The complainant was a subscriber of electronic financial information service provided by a company ("the Company") through its website. When the complainant subscribed the service, he provided the Company with an e-mail address, xyz@xxx.com.hk ("xyz" being the complainant's initials). The complainant thereafter received numerous SPAM e-mails at the said e-mail address. Having learned from the media that the Company's system had been infiltrated by hackers, the complainant alleged that the Company had failed to protect his personal information. The complainant therefore lodged a complaint with the Privacy Commissioner alleging that the Company had breached Data Protection Principle 4 ("DPP4") of the Ordinance.
Subscribe service through the Company's website - provide an e-mail address to the Company - receive SPAM e-mails at the e-mail address - media reported that the Company's system had been infiltrated by hackers - whether the Company has failed to protect the complainant's personal data and breached DPP4 - Section 39(2)(d), meaning of personal data and DPP4 of the Ordinance
The Complaint
The complainant was a subscriber of electronic financial information service provided by the Company through its website. In applying for the service, the complainant provided the Company with his e-mail address, xyz@xxx.com.hk ("xyz" being the complainant's initials). The complainant thereafter received numerous SPAM e-mails at the e-mail address. Having learned from a newspaper that the Company's system had been infiltrated by hackers, the complainant complained that the Company had failed to take all practical steps to protect his personal data, i.e., the e-mail address against unauthorized or accidental access by spammers and thus contravening DPP 4 of the Ordinance.
Findings by Privacy Commissioner
The Privacy Commissioner took the view that the complainant's e-mail address did not constitute "personal data" within the meaning of the Ordinance as the complainant's identity could not be ascertained from the e-mail address alone and that there was no evidence showing that his personal data had been leaked to the spammers by the Company’s website. In view of the aforesaid, the Privacy Commissioner refused to carry out an investigation, as there was no prima facie case of a contravention of the Ordinance under Section 39(2)(d) of the Ordinance. The complainant appealed against the Privacy Commissioner's decision.
The Appeal
There was no dispute that the SPAM e-mails received through the complainant's e-mail address contained no information concerning the identity of the complainant. There was no evidence that other than the use of the designated e-mail address, there had been any unauthorized use of the complainant's personal information or information which would have revealed the complainant's identity. The Administrative Appeals Board ("AAB") did not preclude the possibility that an e-mail address, in some circumstance, could be personal data where it would be reasonably practicable, whether because of the information revealed in the e-mail address itself or in conjunction with other information, for the identity of an individual to be ascertained from such an address. However, in this case, AAB did not accept that the complainant's identity could reasonably be ascertained from the e-mail address notwithstanding the fact that the prefix of the address "xyz" corresponded to the complainant's initials. In absence of any other evidence, AAB took the view that there was nothing to indicate that a contravention by the Company of DPP4 had occurred.
The AAB Decision
The appeal was dismissed.
uploaded on web in April 2009