Speeches, Presentations & Articles

Date: 9-11 September 2002

A Short Paper on
Data Protection, Freedom of Expression
and Freedom of Information
- Conflicting Principles or Complementary Rights?

presented by

Raymond Tang
Privacy Commissioner for Personal Data, Hong Kong SAR

at Workshop 8 of the
24th International Conference of Data Protection
and Privacy Commissioners


9 - 11 September 2002 ~ Cardiff, Wales


1 POSITION TAKEN

I would like to address the proposition put by drawing upon the experience of the Office of the Privacy Commissioner for Personal Data in Hong Kong ("the PCPD"). I want to develop that learning and supplement it with the findings of research we undertake annually into community perceptions of personal data privacy. In addressing the issue that I have been asked to speak to - the case for separate regulation of privacy and freedom of information - I am merely seeking to offer a contrarian view for the purpose of prompting debate. I am fully aware that a growing number of jurisdictions have combined the statutory regulation of data privacy and freedom of information ("FoI") and, no doubt, others are actively weighing the arguments for so doing. I would not therefore wish to convey the impression that I am engaged in some didactic endeavour designed to preach a moral sermon to those of you in the audience that operate a combined regime.

I should perhaps state at the outset that I am a firm believer in contextualism. My honest opinion is that either of the two models proposed may be perfectly tenable in a given context. It is the substance of that context that determines the extent to which either model is appropriate and efficacious in terms of the needs of a particular jurisdiction. In truth therefore I have an open mind about the proposition and can see merits in both systems. However, my task today is to convey to you the virtues of distinctly separate regulatory authorities to deal with data privacy and freedom of information. I feel rather more comfortable in adopting this stance because in Hong Kong there is no FoI legislation and consequently no commissioner to represent that interest.

That the citizens of Hong Kong take their personal data privacy rights seriously is in no doubt. They are also increasingly prepared to exercise those rights. The evidence for this is in the rapid increase in caseloads, notably over the past 3 years, for those of our staff in the Operations Department.

At this point I can only speculate on what would happen if a proposal to merge the statutory powers I have in relation to personal data privacy were extended to include FoI powers. Initially I think that, in Hong Kong, confusion would prevail. That confusion would emanate from perhaps the rather simplistic, yet attractive notion that no man/woman can serve two masters. I am also fairly sure that those members of our Legislative Council that are generally pro-privacy, would raise, and want to debate at length, the prospect of a conflict of interest [1].

Why do I think that confusion would be likely to prevail? My explanation draws upon two observations which compound one another. First, I think that ignorance around FoI (or, at least, a lack of understanding of the subject) would be a substantial barrier to disseminating the essential message. I will return to this point later. Secondly, I think that currently there is no general sense that there is a need for FoI legislation. I cannot recall any recent media story of substance on the subject. If my impression is correct, I question whether it is the Administration's role to assume responsibility for creating that need and then servicing it. Thirdly, I think that we would have a perceptual problem on our hands built upon the view that there is an essential contradiction in one commissioner assuming the role of arbiter between two different sets of values that could come into conflict with one another.

Before developing my arguments further I think it would be beneficial, given the international flavour of this conference, to offer some background to personal data privacy, freedom of expression and FoI in Hong Kong.

[1] Coincidentally we are currently confronting this very issue in seeking to deal with calls from the financial sector to allow the sharing of positive credit data. The carefully constructed proposals and safeguards, which are intended to assist financial institutions to access positive credit data for credit reporting and scoring purposes and on which views are being sought in a public consultation exercise launched by the PCPD, are seen by some as a diminution of the personal data privacy interests of the individual. Striking a balance between those interests and the wider public interest has been no mean feat.



 

2 THE LEGAL BACKGROUND TO PERSONAL DATA PRIVACY, FREEDOM OF EXPRESSION AND FoI IN HONG KONG

PERSONAL DATA PRIVACY

In 1992-1993 the Law Reform Commission's ("the LRC") sub-committee on privacy began to research the issues associated with personal data privacy in Hong Kong. At that time FoI, though touched upon by the members of the committee, was not given serious consideration. The outcome of the LRC's discussions was a recommendation that Hong Kong draft personal data privacy legislation. This recommendation was accepted by the then Administration and in 1994 Hong Kong opted for a legislative approach to personal data privacy that consisted of a statutory framework and regulatory mechanism. The Personal Data (Privacy) Ordinance ("the PD(P)O") was enacted in 1995 and took effect in December 1996. The primary purposes of the PD(P)O were to protect the individual's personal data privacy rights and to safeguard the free flow of personal data to Hong Kong from restrictions by countries that already had data protection laws in place. In effect the PCPD has become the leading advocate and defender of personal data privacy rights in Hong Kong as distinct from any rights that may be associated with FoI.

The PD(P)O is a comprehensive piece of privacy legislation that has been instrumental in raising the profile of privacy in the community from it being an item of curiosity, to a human right that is valued. Over the past 5 years or so, the independently commissioned research that the PCPD has undertaken indicates that the community has come to regard privacy as a social policy of importance ranked third out of seven policy portfolios behind unemployment and air pollution (please refer to Figure 1).
 

 

The perceived benefits are not exclusively in favour of the data subject. The same research indicates data users hold positive attitudes towards the long-term benefits to be obtained from compliance with the provisions of the PD(P)O (please refer to Figure 2).
 

 

Without wishing to sound too self-serving I am gratified to see that our combined endeavours have been able to achieve these sorts of outcomes in the relatively short life of the PCPD to date.

The notion of privacy is also given legal force in Hong Kong by virtue of the SAR's obligation under several international covenants:

Universal Declaration of Human Rights (UN 1948) ~ Article 12

'No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.'

European Convention on Human Rights ~ Council of Europe 1950 ~ Article 8
  1. 'Everyone has the right to respect for his private and family life, his home and his correspondence.'
     
  2. 'There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedoms of others.'

International Covenant on Civil and Political Rights ~ (UN 1976) ~ Article 17

  1. 'No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.'
     
  2. 'Everyone has the right to the protection of the law against such interference or attacks.'

The letter and spirit of these international covenants is also enshrined in HKSAR legislation, and, as part of our municipal laws, given legal effect.

Hong Kong Bill of Rights Ordinance (1991) ~ Article 14
Protection of privacy, family, home, correspondence, honour and reputation.

  1. 'No one shall be subjected to arbitrary or unlawful interference with his privacy, home or correspondence, nor to unlawful attacks on his honour and reputation.'

  2. 'Everyone has the right to the protection of the law against such interference or attacks.'

Basic Law of the HKSAR ~ Articles 30 and 39

Article 30

'The freedom and privacy of communication of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communication of residents except that the relevant authorities may inspect communication in accordance with legal procedures to meet the needs of public security or of investigation into criminal offences.'

Article 39

'The provisions of the International Covenant on Civil and Political Rights, the International Covenant on Economic, Social and Cultural Rights, and the international labour conventions as applied to Hong Kong shall remain in force and shall be implemented through the laws of the Hong Kong Special Administrative Region.

The rights and freedoms enjoyed by Hong Kong residents shall not be restricted unless as prescribed by law. Such restrictions shall not contravene the provisions of the preceding paragraph of this Article.'

There can be little doubt therefore that privacy is a value that has been internalised by the citizens of Hong Kong and institutionalised by the government of the HKSAR, most obviously in the Office of the Privacy Commissioner for Personal Data.

FREEDOM OF OPINION AND EXPRESSION

These fundamental freedoms are addressed in the following articles.

Hong Kong Bill of Rights Ordinance (1991) ~ Article 16

  1. Everyone shall have the right to hold opinions without interference.
     
  2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, or in writing or in print, in the form of art, or through any other media of his choice.
     
  3. The exercise of the rights provided for in paragraph (2) of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary -

    a) for the respect of the rights and reputations of others; or

    b) for the protection of national security or of public order, or of public health or morals.

The Basic Law of the HKSAR ~ Article 27

Hong Kong residents shall have freedom of speech, of the press and of publication; freedom of association, of assembly, of procession and of demonstration; and the right and freedom to form and join trade unions, and to strike.

FREEDOM OF INFORMATION

As mentioned previously there is no FoI legislation in the HKSAR, which may explain why it is neither a burning issue nor a very visible one. More to the point I do not foresee, in the short to medium term at least, that that will change. Why? Primarily because the calls for FoI are sporadic and usually from interest groups that have, so far, been unable to attain the critical mass necessary to convince the Hong Kong SAR government of the benefits of drafting such legislation.

One result of the occasional and somewhat fragmented calls for FoI legislation is, I would venture to suggest, that the lay person is generally unaware of FoI or what it means in tangible terms, and, therefore, unable to relate the attributes of FoI to benefits that could be brought to the individual. To that extent FoI has not captured the imagination of the masses; at the grass roots level it is something of a nebulous concept. Another explanation for this indifference may be that democracy, in the sense of the comprehensive set of values and freedoms usually associated with it, is of fledgling status in Hong Kong.

Nonetheless in 1995 the Administration of the day launched a Code of Access to Information ("the Code") that was no doubt predicated on the belief that the availability of information is both an index and function of good government. At that time openness and transparency became something of a mantra among those management consultants charged with reinventing government and making it more accountable. Policy on freedom of information was accordingly made the subject of an administrative function, underpinned by a review and complaints handling procedure. By the end of 1996 all Government departments were covered by the Code.

The essential governing principle is that the Government will make available information that it holds, unless there are valid reasons for not doing so. Interestingly, the Code does address some personal data privacy issues. For example paragraph 2.15 of the Code is titled Privacy of the Individual and the subject dealt with in the following manner:

Information which may be refused

2.1 A department may refuse to disclose information, or may refuse to confirm or deny the existence of information, in the categories and for the reasons set out below, which will normally be referred to if a request is refused.

Privacy of the individual

2.15 'Information about any person (including a deceased person) other than to the subject of the information, or other appropriate person, unless -

a) such disclosure is consistent with the purposes for which the information was collected, or

b) the subject of the information, or other appropriate person, has given consent to its disclosure, or

c) disclosure is authorised by law, or

d) the public interest in disclosure outweighs any harm or prejudice that would result.'

In re-reading this provision it appears to me that those responsible for drafting the Code were sufficiently aware of privacy to be able to incorporate some safeguards into the text of it. Although they were operating under a remit to deliver greater transparency there was at least an awareness of the requirement to strike a balance between openness and the need to protect public and private rights, and personal and commercial privacy.

The Code allows for the refusal of a request for information or a refusal to confirm or deny the existence of information in categories such as defence and security, law enforcement and improper gain or advantage. The right to refusal in such categories is determined by submitting the request to a "harm" or "prejudice" test, which covers both actual harm and prejudice and the reasonable expectation of harm and prejudice. Where a government department withholds information it is expected to consider whether the public interest in disclosure of information outweighs any harm or prejudice that may result.

The Code allows for an independent Ombudsman to review any government department's decision to refuse to disclose information. However, from March 1995 to March 2002, only twenty-six complaints had been lodged with the Ombudsman. Two cases were considered to have withheld information without sufficient justification.

3 THE MERGING OF VALUES AND REGULATORY MECHANISMS ~ SOME ISSUES

The generic term 'human rights' assumes different dimensions which are complementary in nature and give rise to a certain 'wholeness'. Of course that 'wholeness' is subject to change and privacy is a relatively recent addition to the human rights afforded to the individual. However, it is clear from the reporting of alleged abuses of human rights that codifying them in international covenants, though symbolically important, is very distinct from ensuring that they are adequately protected on a day-to-day basis. For that to happen there must be political will, appropriate legislation and an effective regulatory mechanism. An effective regulatory mechanism is one that commands the respect of the community and is impartial and equitable in enforcing human rights legislation. It is for that reason that I would adopt the stance that the merging of regulatory functions needs to be subjected to something akin to a feasibility study. Only if functions are seen to be complementary, rather than in conflict, can the marriage work. Whether that is the case is dependent, to my mind, upon something I have already alluded to, public perception.

Allow me to try to examine this a little more closely. Clearly there are some commonalities between personal data protection, freedom of expression and FoI. However, although the personal rights arising from the three sets of values may be complementary, within the overall context of human rights, their expression, in terms of the benefits to be derived from these rights by the individual, can only be achieved if the legislative structure and regulatory framework underpinning them are seen to be equitable. That perception is likely to be influenced by perceptions of the mechanism's efficacy, efficiency, transparency and accountability. However, perhaps more important than all of these conditions is the need for regulatory authorities to avoid conveying the impression that they are in any way compromised by the potential for a conflict of interests. Circumventing that potential for conflict would require a subtle separation of these rights and their respective benefits. I say subtle because I think that the natural tendency of an institution charged with upholding these rights would be to use economic or accounting expediency to 'force' some coalescence of at least two of them. If the resultant institutional structure giving effect to these rights were to convey some sort of administrative amalgamation of them then there is always the prospect of the discreteness of any individual right being subject to strain. To my mind, that is wholly undesirable.

The central issue for debate involves not simply a matter of whether the three rights are complementary but whether there may be potential for conflict of interest in the course of enforcing those rights. Such conflict may manifest itself in a number of forms. If judgements are seen to be arbitrary or lacking in consistency then the impartiality and objectiveness of the processes involved in investigating cases would come into question, and rightly so. This brings me to the matter of the fundamental integrity of the regulatory mechanism which, I suggest, is ultimately determined in the court of public opinion.

4 THE PERCEPTION IS THE REALITY

John Lindsay, a former mayor of New York on the campaign trail for a second term in office, once observed: "In politics, as in life, the perception is the reality" [2]. The power of perception cannot be under-estimated and such power can be put to advantage, or give rise to disadvantage, in different forms and in different situations. I would like to take that idea and apply it to the argument for not merging personal data privacy and FoI in one office.



[2] In point of fact he won a second term partially because of the aura he projected. The perception he created among the electorate was that he could relate to people of all walks of life and possessed “the common touch,” even though he came from a privileged background. It was as much this perception as the policies he was associated with that rewarded him with a second term in office.


The thrust of my case is that the credibility of a regulatory system is ultimately based upon public perceptions. People see what they want to see, hear what they want to hear and are influenced by selective recall. The big question therefore is what do members of the public 'see' in a single office that combines the roles of privacy and FoI commissioner? As I have suggested, such an organizational configuration runs the risk of projecting an image characterised by confusion. As the two sets of rights challenge each other it is almost inevitable that the public perception will be formed, that there is an essential conflict of interests. Frankly, it matters not whether that is the actual case because the perception can 'delude' people into believing what they choose to believe and what they choose to believe may not be favourable in terms of their attitudes towards the office of a combined commissioner. If that were the case then I think there is the risk that collective perceptions of the community, which may degenerate into prejudices, could effectively undermine the moral authority of that office. If that were to happen my view is that this would strike at the very heart of the system. Equally as significant it would create a "lose-lose" situation.

Let me apply this line of argument to Hong Kong by way of an illustration. In the HKSAR, the PCPD is perceived by the community as the advocate and champion of personal data privacy. Although at the present time it is an unlikely event, what would be my analysis if the PCPD were to assume responsibility for newly passed FoI legislation? With a history that has been exclusively devoted to personal data privacy the overlay of an FoI remit would mean that our Office would have to involve itself in the perception management business. Perceptions alone would be enough to cause damage to the level of public confidence invested in such a regulatory system. If conflict of interests were to be perceived at the inception of a combined office then that perception strikes at the very core of the regulatory system, and the ensuing erosion of confidence becomes a damning indictment of its creation and creator. The damage would have been done and correcting that damage would make considerable demands upon the skills of the most accomplished spin doctor.

However, I recognise that my argument is influenced by my own experience as a privacy commissioner and that, of course, is context-specific. That context may be idiosyncratic, if not unique, and therefore I am not putting forward a view that can be universally applied to other jurisdictions that exhibit different structural features and social components. As a person who sees merit in contextualism I must acknowledge that Hong Kong is not the United Kingdom and what suits one may very well be contrary to the interests of another.

For the purpose of our discussion, allow me to cite three principal objections to the creation of a combined office. Again, I stress that these objections may be perceived rather than actual.

1) Information 'versus' Privacy

"Versus" may overstate my case a little but I believe that from a perceptual standpoint that is precisely how any conflict of interests might be paraphrased. Information precedes privacy in that without information there can be no infringement of personal data privacy rights. Accordingly, an Information Commissioner would be expected to protect the right that FoI legislation confers upon the public, namely the right to be informed of, and have access to, official information. In exercising this right the most obvious problem would be dealing with official information that contained private information. For some FoI proponents this would not be an issue because the stance taken would be that the rights pertaining to private information should be subordinated to the public's right to know. What justification is there for asserting that the public's right to know reigns supreme and at the expense of the public's right to a reasonable expectation of personal data privacy? Where do you draw the line between the exercise of these rights and how do you draw the line in practice? What day-to-day problems arise from striking a balance between the two, and can you expect to walk that fine line in a consistent and impartial manner that exemplifies an equitable judgement?

2) The Inviolability of the Public's Right to Know

How far should the public's right to know intrude into the private affairs of another, especially the lives of public figures and media personalities? Should those in either category, upon assuming some public significance, be expected to abandon any hope of preserving and protecting their privacy? Does the argument that the public's right to know extend to the citizens of Canada knowing what their Prime Minister has for breakfast or, for that matter, who he has breakfast with? Should the glare of the public spotlight cast a shadow over all aspects of the Prime Minister's privacy, twenty-four hours a day?

Surely there are great difficulties involved in giving definition to fairness, reasonable access, and a reasonable expectation of privacy. Certainly those charged with clarifying those definitions face an unenviable task. Yet it is a task that must be undertaken if for no other reason than that cited by the French scholar Voltaire who said, "Define your terms and we shall talk." Those of us with a legal training know this only too well in that ill-conceived definitions give rise to a plethora of problems associated with interpretation and application of the law. In short, practice becomes precarious simply because a lack of clarity impacts upon an ability to devise sound criteria for decision-making purposes. If decision-making becomes fudged the operation and maintenance of a regulatory authority is placed in jeopardy.

3) Grey is not a 'Good' Colour

Any contest of values is likely to give rise to grey areas. Where there are grey areas the focus inevitably switches to judgmental issues such as objectivity and fairness. Grey areas confront the decision-maker with imponderables that can so easily degenerate into a compromise of one set of values in one set of circumstances and another set of values in another set of circumstances. This type of arbitrariness does nothing to promote faith in the concept of fairness, and that does not make for a good regulatory mechanism.

My primary objection therefore is that situation-specific decision making gives rise to an unacceptable level of risk that, in turn, has ramifications for continuity and regulatory consistency. The legal splitting of fine hairs in FoI and privacy judgements confounds the layman. I don't think that I am alone when I say that I firmly believe it to be the duty of legal practitioners in public service to clarify rather than obfuscate issues so that the learning can readily be communicated, and communicatable, to persons on the proverbial Clapham omnibus.

Review and Appeal may not be the answer

By way of a supplementary to the issues generated by 'greyness' it is my view that the corollary of this phenomenon is that it tends to result in the construction of an elaborate review and appeal mechanism. Such a mechanism, erroneously in my view, tries to both rationalise the imperfections of the regulatory system and convey to the general public that all is well. I do not think that is so, in fact I believe that a very different interpretation can be made, which is, that the elaborateness of the review and appeal mechanism is directly proportional to the magnitude of the inadequacies of the regulatory system. Far from conveying a sense in the community that the review and appeal mechanism is some sort of user-friendly safety net that the individual may seek reassurance in, there is at least an equal chance that its complexity is intimidating, and, for the lesser man, not a real option. Complexity, compounded by convoluted procedures and a lengthy procedural process, together with associated costs, dissuades all but the most tenacious complainant from exercising his/her rights.

5 CONCLUSION - An Issue of Confidence

The foundation of an effective and efficient regulatory system is the trust and confidence in the system on the part of those regulated. Argument aside an adverse ruling by an appellate body can seriously undermine regulatory integrity and confidence. In the final analysis, it comes down to an issue of confidence. If 'consumers' have confidence in products and services they will purchase them. If they don't, they will reject them. I do not think that because regulatory bodies reside in the public domain that they are immune to this very fundamental market principle. On the contrary, they should learn from and have an open mind towards other types of organisations that offer services to the public. Why? Because in many ways there are striking similarities between the office of a regulatory commissioner and a service-oriented company operating in the private sector. Both offer services to the public which are attempts to satisfy their wants and needs. In the process of consumption 'consumers' may well challenge the value of that service, or its delivery, and register a complaint. I would therefore suggest that we might do well to think 'outside of the box' and look at how other people face the challenges that I have outlined. Most importantly, we need to consider how they instill consumer confidence in the services they offer, and when that breaks down, as it does from time to time, the damage control mechanisms that are engaged in order to satisfy the customer and restore confidence.

I think the issues of trust and confidence are central to determining just how any regulatory mechanism is perceived, indeed both act as critical tests of the system. An analogy would be with the way in which the B2C consumer regards shopping online. In Hong Kong at least, shopping online accounts for a minimal proportion of total consumer expenditure in a city that is highly 'wired' and where consumers embrace new technologies with enthusiasm. Nonetheless, survey after survey into online shopping indicates that consumers just do not have trust and confidence in the Internet and E-vendors. Irrespective of the pledges made on the websites an abiding perception is that it is just not safe to shop online. Whether it is more or less safe to hand over a credit card in a physical transaction as distinct from transmitting those details over the Internet is a moot point. However, the perception is the reality and the perception says that E-vendors have to do a lot more to establish trust and confidence in this medium for it to become widely diffused.

In conclusion if we subscribe to the proposition that protection of personal information, as a public service, is best undertaken by an independent authority - untainted or unaffected by issues considered important by the authority of the day - then the separate regulation of privacy and FoI would appear to me to be the preferred model, at least, from the HKSAR's perspective. This is so because a separation of duties and powers is less likely to result in a situation in which the office is obliged to confront those issues that become the subject of public scrutiny and controversy.

Raymond TANG
Privacy Commissioner for Personal Data, HKSAR
Suite 2001, 20th Floor, Office Tower, Convention Plaza
No.1 Harbour Road
Wanchai, Hong Kong

E Mail: pco@pcpd.org.hk
Internet: http://www.pcpd.org.hk