the one hand, and the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information, on the other’.[11] In reaching this conclusion, the Court argued that all parties had accepted that IP addresses are ‘protected personal data because they allow users to be precisely identified’.[12]

The addresses in Scarlet Extended allowed users to be identified, of course, because they were held by an ISP that could directly connect them to their subscriber data. However, what if the data controller were not an ISP, but rather a website operator? Should a website’s logs of the IP addresses of its visitors still be classed as personal data, even though the website acting alone does not have the mechanism to directly connect them to an identifiable individual?

In Patrick Breyer v Bundesrepublik Deutschland the ECJ answered this in the affirmative.[13] Breyer brought an action seeking to prevent websites run by the federal German government from storing IP addresses of visitors. As the IP addresses were dynamic, the only way the website operators could identify individuals would be to approach the relevant ISP and ask it to connect them to a subscriber. The Court found that even dynamic IP addresses of visitors to websites were properly classed as personal data when held by website operators with the legal means to obtain information from a third party (such as an ISP), that would then allow them to connect the address to a given individual.[14] Since the law did allow that ‘in the event of cyber-attacks ... [a competent authority could] take the steps necessary to obtain that information from the ISP and to bring criminal proceedings’,[15] this threshold was met.

The approach taken in Patrick Breyer also seems consistent with recital 26 of the EU Data Protection Directive, which states that when answering the question of identifiability, ‘account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person’.[16] This implies that it is not necessary under the Data Protection Directive that the data controller be able to immediately identify the individual through her IP address in order that the information be treated as ‘personal data’; rather, there simply must be a reasonable chance of them doing so given the means at their disposal.

This reflects a relatively expansive interpretation given to personal data in the EU, an interpretation that will be further solidified with the replacement of the Data Protection Directive in May 2018 with the General Data Protection Regulation (‘GDPR’).[17] Recital 30 of the GDPR explicitly uses IP addresses as an example of an online identifier that ‘may be used to create profiles of natural persons and identify them’.[18] Though it remains to be seen how the ECJ will interpret the GDPR, given the jurisprudence under the Directive and the direct inclusion of IP addresses into the recital, it is difficult to imagine the Court suddenly embracing a more restrictive approach to the treatment of IP addresses as personal data.

3 IP addresses under Hong Kong law

In Hong Kong, the legal protection of privacy is obtained in several ways. The Basic Law,[19] the quasi-constitution that grew out of the agreement between the United Kingdom and China regarding the restoration of Chinese sovereignty over the territory,[20] provides for the physical, territorial and communications privacy of residents of Hong Kong vis-à-vis the state. Article 28 of the Basic Law prohibits ‘arbitrary or unlawful search of the body’, article 29 prohibits ‘arbitrary or unlawful search of, or intrusion into [the home]’, and article 30 protects the ‘freedom and privacy of communication’.

Though judicial interpretation of these provisions by the courts has been relatively narrow in scope,[21] article 39 of the Basic Law also requires the incorporation of the International Covenant on Civil and Political Rights[22] into domestic legislation. This incorporation is achieved through the Hong Kong Bill of Rights Ordinance,[23] where article 14 ensures the ‘protection of privacy, family, home, correspondence, honour, and reputation’.[24]

Of course, both the Basic Law and the BORO relate to the relationship between the individual and the state, and so it falls to the PDPO to generally govern the privacy rights of individuals in Hong Kong in other circumstances. The PDPO is a comprehensive data protection regime, and (coming into effect in 1995) was the first of its kind in Asia. Like other comprehensive regimes,[25] it traces its conceptual roots to the ‘fair information principles’ of the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,[26] which form the substantive core of the law: the six ‘Data Protection Principles’ (‘DPPs’).[27]

DPP3, the data use principle, requires that personal data collected about a data subject cannot be used for a new purpose without the explicit consent of the data subject, subject to certain exemptions.[28] Generally, this has been taken to mean that data cannot be transferred by a data controller to a third party without such consent (or where there is a relevant exemption). However, for IP addresses to benefit from this protection, they must first reach the threshold of being ‘personal data’, defined under the PDPO as ‘data relating directly or indirectly to a living individual, from which it is practicable for the identity of the individual to be directly or indirectly ascertained’.[29] The PDPO also defines ‘practicable’ as meaning ‘reasonably practicable’,[30] a question to be answered by taking into account ‘all relevant data controlled by the party’.[31]

It is also worth noting that General Condition 6 of the Services-Based Operator Licence, which all ISPs and mobile internet providers are required to obtain by the Telecommunications Authority under the Telecommunications Ordinance,[32] obliges licensees to not disclose the ‘information’ of customers without their consent or unless it is needed for the prevention or detection of crime.[33] However, ‘information’ is not defined in either the Licence or the Telecommunications Ordinance, and so for the purposes of this paper we continue to query the meaning of ‘personal data’ under the PDPO as it relates to IP addresses.[34]

In comparison to European law, the question of whether IP addresses reach the legal standard of being ‘personal data’ under Hong Kong law is far from settled; judicial consideration is both less conclusive and less coherent. Cinepoly Records v Hong Kong Broadband Network[35] was the earliest case to touch upon this issue. A group of plaintiff music companies sought Norwich Pharmacal[36] relief against the defendant internet service provider for the names, Hong Kong identity card numbers, and other information relating to 22 subscribers whom the plaintiff believed were infringing its copyright through peer-to-peer ‘torrent’ software. Cinepoly already had the IP addresses of the subscribers, and argued that since Hong Kong Broadband Network (‘HKBN’) had assigned the subscribers those addresses, HKBN could also use them to provide Cinepoly with the other information (name, identity card number, address, etc) that they required to proceed with their main action. Norwich Pharmacal relief was required because that information was arguably ‘personal data’ under the PDPO, and therefore could not be handed over by HKBN to Cinepoly absent the consent of the 22 subscribers (which obviously they would not provide) or a court order.

Poon Dep J granted the relief, finding that the necessary elements were met. The applicant was able to establish that serious tortious or wrongful activities had been occurring (heavy copyright infringement), the applicant had a bona fide belief that the alleged wrongdoers were infringing its rights, and that HKBN was facilitating this infringement.[37] In deciding to exercise the Court’s discretion to make the order, Poon Dep J noted that section 58 of the PDPO provides an exemption to DPP3 (the use limitation principle that would otherwise prevent an ISP from handing over personal information without consent) where the new use of the data is for the prevention or detection of crime or unlawful or seriously improper conduct, if it can be shown that applying DPP3 in such circumstances would prejudice the ability to remedy that conduct. Poon Dep J concluded that such prejudice would in fact occur if the Norwich Pharmacal order were not granted, and therefore ordered HKBN to provide Cinepoly with the subscriber information.[38]

However, at no point did Poon Dep J argue or conclude that the IP addresses themselves were personal data within the meaning of the PDPO. Rather, the IP addresses were simply the mechanism by which the personal data (name, ID card number, billing address, etc) of the subscribers could be obtained. In dicta, however, Poon Dep J nonetheless acknowledged that the use of IP addresses was connected to individual privacy:

Some online copyright infringers may well think that they will never be caught because of the cloak of anonymity created by the P2P programs. They are wrong. And from now on, they should think twice. ... The court can and will, upon a successful application, pull back the cloak and expose their true identity.[39]

However, Poon Dep J also went on to argue that for the Court to order a connection of their IP addresses to their subscribers’ identity would not be ‘an intrusion into their privacy, [because the] protection of privacy is never and cannot be used as a shield to enable them to commit civil wrongs with impunity’.[40] This evinces some muddled thinking. On the one hand, Poon Dep J appears to accept that IP addresses can be used to eliminate the anonymity of internet users in Hong Kong if an ISP connects them to a particular user, a decision that necessarily reduces the privacy of the individual whose identity is disclosed. This makes sense. However, Poon Dep J then goes on to argue that this is not an intrusion of privacy because privacy cannot be a shield to commit wrongdoing.

Respectfully, this is an illogical approach to the very fair ‘balancing’ question of when privacy ought to be justifiably limited in order to protect other rights. A more sensible approach would be to simply acknowledge that privacy is not an absolute right, and there are circumstances in which it is legitimate for the state to order an intrusion into that privacy; search warrants and court orders are examples where individual privacy loses out to other interests. Indeed, this is explicitly provided for by the PDPO. The issuance of a search warrant does not, however, imply that there is no relevant privacy interest; rather it means that, on balance, a judicial officer has deemed it necessary and justifiable to pierce that interest.

Now, it is fair to argue that the Court did not feel the need to treat IP addresses as ‘personal data’ in Cinepoly because it was not necessary on the facts of the case. Recall that the applicants already possessed the IP address information and sought to use it to obtain other personal data. But this seems inconsistent with the recognition by the Court that the IP addresses were ultimately the key to unlocking the online activities of the alleged copyright infringers. Inclusion of IP addresses within the category of ‘personal data’ would not have altered a result based on section 58.

The second significant case in the Hong Kong courts touching on this issue related to the conviction of a mainland-based journalist in 2006 by the Changsha Intermediate People’s Court for transferring state secrets to foreign entities. He had used a Yahoo! email account to send notes on secret files from his office computer and his conviction was obtained in part thanks to the disclosure of related personal data by Yahoo! Holdings (Hong Kong) Ltd (‘YHHK’) to the relevant authorities in China.[41] This data included user registration details associated with the email account in question, associated IP addresses, login metadata and certain email content. The appellant lodged a complaint with the Office of the Privacy Commissioner for Personal Data (‘PCPD’) arguing that this was a breach of DPP3. The PCPD concluded in its Report that IP addresses were not personal data within the meaning of the law, because they are ‘information about an inanimate computer, not an individual. ... [A]n IP address cannot alone reveal the exact location of the computer concerned or the identity of the computer user’.[42]

The PCPD also determined that YHHK was not a ‘data user’ within the meaning of the law, since although it was the legal owner of the Beijing subsidiary and thus may have had control of the information generally,[43] it had no control over the disclosure of the information in question because it was compelled to disclose it under the Criminal Procedure Law of the People’s Republic of China.[44] Furthermore, there was no contravention of DPP3 in the PCPD’s view thanks to terms of service and privacy policies that stated that YHHK might share certain information in response to court orders and legal processes.[45] As a result, the Commissioner concluded, the disclosure was a ‘use’ for a purpose consistent with the original purpose of collection and therefore there was no violation of DPP3.[46]

Unsatisfied with this outcome, the appellant brought the case, Shi Tao v PCPD,[47] before the Administrative Appeals Board (‘AAB’) as was his right under the PDPO. He argued, inter alia, that the correct approach to the question of whether IP addresses constituted personal data was not about whether they themselves were data per se, but whether they were when combined with other relevant data.[48] The PCPD argued in response that personal data itself had to have ‘biological significance’ in relation to the individual.

The AAB split the difference between these two positions, concluding that ‘IP information ... even when coupled with other information disclosed, does not constitute personal data within the meaning of the PDPO’.[49] On this particular set of facts, the AAB concluded, there was no evidence that the user information related to the IP address revealed the applicant’s identity (that information was an anonymous Yahoo! email address, the business address where the computer sending the email was located, and the time and date the message was sent).[50] They therefore concluded that none of the information (not just the IP addresses) transmitted by YHHK to the state authorities in China was ‘personal data’ within the meaning of the PDPO.

Though not necessary given their conclusion that there was no ‘personal data’ at issue, the AAB went on to consider whether DPP3 had been breached, in case they were wrong on their conclusion about the nature of the data. They disagreed with the PCPD’s Report in part, finding that YHHK was a data user within the meaning of the PDPO, because it had control over the information in question as a matter of course. The fact that it was compelled by a government entity to transfer the information did not strip the company of that status generally.[51]

The AAB agreed with the PCPD, however, that the appellant had given his consent to the transfer of his information in the contemplated circumstances thanks to the terms of service and privacy policy associated with his email account. It disagreed with the PCPD that conceptually the transfer was therefore a use ‘consistent with’ the purpose of the original collection. Instead, it was better understood simply as consent to that particular purpose: compliance with a legal process.[52] Reliance on consent to the terms of service rather than the section 58 exemption was necessary, concluded the AAB, since the requested transfer was an out-of-jurisdiction legal process.

Returning to the critical question of the nature of IP addresses, the AAB in Shi Tao appeared to reject the treatment of IP addresses in Cinepoly. The AAB suggested that because the user information sought by the applicants in Cinepoly was ‘reliably personal’ (names, ID card numbers, and addresses), then in that context IP addresses would constitute personal data when coupled with that information. However, the AAB’s application of this principle to the facts before it in Shi Tao seems unsatisfying. As noted, the AAB found that the IP address information transferred by YHHK could not identify an individual without being coupled with more information, and thus did not satisfy the definition of personal data under the PDPO. Yet the identity of the appellant was relatively easily determined once the Security Bureau had the locational information associated with that IP address, since it was trivial for them to determine who had access to the computer in question at the relevant time. There seems little justification for holding that the existence of an additional step (even one out of the hands of the data user) that must occur before the ‘biographical’ level of personal data is revealed somehow strips away the ability of IP address data to be ‘personal data’. Regrettably, the PCPD has not indicated any disagreement with the conclusion of the AAB in Shi Tao, citing it in 2010 in its own document explaining the proper interpretation of the PDPO.[53]

In any event, what we are left with is that the legal status of IP addresses as ‘personal’ data within the meaning of the PDPO is unclear. The jurisprudence provides us with only two somewhat conflicting court decisions, neither of which is from an appellate level court.

It was with this legal background that the Access My Info: Hong Kong (‘AMI:HK’) project was launched in 2016 in the hopes of better understanding generally how data users in the telecommunications sector interpret their obligations regarding a data subject’s access to ‘personal data’ under the PDPO, and specifically whether they consider IP addresses to fall within that concept.

4 An attempt to bring clarity – the AMI:HK project

DPP6 contains a series of ‘access rights’, allowing data subjects to ascertain if a data user holds their personal data, a right to access it within a reasonable time, at a reasonable cost, in a reasonable manner and in an intelligible form, and to correct the data if it is inaccurate.[54] Sections 18–21 of the PDPO provide further detail on the operation of this principle (including exemptions, timeframes, circumstances under which requests for access may legitimately be refused, etc), and the PCPD has published a set of (non-binding) ‘best practice’ procedural guidelines for data users subject to an access request.[55] However, the general way in which the right is framed still leaves great scope for how DPP6 is interpreted in practice. This, combined with the aforementioned uncertainty surrounding the status of IP addresses under Hong Kong law, is a driving force behind the AMI:HK project.

The project provides an easy-to-use web portal allowing Hong Kong residents to submit data access requests in either English or Chinese to eight different mobile phone and internet service providers. It is written in simple language, with an easy-to-use interface, requiring a minimal number of steps. AMI:HK does not act as agent of the data subject, but rather assists them in generating a request that they can then submit via email, or print and submit through the post. At the time of writing, the site had been used to generate 1603 requests.

AMI:HK does not log any user data on the server side; the process is handled on the client side. Participants can request call logs, geolocation data, IP address logs, subscriber info, etc, but cannot make a blanket request for ‘all personal data’, since under both the PDPO[56] and the relevant Guidance Note data users can reject requests that are ‘too general’.[57]

Though the PDPO requires that data access requests be made using a prescribed form,[58] the automated nature of AMI:HK means this form is not used. However, the relevant Guidance Note ‘strongly advises’ data users against denying access requests for such technical reasons;[59] the PCPD also indicated in discussion with project members that they expect recipients of access requests to comply with any request that adheres to the spirit of the form, even if the form itself is not used.

Early responses to access requests made through AMI:HK suggest there is no standardisation amongst telecommunications service providers regarding:

• fees for processing data access requests

• the classification of ‘personal data’

• how to deal with data access requests

• retention periods.

The results also reveal that though providers are aware of and adhere to the PDPO’s guidelines regarding response timelines, the overall process remains extremely lengthy. Most significantly for our purposes, up to the time of writing not a single telecommunications provider presented with a data access request through AMI:HK has provided the IP addresses assigned to the subscriber as part of its response.

While a subsequent paper will provide a full analysis of the results of the project once completed and provide a detailed set of policy recommendations in response, these preliminary results reveal a certain amount of inconsistency amongst Hong Kong’s telecommunications providers regarding their approach to the procedural requirements of DPP6. However, there is no reason to suppose at this stage that any of the eight telecommunications organisations subject to requests through AMI:HK view IP addresses as personal data within the meaning of the PDPO. If this proves accurate as the project continues and IP addresses are not viewed as personal data, then this suggests a need for the PCPD to address a clear gap in Hong Kong’s privacy framework, given the importance of IP addresses to the personal privacy of Hong Kong’s residents.

Conclusion

We are rapidly entering a world of the ‘internet of things’, in which we wear fitness trackers that store our sensitive health information in the cloud, drive internet-enabled cars that maintain logs of our driving habits and destinations, and fill our houses with ‘smart’ devices equipped with cameras and microphones. Together, they can paint an incredibly detailed portrait of our daily lives. They are also subject to the same kind of legal requests identified herein. As this project continues to evolve, it may therefore expand beyond internet and telecommunications service providers to include content providers and internet-enabled hardware manufacturers of all kinds. Given the current results, however, it is reasonable to assume that such an expanded project would reveal essentially the same as we have uncovered so far. The governing law is the same and there is little reason to assume that content providers voluntarily adopt more stringent privacy protections than ISPs and telecommunications providers. What is required, then, is to give proper recognition to IP addresses as a critical piece of the personal data of Hong Kongers. This means reform that goes beyond issuance of a Guidance Note by the PCPD; the protection must become a clear and enforceable part of the PDPO itself. The GDPR offers a model for how this could be done and, in our view, the Hong Kong government would be wise to give serious consideration to similar changes. The PDPO has undergone only one significant amendment since its introduction (a series of reforms in 2012 related primarily to direct marketing), and it is critical that Hong Kong not be saddled with an outdated data protection regime as the rest of the world moves forward.


[*] Assistant Professor, Assistant Dean (Undergraduate Studies), LLB Programme Director, Faculty of Law, the Chinese University of Hong Kong.

[**] Assistant Professor, School of Journalism & Communication, the Chinese University of Hong Kong.

[1] Office of the Privacy Commissioner of Canada, What an IP address can reveal about you (May 2013) <https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2013/ip_201305/>.

[2] Wikipedia logs the IP addresses of all contributors.

[3] Office of the Privacy Commissioner of Canada, above n 1.

[4] Personal Data (Privacy) Ordinance (Hong Kong), cap 486 (‘PDPO’).

[5] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 (‘Data Protection Directive’).

[6] Welcome to Access My Info, Access My Info Hong Kong <https://accessmyinfo.hk>.

[7] Welcome to Access My Info, Access My Info Canada <https://accessmyinfo.org>.

[8] Article 29 Working Party, ‘Opinion 4/2007 on the concept of personal data, 01248/07/EN WP 136’ (Opinion 4/2007, European Union, 20 June 2007).

[9] Article 29 Working Party, ‘Opinion 1/2008 on data protection issues related to search engines, 00737/EN WP 148’ (Opinion 1/2008, European Union, 4 April 2008).

[10] (C-70/10) [2011] ECR I–11959 (24 November 2011) (‘Scarlet Extended’).

[11] Ibid [53].

[12] Ibid [51].

[13] Patrick Breyer v Bundesrepublik Deutschland (Court of Justice of the European Communities (Second Chamber), C-582/14, 16 October 2016).

[14] Ibid [49].

[15] Ibid [47].

[16] Data Protection Directive [1995] OJ L 281/31, recital 26.

[17] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1.

[18] Ibid recital 30.

[19] Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China (‘Basic Law’).

[20] Joint Declaration of the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the People’s Republic of China on the Question of Hong Kong, opened for signature 19 December 1984, [1985] UKTS 26 (entered into force 29 May 1985) (‘Joint Sino-British Declaration’).

[21] See, eg, Democratic Party v Secretary for Justice [2007] 2 HKLRD 807, 819 where Hartmann J argued that ‘Art 30 of the Basic Law does not seek to protect privacy simpliciter’.

[22] International Covenant on Civil and Political Rights, opened for signature 19 December 1966, 999 UNTS 171 (entered into force 23 March 1976) (‘ICCPR’).

[23] Hong Kong Bill of Rights Ordinance (Hong Kong), cap 383 (‘BORO’).

[24] This language mirrors art 17 of the ICCPR.

[25] See Stuart Hargreaves, ‘Data Protection Regimes’ in Christopher Anglim (ed) Privacy Rights in the Digital Age (Grey House Publishing, 2016).

[26] Organisation for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (23 September 1980) <http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm> (‘OECD Guidelines’).

[27] PDPO (Hong Kong), cap 486, s 4; PDPO (Hong Kong), cap 486, sch 1. The six DPPs are the data collection principle, the accuracy and retention principle, the data use principle, the data security principle, the openness principle, and the data access and correction principle.

[28] PDPO (Hong Kong), cap 486, Part 8.

[29] PDPO (Hong Kong), cap 486, s 2(1).

[30] Ibid.

[31] Also referred to as ‘the totality test’: Office of the Privacy Commissioner for Personal Data, Data Protection Principles in the Personal Data (Privacy) Ordinance – from the Privacy Commissioner’s perspective (2nd Edition), (2010) 2.19 <https://www.pcpd.org.hk/tc_chi/publications/files/Perspective_2nd.pdf>.

[32] Telecommunications Ordinance (Hong Kong), cap 106, s 7; see Hong Kong Communications Authority, Guidelines for the Application of Services-Based Operator (‘SBO’) License (5 March 2013) <http://www.coms-auth.hk/filemanager/statement/tc/upload/127/gn32013e.pdf>.

[33] See Hong Kong Communications Authority, Telecommunications Ordinance (Chapter 106) Services-Based Operator Licence (19 May 2016) <http://www.coms-auth.hk/filemanager/common/licensing/SBO_form_conditions_e.pdf>.

[34] The government relied on an earlier version of this licence to deflect a query from a LegCo member as to whether IP addresses constitute personal data under the PDPO: see Constitutional & Mainland Affairs Bureau, ‘LCQ17: IP addresses as personal data’ Constitutional & Mainland Affairs Bureau (Press Release, 3 May 2006) <http://www.info.gov.hk/gia/general/200605/03/P200605030211.htm>.

[35] [2006] 1 HKLRD 255 (‘Cinepoly’).

[36] Such relief, if granted, can compel an innocent third party who has facilitated the perpetration or continuation of wrongdoing by the alleged wrongdoer to comply with a request from an applicant to disclose information that will assist the applicant in their case against the alleged wrongdoer: See Norwich Pharmacal Co & Ors v Commissioners of Customs and Excise [1973] UKHL 6; [1974] AC 133; A Co v C Co [2002] 3 HKLRD 111.

[37] Cinepoly [2006] 1 HKLRD 255, [18]–[19], [24]–[33]. Later the same year, Chan Dep J applied an identical approach and came to the same conclusion in another action for Norwich Pharmacal relief by a group of 10 plaintiff music companies against four ISPs regarding 49 individual subscribers suspected of copyright infringement: Cinepoly v Hong Kong Broadband Network [2006] HKCU 1500.

[38] Cinepoly [2006] 1 HKLRD 255, [41]–[57].

[39] Ibid [78].

[40] Ibid.

[41] Though the applicant was based in the mainland and used a Yahoo! account registered through a Beijing-based Yahoo! subsidiary, YHHK was the legal entity that owned that subsidiary and was therefore responsible for it.

[42] Roderick B Woo, ‘The Disclosure of Email Subscriber’s Personal Data by Email Service Provider to PRC Law Enforcement Agency’ (Report No R07-3619, Office of the Privacy Commissioner for Personal Data, Hong Kong, 14 March 2007) [8.10] <https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/Yahoo_e.pdf>.

[43] Ibid [8.22].

[44] National People’s Congress, 1 July 1979; Ibid [8.25]–[8.26].

[45] Woo, above n 42, [8.38]–[8.40].

[46] Ibid [8.41].

[47] Shi Tao v Privacy Commissioner for Personal Data [2008] 1 HKC 287 (‘Shi Tao’).

[48] Ibid [54].

[49] Ibid [62].

[50] Ibid [63]–[67].

[51] Ibid [71].

[52] Ibid [95].

[53] Office of the Privacy Commissioner for Personal Data, above n 31.

[54] PDPO (Hong Kong), cap 486, sch 1(6).

[55] Privacy Commissioner for Personal Data, Hong Kong, Guidance Note: Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users (June 2016) <https://www.pcpd.org.hk/english/publications/files/DAR_e.pdf>.

[56] PDPO (Hong Kong), cap 486, s 20(3)(b).

[57] Privacy Commissioner for Personal Data, Hong Kong, above n 55.

[58] PDPO (Hong Kong), cap 486, s 20(3).

[59] Ibid.


URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/2017/4.html