PCPD - Proposals to amend the privacy law for better protection of online personal data

Proposals to amend the privacy law
for better protection of online personal data

1.    The Office of the Privacy Commissioner for Personal Data (PCPD) issued the following statement in response to media reports concerning the need to consider the creation of a new offence.

2.    In response to the recent incident on the online distribution of nude photographs, the PCPD issued a media release on 19 February stating its stance on the matter. In paragraph 17 of that media release, Commissioner Woo was quoted as saying, “The incident demonstrates clearly to the Administration that there is a pressing need to actively consider changing the law by the creation of a new offence for knowingly, without the consent of the data user, obtain or disclose personal data held or leaked by a data user or the selling of personal data so obtained. This can serve as an effective deterrent in sanctioning irresponsible behaviour in handling personal data online.”

3.    Under the current provisions of the Personal Data (Privacy) Ordinance, contravention of a data protection principle per se does not attract criminal sanction. Thus there exists a loophole which allows the irresponsible behaviour of persons who, in flagrant disregard of the personal data privacy of the original data user, can sell or trade in personal data collected without consent or personal data which have been leaked. Cases where personal data privacy is so abused primarily include :

i)    the unauthorized access and collection of customers’ personal data by a staff of a bank or a telecommunications company for the purpose of selling them to debt collection agents or third parties for profits; or
ii)    the use of personal data for personal gains of the collector, such as the sale of the data to direct marketing companies or for perpetuating crime by theft of identity.

4.    It is timely for the Administration to consider amending the Ordinance to provide appropriate sanction along the line of section 55 of the Data Protection Act in the UK.

5.    In the UK, personal data protection is offered in law by section 55 of the Data Protection Act which came into force on 1 March 2000 making it an offence (with certain exemptions) to obtain, disclose or procure the disclosure of personal information knowingly or recklessly, without the consent of the data user and fine as penalty was imposed. According to figures provided by the UK Information Commissioner’s Office, some 1,000 section 55 complaints were received in the six years since the operation of the Act. 25 prosecutions were brought between mid-November 2002 to January 2006, which nearly all resulted in convictions.

6.    Mr. Woo wishes to stress that the proposed offence (with appropriate exemptions) is not intended to and should not interfere with the normal and innocuous internet browsing activities of web users.