Today marks the end of my 5-year tenure as Privacy Commissioner for Personal Data. Farewells are never easy but perhaps I can do it by making these last words a simple reminder of who we are, where we have been and what the future holds.
The privacy landscape
It has been a trying time since I took over the post in August 2010 when the infamous Octopus incident created a public furore and the investigation into the privacy intrusions in question was only partially completed.
The privacy landscape has been rapidly evolving and expanding with two distinctive features. Firstly, major privacy intrusion events that happened locally (like the Octopus case in 2010) and internationally (like the Snowden revelations in 2013) have led to heightened consumer and organizational awareness and understanding of their respective privacy rights and obligations in relation to personal data. Secondly, the pervasive use of new information and communications technologies (ICTs) in today's digital society has enabled the collection and use of personal data with phenomenal ease and efficiency. Whilst creating economic and societal values, it also poses immense risks to privacy and raises serious concerns about the protection of personal data.
Privacy issues are controversial by nature
Privacy issues are controversial by nature, as exemplified by a number of high profile privacy complaint cases and issues that cropped up in recent years.
One example is my determination in 2012 regarding complaints by three TV artistes against two gossip magazines about the use of systematic surveillance and telescopic lens photography to take clandestine photographs of the artistes' daily lives and intimate acts inside their private residences over a prolonged period1. It touched on the delicate balance between freedom of the press and the right to privacy.
Another example involved my investigation in 2013 into the operation of a smartphone application which enabled subscribers to search the bankruptcy and litigation records of target individuals by name2. The data was compiled based on public records and I took the opportunity to dispel the common misunderstanding that personal data available in the public domain may be used and re-used indiscriminately and without appropriate safeguards. Although the app operation was ceased in compliance with our enforcement notice, some people in the ICT sector had expressed concerns that protection of privacy interest could hinder technology advances.
More recently, we made an appeal to the government for adopting a more proactive approach in introducing legislative and administrative measures to safeguard against misuse of personal data in public registers3. This was immediately opposed by a journalists association on the ground that it conflicts with freedom of expression, freedom of the press and government transparency4, albeit we are only against misuse (not legitimate use) of personal data (not all government data).
Balance between privacy right and other rights and interests
As I have emphasised on many occasions, we are not promoting privacy as an absolute right. Given a situation, we have to seek a balance between privacy and other rights and interests, including freedom of expression and of the press. These rights are of equal value in a civil society and none has pre-eminence over others.
I believe that if we try hard, compromise solutions could be found to accommodate both legitimate use of personal data and protection against misuse. The balancing act should not be a win-lose exercise. However, if stakeholders anchor themselves fast to polarised positions and are not prepared to seek middle ground, the Government, which has to make the final call in many instances such as initiating legislation, is likely to maintain the status quo on the ground that no societal consensus could be reached. Regrettably, this was exactly what happened when we addressed issues like restricting (not prohibiting) access to company directors' full residential address and identification document numbers, as well as stalking5.
This extremist approach may not be conducive to the healthy development of a civil society. More often than not, the privacy concerns of many people will remain unaddressed. They could well represent the silent majority who do not sufficiently understand the underlying privacy risks6 and, even if they do, seldom speak out to protect their privacy interests7.
Statutory independency of the Privacy Commissioner
In the circumstances, the Privacy Commissioner's advocacy and enforcement roles in privacy and data protection are imperative. In this regard, Hong Kong is fortunate that the Personal Data (Privacy) Ordinance provides for the Privacy Commissioner to operate independently as a statutory authority.
The Privacy Commissioner is appointed by the Chief Executive for a term of 5 years but the appointee can only be removed from office by the Chief Executive by a resolution of the Legislative Council on the grounds of either inability to perform or misbehaviour8. With this security of tenure, the appointee is in a good position to exercise his statutory functions impartially and without fear or favour.
I trust this exposition helps to emphasise the independent status of the Privacy Commissioner and clear up the misunderstanding held by many people that the Privacy Commissioner, whose activities are principally funded by the government, is part of government and has to report to or seek endorsement from designated authorities in the government hierarchy.
Inadequate privacy protection has a chilling effect on freedom of expression
It is not uncommon for people to think that privacy is always at odds with freedom of expression. This is not true. Both rights should be cherished as they complement each other in building a free and democratic society.
Privacy provides both the boundaries of and protection for the space in which we can be ourselves. Privacy nurtures self-expression, creativity, speaking your mind, associating with whomever you wish, and pursuing your interests. Privacy is not about hiding something; it is about having something to live for.
Hong Kong has witnessed in recent months prominent examples which illustrate that if privacy is not well protected, free speech would be hindered.
In one case, some students expressed their views on political reforms during an interview conducted by the Federation of Hong Kong Guangxi Community Organisations for selection of students to join an overseas study tour. They were cyber-bullied after the interview was uploaded to YouTube.
In the worst case scenario of insufficient protection of privacy, we may exercise restraint when we participate in society at large and adapt our behaviour both online and offline. This will jeopardise the very foundation for an open and healthy democracy.
Privacy is more than legal compliance
After five years of dedicated work on safeguarding privacy and protecting data, my takeaway is that this is definitely not a mere legal job.
The Privacy Commissioner is a multi-disciplinary job and I do not believe anyone has the time and the opportunity to get himself fully qualified in all the relevant disciplines like management, public administration, ICT, public relations, law and so on and so forth. At any rate, the Privacy Commissioner does not operate all by himself. It is incumbent upon him to form a professional team with all the necessary expertise, knowledge and experience; and to lead and motivate members of the team to perform efficiently and effectively.
I have the greatest respect for lawyers and I have relied a lot on my legal team in the discharge of my statutory duties. At the same time, I am convinced that privacy and data protection cannot be managed effectively by organisations and regulators if they are merely treated as a legal and compliance issue, with little or no involvement of the organisations' top management.
The law provides the minimum standards of privacy protection which may not meet the expectation of the consumer. A more effective response in this era of Big Data and rising public expectation for privacy protection is to be proactive and preventative, rather than reactive and remedial. Organisations should embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a top-down business imperative throughout the organisation. A strategic shift from compliance to accountability is required9. This entails the adoption of holistic and encompassing privacy management programmes that ensure robust privacy policies and procedures are in place and implemented for all business practices, operational processes, as well as product and service design.
Not coincidentally therefore, I have published a great number of investigation reports during my tenure which invariably received widespread media coverage and entailed serious public discussion. The reports serve to invoke the sanction and discipline of public scrutiny and discourage non-compliant behaviour on the part of the organisations involved in the investigations as well as other organisations facing similar data-protection issues. The effect is particularly pronounced with the adoption since June 2011 of a policy of naming the organisation responsible for the privacy breach, thus ensuring that top management is involved in preventing and remedying the breach.
In parallel, I have convinced the Government, together with 25 companies from the insurance sector, nine companies from the telecommunications sector and five organisations from other sectors, to pledge to implement privacy management programmes so as to win the trust of citizens or customers. The Hong Kong Association of Banks also indicated that the banking industry supports this initiative.
Privacy protection as a competitive advantage
In this age of rapid technological advances, the technological hare is outrunning the regulatory tortoise. Indeed under the Personal Data (Privacy) Ordinance the technology providers may simply be data processors rather than data users and hence not subject to our direct regulation. It is therefore all the more important for us to appeal to them that as responsible corporate citizens, they should not be complacent with just compliance with legal requirements. Ultimately, customer attitudes and preferences will determine the success or failure of a product or service and the details of its offerings. Hence technology providers should be committed to building privacy and data protection into their products and services so as to meet the privacy expectations of customers and win their trust and loyalty.
It is encouraging to note that some technology giants are indeed adopting privacy protection as a competitive advantage, thus ensuring transparency, fair process and accountability in their business strategies and corporate policies10.
Concluding remarks
My tenure for the past 5 years has been an extraordinary experience that is both professionally and personally rewarding. I am proud to have been part of the mission to safeguard privacy and protect personal data, and to have made my own modest contribution.
As the head of the global legal team of a technology giant said when he bid me farewell, our mission is "noble and eternally-challenging" and we have "filled the big shoes of (our) role with aplomb and impact".
I would like to take this opportunity to express my deep gratitude to all stakeholders and privacy advocates for their understanding and support. I hasten to say that I am greatly indebted to my team for its exemplary dedication and hard work. I trust that despite the change in leadership, the passion of all team members will fuel continued progress and overcome the challenges ahead.
1 See our media statement and investigation report at www.pcpd.org.hk/english/news_events/media_statements/press_20120328.html
2 See our media statement dated 13 August 2013 and investigation report at www.pcpd.org.hk/english/news_events/media_statements/press_20130813.html
3 See our media statement at www.pcpd.org.hk/english/news_events/media_statements/press_20150728a.html
4 See media statement of Hong Kong Journalists Association dated 28 July 2015 at www.hkja.org.hk/site/portal/Site.aspx?id=A1-1380&lang=en-US
5 The government shelved legislative proposals to control access to company directors' personal data (see our media statement at www.pcpd.org.hk/english/news_events/media_statements/press_20130402.html) and to address the privacy risks of stalking (see my blog at www.pcpd.org.hk/english/news_events/commissioners_message/blog_13062014.html)
6 One of the major reasons is that with the free flow of information in an interconnected world, it is difficult if not impossible for the enforcement agencies and the aggrieved persons to establish the causal link between the disclosure of personal data by the data subject and the subsequent mishap that causes harm to him or her.
7 Our recent public attitude survey indicated that 46% of respondents had experienced misuse of their personal data in the past 12 months but only 11% of the aggrieved persons had lodged a complaint (see www.pcpd.org.hk/english/news_events/media_statements/press_20150728b.html)
8 Section 5 of the Personal Data (Privacy) Ordinance
9 For an exposition of this accountability concept, see my articles in Momentum and the Journal of the Hong Kong Institute of Chartered Secretaries at www.pcpd.org.hk/english/news_events/speech/files/2014_momentum.pdf and www.pcpd.org.hk/english/news_events/speech/files/201406_csj.pdf respectively
10 For example, Erin Egan, Global Chief Privacy Officer of Facebook has said, "Protecting people's information and providing meaningful privacy controls are at the core of everything we do." Similarly, Apple's CEO Tim Cook has said, "At Apple, we believe a great customer experience shouldn't come at the expense of your privacy."