Our release on 13 August 2013 of the report on the investigation into the smartphone app "Do No Evil" ("DNE") has generated a great deal of feedback, in particular from some members of the Information & Communication Technology ("ICT") industry.
This is understandable as the case brings out a very important point, namely, the use of personal data collected from the public domain is subject to the Use Limitation Principle under the Personal Data (Privacy) Ordinance (the "Ordinance").
Display of an art piece in the public does not mean the author agrees to its unrestricted copying. The underlying legal concept, namely, intellectual property right, is now commonly accepted. In contrast, the right to personal data privacy is relatively new and it falls on our shoulders to enforce the Ordinance and promote compliance with its provisions.
In the past two months therefore, I have devoted a great deal of efforts in explaining the legal points behind the DNE case and responding to queries. For example, I have contributed articles to two major local newspapers and the Hong Kong Lawyer.
On two occasions, at the request of the media, I participated in a face-to-face interactive dialogue with Legislative Councillor (IT) Mr Charles Mok and the reports capture well the salient points of our discussion.
http://hk.apple.nextmedia.com/news/art/20130824/18392615
Further, our latest newsletter runs a cover story on this subject, together with ten sets of FAQs.
I note that Mr Mok and the Wireless Technology Industry Association ("WTIA") had conducted an online survey to collect industry opinion on this subject, and announced the results late last week, namely, over 60% of the respondents disagreed with our handling of the DNE case.
With respect, the survey is inherently defective. The sample size of 128 respondents calls in question the representativeness of the survey. The questionnaire assumes the respondents have a thorough understanding of the legal and factual analysis of the DNE case and there were leading questions which suggest answers; as such they threaten validity.
As always, my decision on complaint cases is based on evidence and legal grounds. The survey, however, did not address our arguments which led to the conclusion of the case.
We are a regulator tasked with adjudication of complaints of privacy intrusion. A decision in favour of one party is almost certainly the other party’s source of dissatisfaction.
Hence we are used to receiving adverse feedback from either of the two parties involved and whose interests may have been jeopardised as a result of our determination. The formal channel for the party who would like to dispute our determination is to lodge an appeal with the Administrative Appeal Board. The results of an industry opinion survey, even if they are statistically valid, serve little useful purpose in this regard.
It was alleged that our determination on the DNE case served to stifle technology innovation, dampen the development of the creative industries and in particular, the SMEs. This is an over-statement. Every case has to be determined on its own merits.
Privacy is a fundamental human right but it is not an absolute right. It has to be balanced against other rights and public and social interests. The exemptions in Part VIII of the Ordinance reflect the existing balance. If any sector really feels strongly about being regulated on their use of public domain personal data, they could always lobby for amendment of the Ordinance by introducing appropriate additional exemptions. Until that is achieved, the bottom line for any business, regardless of its size and nature of business, must be to comply with the existing law.
I have great admiration for the ICT industry as its efforts improve our lives and enhance business efficiency. Many ICT professional associations are mindful of the importance of privacy and data protection, and have invited us to speak on the subject to their members on numerous occasions. The seminars of the Hong Kong Association of Interactive Marketing are worth noting here. Further, I am very pleased that the Hong Kong Computer Society on its own initiative compiled in 2012 a Practical Guide for IT Managers and Professionals on the Personal Data (Privacy) Ordinance. I am also grateful that the iProA has assisted us for over two years in providing public seminars on privacy protection in the use of ICT.
I welcome the opportunity to promote in the ICT sector awareness and understanding, and compliance with the Ordinance. I believe communication can allay worries and doubts.
Indeed, we participated in a seminar specially arranged by Mr Mok on 30 August 2013 for ICT practitioners, in which we explained the legal requirements highlighted in the DNE case and answered queries raised by the participants. Regrettably, the turnout was low. We will be organising another seminar on this topic in January 2014, in an attempt to reach out to more people concerned with the issue.
I sincerely hope that WTIA would share our mission to protect privacy: a fundamental human right under the law. I also hope that Mr Mok could wear his other hat as the founding member of Hong Kong Human Rights Monitor and sympathise more with those persons whose privacy have been or could potentially be intruded.
On our part, we will continue to enforce the Ordinance without fear or favour; and promote compliance with the Ordinance by engagement with the industries and the general public.