Skip to content

Case Notes

Case Notes

This case related to Internet

Case No.:2007A06

Disclosure of email subscriber's personal data by email service provider to PRC law enforcement authority

AAB ruled insufficient evidence that personal data of the Appellant were disclosed by the webmail service provider to the PRC law enforcement authorities and that prescribed consent was given by the Appellant-in the Terms of Service for disclosure "in accordance with legal procedure".

Appellant an email account subscriber in PRC - webmail service provider's operation in PRC provided certain user registration information, IP log-in information and email contents to PRC authorities in compliance with Disclosure Order lawfully issued - DPP3 - personal data disclosed - "data user" - question of control - section 65(2) - extra-territorial application - exemption of "crime" under section 58(1)

The Complaint

The Appellant was a PRC resident and subscriber of webmail service provided by the webmail service provider's operation in the PRC. The Appellant was suspected to have leaked state secret to foreign entity through email message sent, violating the PRC State Secrets law. In compliance with the Data Disclosure Order issued by the PRC authorities to the webmail service provider’s operation in the PRC, information on certain user registration, IP log-in information and email contents were disclosed. The Appellant was subsequently convicted in the PRC. The Appellant lodged a complaint with the Privacy Commissioner on suspected breach of DPP3 and an investigation was carried out under section 38(a) of the Ordinance.

Findings by Privacy Commissioner

The corporate structure of the webmail service provider's business operation was studied. The websites in the PRC and Hong Kong were operated and managed independently of each other, although both were owned by the webmail service provider which is a Hong Kong registered company. The webmail service provider was found to be responsible in its capacity as principal for the acts and practice of its agent under section 65(2) of the Ordinance insofar as the act or practice falls within the jurisdiction of the Ordinance. There was, however, no evidence to show that any of the act of collection, holding, processing and use of the personal data of the Appellant took place in Hong Kong or evidence to show that the Data Disclosure Order was issued to the webmail service provider in Hong Kong.

On the question of whether personal data of the Appellant was disclosed, the Privacy Commissioner formed the view that an IP address alone is a specific machine address assigned to an inanimate computer and it does not per se satisfy the definition of "personal data" under the Ordinance. It is a question of fact whether IP address together with other identifying particulars constitutes "personal data". Apart from the Verdict given by the court confirming that the account holder information pertaining to the IP address was furnished by the webmail service provider, there was no other evidence available to show that personal data of the Appellant were indeed being disclosed. Since the email message in question was sent by alias, the email address itself did not reveal the identity of the Appellant and there was no evidence to show that the Appellant registered his email account using his real name, it was unsafe to conclude that personal data of the Appellant were disclosed by the webmail service provider. Hence, the Privacy Commissioner found insufficient evidence of contravention of DPP3.

In view of the public concerns aroused by the incident, the Privacy Commissioner proceeded to examine further the case assuming that personal data of the Appellant were disclosed. The circumstances for disclosure were considered and the Privacy Commissioner found that disclosure of the information in question by the webmail service provider's operation in the PRC was compelled under lawful order issued by the PRC authorities and sanction attaches on non-compliance. The Privacy Commissioner formed the view that control, if any, was lost and vitiated under compulsion of law. As such, the webmail service provider did not meet the definition of "data user" who shall be one who "controls the collection, holding, processing or use of the data". The Ordinance does not confer extra-territorial application and so the territorial principle should be applied in construing the provisions of the Ordinance. Since none of the connecting factors to attract jurisdiction is found to exist, the Privacy Commissioner found the act or practice in question outside the purview of the Ordinance.

Assuming that the Ordinance has jurisdiction, in determining whether the use of the personal data contravened DPP3, the Privacy Commissioner was of the view that compliance with statutory requirement was "use" for a purpose consistent with the purpose of collection under DPP3. Since the webmail service provider's operation in the PRC was obliged to comply with the PRC law, the disclosure of the information in question was consistent with DPP3. Lastly, the Privacy Commissioner has also considered the applicability of the exemption provision under section 58(1) of the Ordinance and formed the view that the word, "crime" and "offenders" should be narrowly construed to mean Hong Kong crime and may be extended to cover those crimes to which the Mutual Legal Assistance in Criminal Matters Ordinance, Cap 525 applies. Dissatisfied with the Privacy Commissioner's findings, the Appellant appealed to the AAB.

The appeal

The Board addressed the four grounds of appeal raised by the Appellant as follows:

Whether IP address together with other information disclosed constituted "personal data" of the Appellant

The Board found insufficient evidence to conclude that “personal data” of the Appellant was disclosed having regard to the facts that (i) the Verdict did not indicate that the corresponding user information of the IP address belonged to the Appellant or revealed his identity, address of a business rather than an individual's address was provided to the PRC authorities; (ii) there is no guarantee that information provided by email service subscribers is genuine; (iii) the user name of the Email Account was not in the name of the Appellant; and (iv) the email was sent under an alias, not revealing the true identity of the Appellant. The Appellant failed to discharge the burden of proof to put forward credible evidence that the registration information held in the hands of the PRC authorities disclosed his personal data.

Whether the webmail service provider a "data user" at the material time

Premised on the facts that the business operator in the PRC was the agent of the webmail service provider, the latter had control over the relevant information. The Board took the view that even if the disclosure was made under compulsion of law, it did not and could not "vitiate" their control given that the webmail service provider had chosen to disclose the information. The Board ruled that the webmail service provider was a "data user" defined under the Ordinance.

Whether the Ordinance has extra-territorial application

Upon the finding that the webmail service provider was a "data user", the Board found it unnecessary to come to any view on whether the Ordinance has any extra-territorial application.

Whether there was breach of DPP3

The Board took the view that "prescribed consent" was given by the Appellant through the Terms of Service to authorize the disclosure by the webmail service provider "in accordance with legal procedure".

The Board did not agree with the Privacy Commissioner's view that compliance with statutory requirement on disclosure of personal data should be regarded as a use for a purpose consistent with the purpose of collection under DPP3. The Board was of the view that "disclosure of personal information to public prosecution authorities could not be considered to be a "use" of the information intended by the parties when the information was collected".

On the question of applicability of section 58 exemption and the interpretation of the word, "crime", the Board agreed that the crime committed by the Appellant in the PRC did not amount to a crime under the laws of Hong Kong.

AAB's decision

The appeal was dismissed.

[N.B. For full version of the investigation report issued by the Privacy Commissioner and the decision given by the AAB, they can be downloaded at http://www.pcpd.org.hk/english/publications/files/Yahoo_e.pdf and http://www.pcpd.org.hk/english/publications/files/Appeal_Yahoo.pdf respectively.]


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :