Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance

the case. More detailed explanations can be found in the Guidance Note on Proper

Handling of Data Access Request and Charging of Data Access Request Fee by Data

Users

issued by the Commissioner.

10.63

The Commissioner’s views on assessing the fee for complying with a data access request

were examined by the AAB in AAB No. 37/2009. The case concerns three data access

requests made by an individual to a government department and a substantial amount

of personal data requested (which was estimated to involve around 6,000 pages of

documents and covered a period of more than ten years). The department requested a

fee of more than HK$14,000 for complying with the data access request which was

disputed by the data requestor as being excessive. The AAB held that a purposive

approach should be adopted when interpreting and applying the term “excessive”

under section 28(3) and that the charging provision had to be construed strictly and

must be cost related. According to the AAB, the data user is only allowed to charge the

requestor for the costs which are “directly related to and necessary for” complying with

a data access request. Any fee which exceeds the costs of compliance will be

considered excessive. The AAB considered that what is “direct and necessary” is not the

same as “reasonable” and a data user should consider the question of whether it is

possible to comply with the data access request without incurring the individual item of

cost. If the answer is “yes”, then the data user should not charge the cost incurred for

that particular item.

10.64

The decision in AAB No. 52/2011

further builds on the above fee-charging principle.

Firstly, if a data user chooses to comply with a data access request in a form that is more

costly, it is not able to charge a fee higher than what would otherwise be chargeable if

it had complied with the request in a form that was less costly. In short, a data user is only

entitled to recover those costs which are the lowest out of all the alternative courses

available to the data user in order to comply with a data access request. Secondly, a

data user bears the evidentiary burden to show that the costs incurred for complying

with a data access request are not only directly related and necessary, but are also not

“excessive” in the circumstances of the particular case. Hence, if the data user has

created an extraordinary situation whereby excessive costs have been incurred, it might

be against the clear words of section 28(3) to allow such costs to be borne by the data

subject.

10.65

Some examples of expenses that data users might try to charge for complying with a

data access request, which are individually examined below, include:

•

fees for seeking legal advice or professional service;

•

office overheads;

•

direct labour costs and necessary expenses;

•

photocopying; and

•

flat-rate fee.

Available on the Website:

https://www.pcpd.org.hk//english/resources_centre/publications/files/DAR_e.pdf

In this appeal case, the requested data was held in a laptop which crashed and the data user had to incur a huge fee

to recover the data from its back-up tapes.