Abstract

The emergence of different forms of cyber technology has effectively transformed how information is disseminated and abuses can be done effortlessly. A person may voluntarily upload pictures or other information about himself on social media, but he may not consent to an investigator digging information about him albeit information published voluntarily by himself in the first place. The same goes with personal information disclosed by mandatory means. While it is wrongful to publish or disclose private information, the position may not be so clear in relation to publicly available information. Can a person disclose or publish private information of another person when such information is available to a certain category of people? Can a company compile personal data of litigants involved in bankruptcy proceedings and transfer such data to employment agencies for a fee? This article seeks to identify available actions in Hong Kong both under common law and the Personal Data (Privacy) Ordinance. It further analyses the existence of the so-called ‘right to be forgotten’ under the Ordinance focusing on two recent Hong Kong decisions on publicly available information. It compares with the position in the EU and concludes with a proposal to strengthen protection in these areas.

INTRODUCTION

The emergence of different forms of cyber technology has effectively transformed how information is disseminated and how we communicate. The prevalence of mobile technology enables individuals to publish information to a very large audience at their fingertips. While this must have a positive impact on the access and sharing of information, the associated negative consequences cannot be under-estimated. With the power of the internet, harassment and abuses can be done effortlessly and private individuals may find it extremely difficult to preserve their anonymity. 
Such cyber-bullying activities may take the form of posting harassing messages, personal information or photos in a discussion forum and in many cases the initiator may be difficult to trace in the online world. A norm of internet vigilantism has therefore emerged which encourages the shaming of one’s personal lives leading to further bullying activities.1 A person may voluntarily upload pictures or other information about himself on social media, but he may not consent to an investigator digging information about him albeit information published voluntarily by himself in the first place. The same goes with personal information disclosed by mandatory means. This is because information can be used subsequently in completely different contexts and may lead to extremely embarrassing and distressing results. The permanence of the material together with the searchability of the web enables the individual concerned to be re-victimized and thereby causing further damage.2 At the end of June 2016, a staggering 3,631,124,813 internet users were recorded worldwide with around 1,801,512,654 users in the Asia region.3 A compilation of the most popular social networks showed that Facebook currently has over 1871 million active users and 877 million users on QQ and 846 million users on WeChat, both dominating the Chinese market.4 Technology therefore enables the easy sharing and disclosure of information resulting in different types of invasive activities. In the United States, Megan Meier, a 13-year-old girl committed suicide after being bullied on a social networking platform and the bully was later identified to be the mother of Megan Meier’s classmate, and her personal details including her address and her husband’s name were revealed.5 Such ‘human flesh search’ activities also found their way in China and a video showing a lady stomping a kitten to death with her high heels went viral on the internet. 
This lady’s personal information including her name and employer’s details were made public and she lost her job in the end.6 Such online shaming activities are invasive leaving the targeted victim to be bullied anytime and anywhere. Personal information, although not necessarily confidential, is made publicly available and the psychological impact on these targeted victims can be far-reaching. Victims have been found to experience feelings of helplessness and depression.7 While all these stories mentioned above entail wrongful activities to a certain degree, and therefore lead the public to feel the need to condemn and shame these victims, one must appreciate that the public has no legal ‘right’ to condemn and the repeated disclosure or publication of private information is arguably a violation of a person’s dignity8 and it is this concept of dignity which differentiates privacy rights from other rights and interests associated with mere reputation. This notion of dignity has been recognized in various English privacy decisions although there is no separate cause of action for infringing a person’s dignity. In Campbell v. MGN,9 Lord Hoffmann (though in the minority and ruled against Campbell) recognized the relationship between privacy and dignity and concluded that human rights law identified private information ‘as something worth protecting as an aspect of human autonomy and dignity’.10 In Mosley v. News Group Newspapers Ltd,11 the publication involved photographs of the claimant engaging in sado-masochistic activities and Eady J ruled that sexual activities are inherently private and the law protecting private life is to afford protection against the violation of a person’s autonomy, dignity, and self-esteem.12 Likewise in the more recent decision of Gulati v. 
MGN,13 the Court of Appeal agreed with the lower court that the power to grant damages was not limited to distress alone and could be extended to compensate the claimants for the misuse of their private information, since the claimants had been deprived of their right to control the use of the private information when the defendants hacked their voicemail boxes, even though in some circumstances no useful information had been obtained.14 Such recognition of a right to control information signifies the need to protect the underlying values of dignity and autonomy in privacy actions.15 In Hong Kong, the Basic Law recognizes the importance of privacy and the underlying values of dignity and autonomy. Article 28 states that ‘arbitrary or unlawful search of the body of any resident or deprivation or restriction of the freedom of the person shall be prohibited’ and Article 29 further states that ‘the homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident’s home or other premises shall be prohibited’. Apart from protecting against intrusion to a person’s privacy, the Basic Law also provides for the protection of private communications. Article 30 states that ‘the freedom and privacy of communication of Hong Kong residents shall be protected by the law’ and ‘no department or individual may…infringe upon the freedom of communication of residents except in accordance with legal procedures to meet the needs of public security or of investigation into criminal offences’. We all share information at some point in our lives. Such information can be personal and sensitive and the information can be provided voluntarily or mandatorily. A person may choose to share personal and intimate pictures with a closed group of friends on social media platforms. 
A director of a company, on the other hand, is required by the law to disclose his or her details at the Company Registry and such information is made publicly available upon a payment of a fee.16 While it is wrongful to publish or disclose confidential or private information, the position may not be so clear in relation to publicly available information. Can a person disclose or publish private and sensitive information of another person when such information is available to a certain category of people? Can a company compile personal data of litigants involved in criminal and bankruptcy proceedings and transfer such information to employment agencies for a fee? A person may be punished under criminal law if he or she has intruded on another’s privacy through the use of publicly available information. One relevant category of offences relates to the taking or distribution of nude photographs or material of a sexual nature. The law governing these articles can be found in the Control of Obscene and Indecent Articles Ordinance (COIAO).17 A thing is defined as obscene ‘if by reason of obscenity it is not suitable to be published to any person’ or ‘if by reason of indecency it is not suitable to be published to a juvenile’.18 Under section 21 of the COIAO, it is an offence to publish, possess (for the purpose of publication) or import (for the purpose of publication), any obscene article whether or not this person has knowledge that it is an obscene article. An aggrieved person may also rely on common law actions like defamation or copyright to pursue a civil remedy. However, these actions have their own limitation and criminal sanctions generally offer privacy protection only where the invasion of privacy also involves some moral wrongs or behaviour which is otherwise contrary to the interests of the public. 
Likewise, criminal sanctions can be limited in their privacy protectiveness due to the higher standard of proof required and are generally prosecuted at the discretion of the police. In Hong Kong, the Edison Chen scandal in 2008 ignited a series of online distribution of intimate pictures of local pop star Edison Chen and various Hong Kong actresses after a computer technician leaked them online. The photos made the rounds online through emails and on forums and were thus publicly available for at least a short period of time. The use of publicly available information in Hong Kong had also contributed to various cyber-bullying incidents. For example, a bride-to-be was attacked on different online social platforms after she posted comments on the amount of wedding gift money she expected. Net users compiled details of the bride and shared images of the lady and her fiancé and the incident was so heated that nearly 1000 people expressed their intention to protest on her wedding day at the wedding venue.19 The courts in Hong Kong have not explicitly recognized an action of breach of privacy and claimants generally rely on data protection laws in breaches of privacy. This article therefore seeks to identify available actions under common law and the Personal Data (Privacy) Ordinance (PDPO) in cases of unauthorized use of publicly available information.20 It further analyses the existence of the so-called ‘right to be forgotten’ under the PDPO with a particular focus on two recent Hong Kong decisions on publicly available information. It compares the position in the European Union and concludes with a proposal for strengthening protection in this area without compromising other rights and freedoms. 

COMMON LAW ACTION OF BREACH OF PRIVACY

The publication of personal information nowadays usually occurs in an online environment and while the internet’s capacity has been described as ‘one of the great innovations of the information age’,21 the impact of such publication or disclosure of personal information in mass media on individuals’ privacy can never be under-estimated. This is largely because of the internet’s capacity to make personal information or stories go ‘viral’ more quickly and more widely than ever before.22 Such publication may take the form of online postings in social media platforms or in other cases individuals or companies may collate personal information for commercial reasons. While one may justifiably object to the use or publication of private information, the stance may not be as clear if the information in question is publicly available or at least available to certain categories of people. An action of misuse of private information depends very much on whether the claimant has a reasonable expectation of privacy, as laid down in the House of Lords decision of Campbell v. MGN23 where Baroness Hale stated that the balancing exercise (as between privacy and freedom of expression) begins when the person publishing the information knows or ought to know that there is a reasonable expectation that the information in question will be kept confidential.24 In determining whether a person enjoys a reasonable expectation of privacy, the Court of Appeal in Murray v. Express Newspapers25 acknowledged the reasonable expectation test to be a broad one and factors including the nature and purpose of the intrusion, the absence of consent, and the effect on the claimant are considered to be relevant. Take for example, the circulation of intimate photographs which have already been leaked. 
Does it mean that the claimant concerned has no reasonable expectation of privacy because the photographs have been available to the public for a period of time? This issue was tackled in Mosley v. News Group Newspapers Ltd26 which involved the online publication of a video showing the claimant engaging in sado-masochistic activities. Eady J allowed the claim and granted damages to the claimant but refused the application of an interim injunction27 on the ground that the video was too widely available for the injunction to serve any purpose.28 However, there may be circumstances where a restraint on further publication is appropriate. In Green Corns Ltd v. Claverley Group Ltd.,29 the court granted an injunction restraining the publication of addresses of troubled children notwithstanding that such information was available at the Land Registry. The court recognized that further harm could be caused by the publication of such personal and sensitive information even though the information had been widely disseminated in previous occasions. Likewise, the Hong Kong courts also granted an injunction in relation to a dance clip and some semi-nude photographs of the claimant in the case of Sima Sai Er v. Next Magazine Publishing & Ltd.30 Judge Chow in this case did not follow Eady J’s decision in Mosley and recognized that a distinction had to be drawn between publication of information in a narrative form and the publication of a photograph or a video clip since ‘each publication is a fresh intrusion of privacy’.31 Recent United Kingdom decisions seemed to have departed from Eady J’s reasoning in Mosley and injunctions were granted in a number of media-related cases. In Rocknroll v. 
News Group Newspapers Ltd,32 the court granted an interim injunction against the defendant from publishing photographs showing the partially undressed claimant even though such photographs were available to the 1500 ‘friends’ on the claimant’s Facebook account and subsequently available to the public. Briggs J was not convinced that an injunction would serve no useful purpose particularly where there had been no evidence to show that the photographs had been widely accessed. In PJS v. News Group Newspapers Ltd,33 the Supreme Court allowed the claimant’s application for permission to appeal in relation to the Court of Appeal’s decision in ‘lifting’ the interim injunction. In this case, the claimant and his partner were in the entertainment business and an interim injunction was granted to restrain the defendant from publishing a story about his extra-marital sexual activities, based on a breach of confidence claim as well as the claimant’s privacy right under Article 8 of the European Convention on Human Rights. The Supreme Court held that the claim itself did not depend on confidentiality alone but also unwanted intrusion into one’s personal space and repetition of the disclosure of the claimant’s story was ‘capable of constituting a further tort of invasion of privacy, even in relation to persons to whom disclosure or publication was previously made—especially if it occurs in a different medium’.34 Even though the story, including the names of the people involved in the activities, was subsequently published in the United States, Canada as well as in a Scottish newspaper, the court was of the view that further publication would involve not only the disclosures of names and descriptions of the activities involved but also the most intimate details which would deepen the intrusiveness and distress felt by the claimant and, more importantly, his children.35 Lord Toulson, in the minority, disagreed with these findings. 
While acknowledging the private and sensitive nature of the information, his Lordship was of the view that the essential details had been so widely accessible on internet sites that ‘the idea of [the story] still remaining secret in a meaningful sense is illusory’.36 In reaching this conclusion, his Lordship made a distinction between repeated publications of photographs and repeated publications of facts which are widely known, recognizing that the former would enable the viewer to focus on intimate personal details and therefore constitute a fresh intrusion of privacy every time the photograph is viewed.37 In any event, this decision recognized that personal information, particularly in a visual format, deserves protection in appropriate circumstances even though such information is publicly available. The Irish Court of Appeal also had an opportunity to decide on the legality of the re-publication of certain publicly available information on social media platforms in CG v. Facebook Ltd.38 The claimant was a sex offender and brought an action against Facebook in relation to a Facebook page showing his picture, convictions, and the locality of his home. The court ruled that the publication of the claimant’s name, photograph, circumstances of his conviction, and the locality where he lived were cumulative information in which the claimant had a reasonable expectation of privacy, although the mere posting of a photograph with no reference to the claimant’s name, address, or locality did not give rise to a reasonable expectation of privacy. The court accepted that context can be important but not necessarily decisive and whether or not the re-publication of private information amounts to an intrusion is essentially fact sensitive. 
Therefore, that context can ‘include the disclosure or repetition of information which itself is not protected but which together with other private information can lead to unlawful intrusion’.39 An analysis of the above cases shows that the basis of a privacy claim rests on whether the individual has a reasonable expectation of privacy and if yes, whether the disclosure outweighs the individual’s privacy. If such information is made publicly available mandatorily, the court may still find a reasonable expectation of privacy as seen in the Green Corns decision and the same goes with detailed facts of highly private activities even though some information had already been leaked to the public domain, albeit without the consent of the claimant, as seen in the PJS decision. The position may be less clear if the claimant ‘made available’ such information to the public or has agreed to terms and conditions dictated by online sharing platforms which allow for public access of sharing. However, it is arguable as to whether such consent is made freely and the dictation of one-sided policy should not be taken to mean that privacy rights are voluntarily forfeited.40 In any event, the decision in Rocknroll demonstrated that publication on Facebook does not automatically deem the information to be in the public domain, even though the Facebook page allowed for unrestricted access.41 While there is no hard and fast rule in determining whether a particular claimant’s privacy has been infringed, it is submitted that a range of factors as listed in the Murray case will be taken into account in determining whether the claimant has a reasonable expectation of privacy. The fact that the information is in the public domain may compromise the claimant’s reasonable expectation of privacy but the Supreme Court decision in PJS should have provided some comfort to potential claimants. 
The focus is now switched to the additional intrusion that a claimant will suffer despite the likelihood of further internet or social media dissemination. But a further question arises from the decision: does the law restrict further publication because it causes distress even though the information is already in the public domain?42 If this is the case, then it matters not whether the information is in the public domain and thus offering protection to a claimant based on the level of distress caused by the republication of the information. Whether or not the information is confidential may be a factor to consider but the focus is clearly now on the level of intrusiveness when the information is used, disclosed, or published.

ONLINE PUBLICATION OF PERSONAL INFORMATION IN HONG KONG: LEGISLATION

A claimant may rely on a common law privacy action for the unwanted publication of private information but the lack of case law in Hong Kong leaves claimants to remain speculative as to how an action is formulated in the Hong Kong courts. Legislation may offer alternative redress and to qualify for protection under the PDPO, the information in question must fall within the scope of personal data. 
Personal data is defined as data that (i) relate directly or indirectly to a living individual; (ii) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (iii) that is in a form in which access to or processing of the data is practicable.43 The information in question does not extend to deceased people or corporations and data is defined as any representation of information (including an expression of opinion) in any document and includes a personal identifier.44 The scope of the meaning of data was discussed in the Court of Appeal decision in Eastweek Publisher Ltd v Privacy Commissioner for Personal Data45 and the main issue in this case was whether the published photograph46 was within the meaning of ‘personal data’ and particularly whether the identification requirements as stated above were met. The court concluded that the requirements were not met since there was no act of data collection. That was the case because the photographer in question remained indifferent and ignorant of her identity. But the most important question is against whom an action under the PDPO can be brought. A person may disclose or publicize sensitive information about the victim on a website which causes the victim distress and humiliation. The victim can rely on the PDPO only if it can be proved that the person in question is a data user under the PDPO. A data user is defined as a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing, or use of the data.47 Section 4 further states that a data user shall not do an act, or engage in a practice, that contravenes a data protection principle. Thus, the person/entity who discloses the information as well as the online intermediary (internet service provider or search engine) may be regarded as a data user if they control the collection or use of the data. 
There are six data protection principles (DPPs) in the PDPO and breach of any one of them may result in an enforcement notice served by the Privacy Commissioner.48 Failure to comply with an enforcement notice is a criminal offence.49 The more relevant DPPs are DPP 1 and DPP 3 when a data user collects, uses, or discloses personal data of a data subject. DPP 1(2) states that personal data has to be collected by lawful and fair means and DPP 3 states that personal data shall not be used for a new purpose unless with the prescribed consent of the data subject. A person who compiles and publishes personal data of an individual may qualify as a data user unless he or she is able to rely on one of the exemptions under Part VIII of the PDPO. It is also noteworthy that a person may attract criminal liability if he or she discloses personal data of a data subject obtained from a data user without this data user’s consent and with an intent to obtain a gain or cause loss to the data subject.50 Thus, a cyber bully who downloads sensitive information or pictures from a public website which causes losses (which may include injury to feelings) may be caught by this section, so long as the information disclosed constitutes personal data within the PDPO. A data user may be able to rely on a domestic use exemption if personal data held by that particular individual is concerned only with the management of his personal, family, or household affairs or such data are held only for recreational purposes.51 The scope of the defence, however, has not been tested in Hong Kong and it is arguable that the person who discloses such personal information on the internet or other social media platforms is only holding it for recreational purposes. The position in the EU is more clear-cut. 
The General Data Protection Regulation (GDPR)52 includes a new recital which explains the scope of a similar personal exemption: This Regulation should not apply to processing of personal data by a natural person in the course of a purely personal or household activity and thus without a connection with a professional or commercial activity. Personal and household activities could include correspondence and the holding of addresses or social networking and online activity undertaken within the context of such personal or household activities. However, this Regulation should apply to controllers or processors which provide the means for such personal and household activities.53 The wording of the recital suggests that a private individual who publishes personal information on social networking platforms in the context of personal or household activities may be able to rely on this defence. Arguably, a person who publishes private information of another individual in his or her own private Facebook account may be able to qualify for this defence, although the platform provider like Facebook in this case may still be governed by the provisions in the Regulation. Such a personal exemption is capable of being interpreted in different ways and a wide interpretation may help strengthen competing interests like freedom of expression but a full exemption from data protection requirements to any user who uploads private information of another as a private individual would totally undermine the effectiveness of data protection laws altogether.54 An expansion of the domestic exemption in Hong Kong to include online and social media activities within the context of personal and household activities will further clarify the scope of exemption in the modern world and thus strike a better balance between privacy and freedom of expression. So how about the collection of information from public sources? 
The Privacy Commissioner in Hong Kong had the opportunity to rule on this issue in the ‘Do No Evil’ application.55 In 2013, a mobile application (App) named ‘Do No Evil’ was created by Brilliant United Investments Limited (‘BUI’) which boasted a database of over two million Hong Kong Court litigation records from which subscribers could conduct litigation search. BUI promoted this App to its subscribers by claiming that they could conduct due diligence exercise on individuals before offering jobs for potential employees or signing tenancy agreements with prospective tenants. It was later revealed that such records were collected by Glorious Destiny Investment (‘GDI’) which provided the information to BUI. The Commissioner consolidated the investigation of these two cases and concluded that BUI had not participated in the collection, holding, or processing of the data in question and hence not a ‘data user’ as required under the PDPO. On the other hand, GDI’s main business was to collate publicly available litigation, bankruptcy, and company directors’ information into a database for its clients to perform background checks on target persons and its business was expanded to include smartphone users in Hong Kong. Upon downloading the App, a user will be given 10 credit points for a free trial experience of the App. A user can further purchase credit points for subsequent usage. A user can perform a search request for such data by inserting the target individual’s name as the search criterion and the App will transfer litigation and bankruptcy information from its server to the searcher’s smartphone. 
The Commissioner acknowledged that the public can obtain information relating to litigation, bankruptcy, and company registration at the Judiciary, the Official Receiver’s Office, and the Company’s Registry, respectively, and that GDI collects and collates such information from these sources, thus providing a ‘simple, reliable and low-cost channel to the general public to access the publicly available litigation information’.56 The Commissioner was satisfied that GDI was a data user under the PDPO and the main issue was whether DPP 3 had been contravened. DPP 3 states that personal data should not be used for any purpose other than for the purpose when the data was first collected. The Commissioner made it clear that personal data, whether made publicly available or not, would still be subject to the regime under the PDPO. The Commissioner found that DPP 3 was contravened because ‘data users should only use the data for the stated purposes, or in accordance with the purpose of the public register, or a directly related purpose’,57 and the use of the App exceeded the reasonable expectation of the complainants with regards to how such information in the public domain would be used.58 The Commissioner noted that the purpose of the App was inconsistent with the original purpose when the data was first collected. In reaching this conclusion, the Commissioner examined the purposes for which data held in the various government departments and the Judiciary could be used. A concern which the Commissioner raised was the difference between the original and subsequent use of the data. While there were stated purposes in relation to bankruptcy data and company directors’ data, such a stated purpose was not clear in relation to civil litigation data. 
The Commissioner acknowledged this point but nevertheless concluded that the original purposes must relate ‘to the spirit of the courts to ensure that court hearings are administered in an open and fair manner’.59 It is submitted that the decision was rather arbitrary in making such a conclusion on restricted use when such purpose is not explicitly stated as compared to other types of data (for example, the Company Registry in its terms and conditions of services data relating to company directors state that users of search services undertake not to make copies of the data obtained for resale purposes without the prior consent of the Registrar).60 It will be equally difficult to assume that GDI’s purpose is not related to the original purpose when it is obvious that the creation of the App is to facilitate the public to locate information, which is in line with the spirit of the courts to ensure the administration of fair and open justice. The Commissioner was particularly concerned with the ease that GDI offered in locating information and noted that members of the public would often need to spend a substantial amount of time if they wished to retrieve such information from the public registers. If ease of locating data is a determining factor, does the same apply to website searches of these public registers? In addition, the Commissioner opined that the use of personal data is regulated by the relevant authorities and public access to such data is ‘restricted to specific purposes, thus affording protection to the personal data of the data subjects from misuse’.61 On the other hand, the Commissioner criticized GDI’s inability to monitor and control the use of the personal data obtained through the App. 
The relevant authorities may have restricted the use of the data for certain purposes but it is also unclear as to how the Judiciary and the other public registers monitor the use of the data, given that such data can be easily searched on the internet.62 The second ground for finding GDI in breach of DPP 3 was that the App had exceeded the data subjects’ reasonable expectation. The reasonable expectation test used by the Commissioner was ‘whether a reasonable person in the data subject’s situation would find the re-use of the data unexpected, inappropriate or otherwise objectionable, taking into account the sensitivity of the data and the context of the data collection’.63 The Commissioner found the purpose of the App was inconsistent with the stated purpose of the use of the data and since the search function of the App allows the subscribers of the App to search freely via a smartphone at any time and any place, the data subjects would not expect their data to be used by unrelated parties for unrelated purposes. While the Commissioner may have explained his interpretation64 of ‘directly related purpose’ under DPP 3(b) to include ‘the reasonable expectation of the data subject’ as a factor to be taken into account, it is submitted that the reasonable expectation of privacy test was developed by the courts for common law privacy actions and is very much a balancing exercise, taking into account other interests like freedom of expression.65 As discussed in the first part of the article, it is true that the fact that the information in question is publicly available does not necessarily mean that the claimant is not entitled to a reasonable expectation of privacy but this has to be balanced against the public interest to use such information.
This was noted by the Commissioner in that the right of individuals to privacy is not absolute and a balance can be struck by Part VIII of the PDPO which specifically provides for a number of exemptions from the application of DPP 3.66 However, the Commissioner did not consider public interest or freedom of expression in any detail. The more relevant exemption under the PDPO is the news activity exemption, which exempts the disclosure of personal data by a person to a data user whose business consists of news activity, provided there is reasonable ground for the data user to believe that the publication of the data is in the public interest.67 This specific defence has not been tested in the Hong Kong courts and its scope is uncertain. But it is clear that this exemption is applicable only to data users whose business consists of news activities. In other words, a tabloid magazine or an online discussion forum may not be able to utilize this exemption because their business may not necessarily be regarded as news activities. Using the same reasonable expectation test but without an equally strong public interest defence may not necessarily be justified. In any event, even if the reasonable expectation test is legally justified, it is also questionable whether the test is necessary in this case. As argued by Greenleaf,68 users’ expectations can be relevant if personal data is provided voluntarily, but not so in the case where data are gathered by compulsion. This is because data subjects can only make the reasonable assumption that the data will only be used by third parties consistently with the stated purposes and therefore the expectations of the data subjects make no real difference in cases where information is compulsorily collected.
There are obvious good policy reasons to protect publicly available personal data and it is not the aim of this article to argue for a public domain exemption69 but the Commissioner’s approach in this case may result in further uncertainties as to when the use of publicly available data is within the meaning of a directly related purpose. This is particularly true when there are no laws governing the re-use of public sector information. The original stated purpose can technically be drafted in the narrowest sense and therefore making every re-use a contravention of DPP 3. In addition, the Commissioner’s focus was specifically on whether GDI breached DPP 3 and the consequences that data subjects might suffer as a result. However, there was no real analysis on public interest as well as GDI’s interests. Contrast can be seen in the EU’s approach where Article 7(f) of the Data Protection Directive70 permits data processing that is necessary for the legitimate interests pursued by the data controller or third parties to whom the data are disclosed, except where such interests are overridden by the rights and freedoms of the data subject. The issue of public interest was subsequently considered in a Hong Kong administrative appeals board (AAB) decision in Webb v. Privacy Commissioner for Personal Data.71 In Webb, an appeal was brought by the appellant against an enforcement notice issued by the Privacy Commissioner requiring him to remove hyperlinks from his website which disclose the names of the parties set out in court judgments of matrimonial proceedings published on the Hong Kong judiciary’s website. The AAB concluded that the appellant’s publication was not consistent with the Judiciary’s original purposes of publishing the judgments (the original purposes being publishing legal precedents on points of law and procedure) and thus contravening DPP 3. 
Consistent with the decision in the ‘Do No Evil’ application and relying on the Court of Appeal decision in Re Hui Kee Chun,72 the AAB confirmed that DPP 3 is directed against the misuse of personal data and it matters not that the personal data is publicly available.73 It further agreed with the Commissioner’s findings on balancing freedom of press and privacy and concluded that in considering whether public interest is served in any news reporting, ‘public interest must involve a matter of legitimate public concern’74 and a distinction has to be drawn between ‘reporting facts capable of contributing to a debate of general public interest and making tawdry descriptions about an individual’s private life’.75 It is well accepted that public interest is not equivalent to matters that interest the public76 and the lack of public interest is very often justified if the data subject is not a public figure.77 However, public interest was considered only in relation to news reporting as opposed to being a factor to take into account in determining whether DPP 3 has been contravened. Thus, public interest can only be considered if a data user can rely on the news reporting exemption or other exemptions under Part VIII of the PDPO. Although these decisions have not received treatment from the higher courts, it is clear, at least from the Commissioner’s perspective, that the re-use of personal data in the public domain is subject to DPP 3 and data users must prove that their activities in question are directly related to the original purpose when the data were first used or collected. However, the focus on DPP 3 creates uncertainties as to what type of data usage is seen to be for the same or directly related purpose. As seen in the ‘Do No Evil’ application, the Commissioner was ready to conclude that GDI’s activities were for a different purpose even if the original data user, the Judiciary, did not state its intended purpose of collection in the first place. 
The Commissioner had rightly observed that GDI failed to ensure that the data generated from the search results of the App is accurate and valid but the Commissioner did not consider DPP 2, which requires a data user to take practicable steps to ensure that personal data are accurate in relation to the purpose that they are used and where there are reasonable grounds for believing that personal data are inaccurate, the data shall not be used unless and until those grounds cease to be applicable, whether by rectification or erasure of such data. Data users are responsible for the accuracy and validity of the data that are collected and used. This is a clearer and more objective standard, and it is submitted that the Privacy Commissioner should also rely on a breach of DPP 2 in issuing an enforcement notice to GDI.

THE RIGHT TO BE FORGOTTEN: THE IMPACT OF THE GOOGLE SPAIN DECISION

Perhaps it is worth looking at the EU’s position on publicly available data following the landmark decision of the CJEU in Google Spain v. AEPD and Mario Costeja Gonzalez78 which has established that a ‘right to be forgotten’ exists under European data privacy law.79 The case concerned a Spanish lawyer who was identified in some bankruptcy proceedings pursuant to an order made by the Spanish Ministry of Labour and Social Affairs and was subsequently published in a newspaper and uploaded to an online archive maintained by the newspaper. The data subject made a complaint to the Spanish Data Protection Authority, which upheld the complaint, requesting the contested links be removed from Google’s search results. The case was then referred to the CJEU and one of the issues before the court was whether there was an obligation for a search engine to remove links to otherwise lawful materials appearing on third-party websites.
The court identified the data subject’s right to privacy and data protection as well as the interest of internet users in having access to the information and that a fair balance should be sought.80 In concluding that Google had to remove links to web pages which are indexed when a person’s name is searched for, the court made a number of remarkable rulings. First, the fundamental rights to privacy and data protection should, as a rule, override not only the economic interest of the search engine operator but also the interest of the public in accessing that information, unless there is a preponderant interest of the public in having access to that information.81 Therefore, it is not necessary to find prejudice being caused to the data subject. Second, the extent of liability of a search engine may differ from that of a website operator since the legitimate interests justifying the processing may differ and the consequences of the processing in relation to the data subject may not necessarily be the same.82 In fact, the court found that the list of results produced by the search engine operator had made access to the data subject’s information much easier and constituted a more substantial interference with the data subject’s right to privacy than a publication on a web page.83 Significantly, the court found that processing by a web page publisher may in certain circumstances be carried out solely for journalistic purposes and thus benefit from the derogations in the Directive, whereas a search engine operator may not benefit from such a derogation.84 The decision is likely to have profound implications, in particular on the role of online intermediaries as data controllers in the processing of personal data. However, it is also equally important to understand that this so-called right to be forgotten is not absolute.
The court may have ruled that a data subject’s right to removal is not dependent on the prejudice caused to the data subject, but the right to be forgotten only applies if the processing in question is incompatible with the provisions in the Directive, and the existence of such a right is not based on the personal preferences of the data subject.85 The limitation of this right can be seen in the recent CJEU’s decision of Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni,86 where the court ruled that the right to delete may not always apply to information in public registers. In this case, Mr. Manni is the sole director of a building company which was awarded a contract for the construction of a tourist complex. Mr. Manni alleged that the complex did not sell well because the companies register contained information of him being the director and liquidator of a company which became insolvent in 1992 and he therefore sought an order requiring the Lecce Chamber of Commerce to erase, anonymize or block the data linking him to the liquidation of the company. The CJEU held that Mr. 
Manni could not request the deletion of such personal data from the official register because the information is there to protect the interests of parties who intend to trade with the company and such information is necessary to remain in the register.87 The court further concluded that in exceptional circumstances, there may be overriding and legitimate reasons to limit access to such data and it is for the national courts to decide on such reasons on a case-by-case basis.88 In the present case, the mere fact that a tourist complex allegedly did not sell because potential purchasers have access to the data in question cannot be regarded as constituting an overriding and legitimate reason.89 Thus, the right to be forgotten, or more accurately, the right to delete should be viewed as a direct and qualified right to control one’s own data rather than a right to edit history and it is equally important to recognize that there are instances in favour of data retention, for example where it is in the community’s interest that the data is kept (for example criminal records) or there are security reasons (for example criminal investigations) for doing so.90 The new EU General Data Protection Regulation91 thus provides for a number of limitations to this right: Article 17(3) provides that the right to erasure92 does not apply if the processing of personal data is necessary for exercising the right of freedom of expression and information as well as for archiving purposes in the public interest, scientific, historical, or statistical purposes. These exemptions are particularly important in striking the correct balance when the Court in the Google Spain case failed to directly refer to the right of freedom of expression enshrined under Article 10 of the European Convention on Human Rights.93

A RIGHT TO BE FORGOTTEN IN HONG KONG?

It is clear now that a right to be forgotten exists under EU law.
The Manni decision follows the reasoning in the Google Spain case and a data subject may request de-listing if the processing is incompatible with the Directive. But a distinction needs to be made between these two cases: the Google Spain case is concerned with the ‘additional’ data processing carried out by a search engine94 whereas the Manni decision concerns data which is published in a public register. The ‘original’ publication may still be unlawful unless it falls within one of the exemptions. So what are the implications of these two cases for Hong Kong? Is there such a right to be forgotten in Hong Kong? As seen in the ‘Do No Evil’ application, a data user has to comply with DPP 3 which states that unless the prescribed consent of the data subject is obtained, personal data cannot be used for a new purpose. Compliance with DPP 3 applies to voluntarily or mandatorily obtained personal data and it is irrelevant whether such data are publicly available or not. Although the right to be forgotten was not considered in the Hong Kong decisions, it is submitted that the outcome of both the ‘Do No Evil’ and Webb decisions resulted in a closer step to a right to delete since the use of publicly available data is considered use for a new purpose and a breach of DPP 3 if prescribed consent is not obtained. The right to delete makes little difference when the data user will be prohibited from using personal data for that new purpose upon the issuance of an enforcement notice. But it is worth noting that section 26 of the PDPO provides for a limited right to delete which states that a data user must take all practicable steps to erase personal data where such data are no longer required for the purpose when it was used unless such erasure is against the law or it is in the public interest for the data not to be erased.
It further states that the data user must take all practicable steps to erase the personal data notwithstanding that there are other data users who control the processing of the data.95 Furthermore, data access rights under DPP 6 give data subjects a right to correct inaccurate data. The Hong Kong decisions may be clear that publicly available data are still governed by DPP 3 and as seen in the analysis above, freedom of expression and public interest have not received sufficient consideration in these decisions. In an era of Big Data in which individuals are readily identifiable, it is of central importance that data subjects are sufficiently protected. However, it must also be appreciated that the development of data protection laws is constantly curbed by the developments of technology. The Privacy Commissioner in Hong Kong may have engaged DPP 3 to limit the processing of publicly available data, but as noted by Lynskey, this principle of purpose limitation directly contradicts the notion of Big Data, the objective of which is to mine substantial amounts of data to discover correlations.96 Without a mandatory breach notification system in Hong Kong, the purpose limitation principle enunciated under DPP 3 may simply prove to be unrealistic. In any event, the failure of the Commissioner to refer directly to freedom of expression lies in the limited exemptions that are available under the PDPO. As discussed above, the scope of the personal and domestic exemption is unclear and the news activity exemption can only be relied upon if the data user’s activity is solely concerned with news gathering. Developments can be seen from the EU’s position in which the new Regulation shields processing for journalistic purposes as well as academic, artistic, or literary purposes.97 This new Regulation is technically available to any data user and is not restricted to persons in a professional capacity.
An expansion of the available exemptions under the PDPO further balances the competing interest of freedom of expression without compromising privacy interests over personal data since the malicious disclosure of private information is unlikely to fall within these new purposes. Data protection is essential in a fast-moving world, but it is also important to ensure that the laws are realistic and other competing rights and interests are sufficiently considered and balanced in each and every case.

CONCLUSION

The above analysis shows that publicly available information is subject to protection. Both cases and legislation afford protection to claimants. The English authorities suggest that protection will not be denied merely because the information in question is not confidential. It is clear from the Supreme Court’s approach in PJS that the focus is on the intrusiveness of the publication of information and a claimant is still entitled to a reasonable expectation of privacy even though such information has already been widely publicized in other jurisdictions. However, apart from the interlocutory application of the Hong Kong case Sima Sai Er, there are no authorities on common law privacy actions in relation to publicly available information in Hong Kong. A claimant may alternatively rely on data protection laws. A person who publishes personal data of another person, albeit data that is publicly available, may be considered a data user and therefore needs to comply with the data protection principles under the PDPO, unless the personal activity exemption can be relied on. The position is clearer for commercial data users in relation to publicly available information. Both the decisions in Webb and the ‘Do No Evil’ application in Hong Kong suggest that data users have to comply with DPP 3 in respect of publicly available personal data.
While this may be viewed as a step closer to a right to be forgotten in Hong Kong and undoubtedly offering stronger protection for data subjects, it is submitted that public interest and freedom of expression have not been considered fully in these decisions. This is especially important given that there are no laws which explicitly allow for the use of public information. There may be a number of exemptions available under the existing PDPO, but it is submitted that they are of limited application and that other rights and interests, in particular, freedom of expression and innovation, are not given sufficient weight and consideration. Unless further guidance is given, it is difficult to see how data protection can be reconciled with these competing interests. The new GDPR therefore provides a useful template to develop a more consistent and realistic approach in balancing privacy and freedom of expression. First, the domestic and household activities exemption should be clarified so that individual publication falling short of being intrusive can rely on this exemption. Second, the news activity exemption should be expanded to include other purposes (e.g. artistic and academic purposes) to ensure sufficient weight is given to freedom of expression. Third, resorting to the purpose limitation principle enunciated in DPP 3 may be unrealistic taking into account the speed of technology advancement and without any substantive laws governing the use of publicly available information, freedom of information and expression may inevitably be compromised. Thus, the ultimate goal is to sufficiently balance between privacy and freedom of expression, and an expansion of the currently available exemptions should be able to achieve this goal.

1 D Solove, The Future of Reputation: Gossip, Rumor and Privacy on the Internet (New Haven and London: Yale University Press, 2007) 98.
2 Law Reform Commission of Ireland, Issues Paper on Cyber-crime affecting personal safety, privacy and reputation including cyber-bullying (LRC IP 6-2014), 2.
3 World Internet Usage and Population Statistics, June 2016, http://www.internetworldstats.com/stats.htm (accessed 31 May 2017).
4 See http://www.smartinsights.com/social-media-marketing/social-media-strategy/new-global-social-media-research/ (accessed 31 May 2017).
5 A Facebook page entitled ‘Lori Drew – Murderer’ was created to shame and punish Lori Drew, the online bully.
6 R Spencer ‘Just Who Is the Glamorous Kitten Killer of Hangzhou?’ The Telegraph, 4 March 2006, http://www.telegraph.co.uk/news/worldnews/asia/china/1512082/Just-who-is-the-glamorous-kitten-killer-of-Hangzhou.html (accessed 31 May 2017).
7 See S Hinduja and JW Patchin ‘Offline Consequences of Online Victimization: School Violence and Delinquency’ J Sch Violence 6, 89–112.
8 See JQ Whitman ‘What Is Wrong With Inflicting Shame Sanctions?’ Yale Law J 107, 1055–92.
9 UKHL 22.
10 Ibid .
11 EWHC 1777 (QB).
12 Ibid .
13 2 WLR.
14 Ibid .
15 See further ASY Cheung ‘Revisiting Privacy and Dignity: Online Shaming in the Global E-Village’ Laws 3, 301–26. For a discussion of the control theory in privacy, see also B Rossler The Value of Privacy (Cambridge, Oxford, Boston, and New York: Polity Press 2005) 113, 129.
16 The Company Registry in Hong Kong provides an online search service and particulars of directors of a company, including the Hong Kong identity card number, are made available upon payment. See https://www.stc.tid.gov.hk/english/bsg/Onlinecheck_wp.pdf (accessed 31 May 2017).
17 Cap 390.
18 See COIAO, section 2.
19 T-P Chen ‘How to Attract Protesters to Your Wedding’ The Wall Street Journal, 14 November 2012, https://blogs.wsj.com/chinarealtime/2012/11/14/how-to-attract-protesters-to-your-wedding/ (accessed 31 May 2017).
20 Cap. 486.
21 See the Canadian Supreme Court’s decision in Crookes v. Newton SCR 269, .
22 See Cairns v. Modi 2 WLR 1015 .
23 2 AC 457 (HL). Lord Nicholls (minority) also stated that in determining the scope of an individual’s private life, the test is essentially whether in respect of the disclosed facts the person in question had a reasonable expectation of privacy. See Campbell, n 9 .
24 Ibid .
25 ECDR 12 (CA).
26 EMLR 20.
27 Mosley v. News Group Newspapers Ltd EWHC 687 (QB).
28 See also McKennitt v. Ash QB 73 (CA) .
29 EMLR 31.
30 HCA 1500/2014 HKCU 1897.
31 Ibid .
32 EWHC 24.
33 UKSC 26.
34 Ibid .
35 Ibid .
36 Ibid .
37 Ibid .
38 EMLR 12.
39 Ibid –.
40 See L Edwards and L Urquhart ‘Privacy in Public Places: What Expectations of Privacy Do We Have in Social Media Intelligence?’ Int J Law Inform Technol 24, 279, 305.
41 Rocknroll, n 32 .
42 M Mills ‘Sharing Privately: The Effect Publication on Social Media Has on Expectations of Privacy’ J Media L 9, 45–71.
43 Ibid, section 2.
44 Ibid.
45 1 HKC 692. For a critique of the case, see R Wacks ‘What Has Data Protection To Do With Privacy?’ Privacy L Rep 6, 143.
46 The case concerned a young lady who was photographed in a public place without her knowledge and the picture was subsequently published in the appellant’s magazine together with some unflattering comments. The lady was embarrassed and humiliated and therefore made a complaint to the Privacy Commissioner in Hong Kong.
47 PDPO, section 2.
48 PDPO, section 50.
49 See PDPO, section 50A.
50 See PDPO, section 64. The maximum penalty for these offences is a fine of HK$1 million and imprisonment for five years.
51 PDPO, section 52.
52 Regulation 2016/679 of the European Parliament and of the European Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (repealing Directive 95/46/EC) (General Data Protection Regulation).
53 Ibid recital 18.
54 See N Xanthoulis ‘Negotiating the EU Data Protection Reform: Reflections on the Household Exemption’ in AB Sideridis, Z Kardasiadou, CP Yialouris and V Zorkadis (eds) E-Democracy Security, Privacy and Trust in a Digital World (Switzerland: Springer International Publishing, 2013) 135, 141.
55 Office of the Privacy Commissioner for Personal Data Hong Kong, Report No. R13-9744, 13 August 2013 https://www.pcpd.org.hk/english/publications/files/R13_9744_e.pdf (accessed 31 May 2017).
56 Ibid .
57 Ibid .
58 Ibid .
59 Ibid .
60 Clause 5 of the Terms and Conditions of the Companies Registry Electronic Search Services, https://www.icris.cr.gov.hk/csci/download/TNC_Subscriber.pdf (accessed 31 May 2017).
61 Ibid .
62 See A Chiu ‘Data Protection Law Needs to Evolve to Tackle Privacy Challenges, Say Experts’ South China Morning Post, 25 November 2013 http://www.scmp.com/news/hong-kong/article/1365113/data-protection-law-needs-evolve-tackle-privacy-challenges-say (accessed 31 May 2017). See also, S Deane ‘Response to the Privacy Commissioner in Relation to Personal Data in the Public Domain’ Hong Kong Lawyer, December 2013, http://www.hk-lawyer.org/content/response-privacy-commissioner-relation-personal-data-public-domain (accessed 31 May 2017).
63 Office of the Privacy Commissioner for Personal Data Hong Kong, above n 55, .
64 Office of the Privacy Commissioner for Personal Data Hong Kong Data Protection Principles in the Personal Data (Privacy) Ordinance: From the Privacy Commissioner’s Perspective (2nd edn 2010) 60 https://www.pcpd.org.hk/english/resources_centre/publications/books/files/Perspective_2nd.pdf (accessed 31 May 2017). The Privacy Commissioner also issued a guidance note on the use of personal data obtained from the public domain and in there stated that the sensitivity of the personal data, the realistic risks of harm and the commercial use of personal data are factors to consider.
65 See Campbell, n 9, .
66 Office of the Privacy Commissioner for Personal Data Hong Kong, n 14 .
67 See PDPO, section 61.
68 G Greenleaf ‘Private Sector Uses of “Public Domain” Personal Data in Asia: What’s Public May Still Be Private’ Privacy Laws Business Int Rep 127, 13–5.
69 In Singapore, the Personal Data Protection Act 2012 is the main piece of legislation on data protection. According to the Act, the data protection principles do not apply to publicly available data (Second Schedule para 1(c); Third Schedule para 1(c); Fourth Schedule para 1(d)) and publicly available data is defined to mean personal data that is generally available to the public (section 2).
70 European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L281/23.
71 Administrative Appeal No. 54/2014, 27 October 2015.
72 CACV 4/2012, 1 February 2013. In Re Hui Kee Chun, the appellant was found by the Commissioner to have contravened DPP 3 in relation to a tape recording of a conversation between the appellant and the data subject which was subsequently made available on the internet.
73 Webb, n 71, .
74 Ibid .
75 Ibid.
76 For example, in the New Zealand case of Hosking v. Runting 1 NZLR 1, the court held that a matter of general curiosity will not satisfy the test of public interest and a considerable level of legitimate public concern is needed to justify the defence. See Hosking v. Runting 1 NZLR 1 –.
77 M Peguera ‘In the Aftermath of Google Spain: How the “Right to be Forgotten” Is Being Shaped by Courts and the Data Protection Authority’ Int J L Inform Technol 23, 325, 333.
78 Case C-131/12 Google Spain SL v. Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez ECLI:EU:C:2014:317. For a thorough legal analysis of the decision, see D Lindsay ‘The “Right to be Forgotten” by Search Engines under Data Privacy Law: A Legal Analysis of the Costeja Ruling’ J Media L 6, 159–79.
79 This ‘right to be forgotten’ is now explicitly included in the European Union’s General Data Protection Regulation (the Regulation) which was passed in April 2016. Art. 17 of the Regulation states that a data subject has the right to obtain erasure of personal data concerning him or her upon the following grounds: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or processed; (b) the data subject withdraws consent; (c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing; (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation; (f) the personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) (in relation to services directed to a minor).
80 Google Spain, n 78 .
81 Ibid .
82 Ibid .
83 Ibid.
84 Ibid .
85 O Lynskey ‘Control over Personal Data in a Digital Age: Google Spain v AEPD and Mario Costeja Gonzalez’ Modern L Rev 78, 522, 528.
86 Case C-398/15 Commercio, Industria, Artigianato e Agricoltura di Lecce v. AEPD.
87 Ibid , .
88 Ibid .
89 Ibid.
90 Bernal argued that there are five categories of reason as to why data need to be preserved regardless of the data subject’s wishes. They include (i) paternalistic reasons, (ii) communitarian reasons, (iii) administrative or economic reasons, (iv) archival reasons and (v) security reasons. See PA Bernal ‘A Right to Delete?’ Eur J L Technol, 2, http://ejlt.org/article/view/75/144 (accessed 31 May 2017).
91 The EU General Data Protection Regulation, n 52.
92 It should be noted that the right to erasure in Art. 17 of the EU General Data Protection Regulation is wider than the ‘right to be forgotten’ as recognized in the Google Spain case.
93 Lynskey, n 85, 530.
94 M Peguera ‘In the Aftermath of Google Spain: How the “Right to be Forgotten” Is Being Shaped in Spain by Courts and the Data Protection Authority’ Int J L Inform Technol 23, 325, 326.
95 PDPO, section 26(2a).
96 Lynskey, n 85, 530.
97 The EU General Data Protection Regulation Art. 85(2).

© The Author(s) 2018. Published by Oxford University Press. All rights reserved. For permissions, please e-mail: firstname.lastname@example.org.
Statute Law Review – Oxford University Press
Published: Jan 24, 2018