1. Whilst it would not be appropriate for us to express our views on individual cases or a specific practice without the details of the facts and specific circumstances, staging an exhibition of this nature and functions may generally raise concerns about personal data privacy risks which are regulated under the Personal Data (Privacy) Ordinance in Hong Kong (the “Ordinance”).
2. Under the Ordinance, “personal data” is defined as any data which relates to a living person and can identify that person. The data exists in a form in which access to or processing is practicable. Apart from written documents, data in other forms such as video or visual image are also covered under the Ordinance.
3. Under the Ordinance, “data user” is also defined as a person, who either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
4. Moreover, if it is not possible for one to ascertain the identity of the person from the footages, it may not amount to “personal data” as defined and therefore not regulated under the Ordinance.
5. It appears that webcam users’ footage would be exposed without their knowledge and open up a backdoor for malicious use. Where collection of the personal data is involved:
a) the artist (i.e. the data user) must comply with the requirements under the Ordinance including the six Data Protection Principles (“DPPs”) which regulate data users who control the collection, holding, processing or use of personal data. According to case law, there is no collection of personal data by a party unless that party is thereby compiling information about an identified person or about a person whom it seeks or intends to identify. The data protection principles will not be applicable if no collection of personal data is involved;
b) webcam manufacturers who satisfy the definition of “data users” (see paragraph 3 above) are also required to observe the requirements under the Ordinance including the six DPPs.
6. If a person suspects that his privacy rights relating to personal data are being encroached or abused, he should first raise his concern with the individuals / organisations concerned. If he is dissatisfied with their response, he can then lodge a complaint with the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”). Upon receipt of the complaints, the PCPD will take appropriate follow up action. If there is a prima facie case, the PCPD may initiate a formal investigation to decide if there is contravention of the Ordinance.
7. In respect of relevant offences and compensation under the Ordinance:
a) The Privacy Commissioner may serve an enforcement notice on the data user who contravenes a DPP in order to remedy the contravention and to prevent its recurrence, and it is an offence for the data user not to comply with the enforcement notice. The offence attracts a fine of HK$50,000 and imprisonment for two years and, in the case of a continuing offence, a daily fine of HK$1,000.
b) Section 64 of the Ordinance stipulates that a person commits a criminal offence if he/she discloses any personal data of a data subject which was obtained from a data user without the latter’s consent and with an intent to (i) obtain gain for himself/herself or another person, or (ii) cause loss to the data subject. It is also an offence if the unauthorised disclosure causes psychological harm to the data subject. The maximum penalty for the offence is a fine of HK$1,000,000 and imprisonment of 5 years.
8. We note that the artist and the subsequent disclosure of the images are outside the jurisdiction of Hong Kong, the Ordinance does not apply. Nevertheless, as Hong Kong or her citizens appear to be involved or depicted in the images, the PCPD may consider referring appropriate cases to overseas data protection authorities for follow-up actions pursuant to international cooperation arrangements. The PCPD will continue to keep track of the development and take necessary action where appropriate.
The Privacy Commissioner for Personal Data, Hong Kong (the “Privacy Commissioner”), Mr Stephen Kai-yi WONG, would also like to remind users of Internet-connected devices to stay smart as “data protection is in your hands”, and provides the following general tips on protecting their own personal data:
For those data users that control the collection, holding, processing or use of the personal data, they shall comply with the requirements under the Ordinance, including the six DPPs, in particular:
The Privacy Commissioner issued the “Guidance on CCTV Surveillance and Use of Drones” which offers advice to data users (both organisational and individual data users) on determining whether CCTV should be used in given circumstances and how to use CCTV responsibly. The “Guidance on Use of Personal Data Obtained from the Public Domain” was also issued to assist data users to comply with the requirements under the Personal Data (Privacy) Ordinance (the “Ordinance”) when collecting and using personal data from the public domain. Members of the public can visit our website (www.PCPD.org.hk) to get more practical tips on protecting personal data.
(The above reply can be attributed to the Mr Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong)