Hong Kong Law Reform Commission

Chapter 9 - Personal Data (Privacy) Ordinance

• Application of the PD(P)O to the media
• Codes of practice under the PD(P)O
• Limitations of the PD(P)O
• Alternative of amending the PD(P)O

9.1 We examine in this chapter the extent to which the provisions of the Personal Data (Privacy) Ordinance (Cap 486) ("the PD(P)O") provide protection for the individual from unwarranted privacy intrusion by journalists and media organisations.[208] We go on to recommend that the Privacy Commissioner for Personal Data ("the Privacy Commissioner") should issue a code of practice in order to enhance the protection from such intrusion provided for under the PD(P)O. We then consider the limitations of the PD(P)O in this area and hence of such a code. Lastly, we consider whether the PD(P)O should be amended to provide for a comprehensive scheme of protection of privacy from intrusion by journalists and media organisations, not just privacy in relation to personal data, and conclude that this would not be desirable.

Application of the PD(P)O to the media

9.2 The PD(P)O aims to protect the privacy of individuals in relation to personal data.[209] News reports, newspaper and magazine articles, photographs and video footage relating to individuals from which it is practicable to identify the individuals concerned generally constitute personal data under the PD(P)O.[210] Accordingly, the collection, holding, use or processing of such material by journalists and media organisations are all governed by the provisions of the PD(P)O, including its data protection principles ("the DPPs")[211], subject to any applicable exemptions. On the other hand, to the extent that media organisations or their employees or agents engage in activities that do not result in the collection, holding, use or processing of personal data, then they are not subject to the PD(P)O. An example of such an activity would be the following of a known person by a journalist without actually taking any photograph of the person or otherwise recording his behaviour. No matter how intrusive such an activity may be with respect to the privacy of the individual concerned it is not something that is governed by the provisions of the PD(P)O.

The Data Protection Principles

9.3 DPP 1(1) provides that personal data must not be collected unless: (a) they are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data; (b) the collection is necessary for or directly related to that purpose; and (c) the data are adequate but not excessive in relation to that purpose. Sub-paragraph (a) poses no difficulty to a journalist or media organisation so long as the collection of personal data is for a journalistic purpose. Similarly, so long as the collection of personal data by a journalist or media organisation may reasonably be said to be necessary for or directly related to such a purpose and the personal data so collected are not excessive, sub-paragraphs (b) and (c) will be complied with.

9.4 DPP 1(2) requires that personal data shall be collected only by means which are both lawful and fair in the circumstances of the case. This means that a journalist or media organisation, in common with any other person, is prohibited from collecting personal data by means that are unfair in the circumstances of the case even if the means are lawful. For example, where personal data are collected by the use of deception, such a means of collection is likely to be treated as unfair if no public interest is at stake and hence contrary to DPP 1(2), even if the deception concerned is not unlawful. The Privacy Commissioner has advised that collection by means unknown to the individuals concerned (eg, photo-taking in public places using long-range lens or hidden cameras) is generally not considered to be a fair means of collection.[212] Other examples given by the Privacy Commissioner include the taking of photographs of individuals in private premises from outside without their consent, and the taking of photographs of individuals in public where they have made it clear that they do not wish to be photographed.[213] These means might nonetheless be considered fair if there is an over-riding public interest in the collection of personal data.[214]

9.5 Where personal data are collected from the individual who is the subject of the data (as may occur, for example, where a journalist records information given by an individual about himself during an interview) the provisions of DPP 1(3) require that all practicable steps shall be taken to inform the individual concerned of certain matters. In particular, the individual must be explicitly informed of the purpose for which the data are to be used. Accordingly, where a journalist or media organisation collects personal data from the individual who is the subject of the data for the purpose of publication or broadcasting, the individual should be explicitly informed of this.

9.6 The judgment of the Court of Appeal in Eastweek Publisher Ltd v Privacy Commissioner for Personal Data[215] has, however, limited the application of the various requirements of DPP 1 reviewed above to the collection of data relating to individuals whose identities are known to the collecting party or data of individuals the collecting party intends to identify (see below). Accordingly, where a journalist or media organisation, say, photographs or films an individual whose identity is unknown and whom the journalist or media organisation does not intend to identify, the photographing or filming of the individual is not subject to the provisions of DPP 1 even though the use of the photograph or film in a published or broadcast report may result in the individual being recognised and identified by his acquaintances.

9.7 DPP 2(1) requires that all practicable steps shall be taken to ensure that personal data are accurate having regard to the purpose for which the data are, or are to be, used. Given their time-sensitive nature, it will often be the case that there will be inaccuracies in personal data contained in news reports. However, so long as all practicable steps have been taken to check the accuracy of the personal data concerned, having regard to the fact that the purpose for which the data are to be used is news reporting, the requirements of DPP 2(1) will have been complied with.

9.8 DPP 2(1) also provides that where there are reasonable grounds for believing that personal data are inaccurate having regard to the purpose for which the data are, or are to be, used, the data concerned should either not be used for that purpose until those grounds cease to apply, or be deleted. Accordingly, a media organisation that includes personal data in, say, a news report knowing that the data are inaccurate would be in breach of DPP 2(1). Further, where it is practicable in all the circumstances of the case to know that personal data disclosed to a third party were and are materially inaccurate having regard to the purpose for which the personal data are, or are to be, used by the third party, DPP 2(1) provides that all practicable steps shall be taken to inform the third party that the data are inaccurate and to provide the third party with such particulars as would enable the rectification of the data.

9.9 At first sight, it might appear that these requirements of DPP 2(1) would require a media organisation to publish or broadcast (as the case may be) corrections of reports that contained inaccurate personal data. Indeed, in our Report on Reform of the Law Relating to the Protection of Personal Data[216], we recommended that the media be required to take all practicable steps to disseminate a correction where inaccurate data have been published.[217] On closer examination, however, it is doubtful whether DPP 2(1)'s requirements that recipients of inaccurate personal data be informed of corrections to that data are applicable to inaccurate personal data that have been broadcast or published to a general audience. This is because the relevant requirements of DPP 2(1) presuppose that the party that disclosed the personal data knows the purpose for which the data are, or are to be, used by each of the parties to whom the data have been disclosed. Such a presupposition does not seem to hold good for a publisher to a general audience, such as a newspaper publisher or broadcaster.[218] We are also not aware that anyone has sought to require that this be done in reliance on the provisions of DPP 2(1).

9.10 In Kam Sea Hang Osmaan v Privacy Commissioner for Personal Data[219], the Administrative Appeals Board was asked to consider a case in which an individual alleged that a magazine had published fabrications about him. The Board found, however, that a lie or fabrication about an individual falls outside the definition of personal data and, hence, that the provisions of the PD(P)O, including the provisions of DPP 2, did not apply at all in the case before it. Specifically, the Board said that:

"The wordings of the definition [of personal data in section 2(1) of the PD(P)O] are clear enough to exclude any fabrication or lies told about a person by another person. … A lie or fabrication always remains a lie or fabrication and can never convert into ‘personal data'."

9.11 With respect to the Board, there is no basis in the wording of the definition of personal data in section 2(1) of the PD(P)O for the contention that it excludes lies or fabrications. We also note that the Board's view would mean that the requirements of DPP 2, and the PD(P)O generally, apply where personal data are inaccurate as a result of inadvertence but not where the inaccuracy is deliberate. We cannot find any justification for such a distinction in the Ordinance. It is also at odds with our recommendation in our Report on Reform of the Law Relating to Personal Data (on which the PD(P)O was based)that all data relating to an individual that facilitate directly or indirectly the identification of the individual to whom they relate should be regulated by law "whether true or not".[220] A lie or fabrication is just as much an untruth as an inadvertent mistake. Accordingly, we respectfully consider that the views expressed by the Board on this matter are incorrect and hence that the application of DPP 2, and the PD(P)O generally, is not limited in the manner contended for by the Board in its decision referred to above.

9.12 DPP 3 provides that personal data must not, without the express consent of the data subject, be used for any purpose other than the purpose for which the data were to be used at the time of the collection of the data or a directly related purpose. Journalists and media organisations are therefore under an obligation to ensure that personal data collected by them for journalistic purposes are used only for these purposes or purposes directly related to them unless the data subject expressly agrees otherwise.

9.13 As a general rule, compliance with the requirements of DPP 3 should pose little difficulty for journalists and media organisations because the personal data they publish or broadcast will usually have been collected for journalistic purposes. On the other hand, DPP 3 does pose potential problems for persons who wish to disclose personal data to journalists or media organisations. If such data were not collected by such persons for use for journalistic purposes or purposes directly related thereto, which will often be the case, then such disclosure would be contrary to the requirements of DPP 3 unless the express consent of the subject is obtained. To address this restriction, an exemption is provided for in the PD(P)O to permit the disclosure of personal data to journalists and media organisations where this is in the public interest. Specifically, in accordance with section 61(2) of the PD(P)O, journalistic sources are permitted to disclose personal data to a journalist or media organisation for publication or broadcasting if they have reasonable grounds to believe, and reasonably believe, that publication or broadcasting of the personal data concerned is in the public interest, even though such disclosure would otherwise contravene the requirements of DPP 3.

9.14 DPP 4 and DPP 5 provide respectively for various requirements with respect to the security of personal data and openness about the personal data policies and practices of persons who collect, hold, process or use personal data, and other matters. Like any other body, to the extent that a media organisation collects, holds, processes or uses personal data, it is subject to these requirements.

9.15 In Apple Daily v Privacy Commissioner,[221] the Administrative Appeals Board overturned a ruling by the Privacy Commissioner that the publisher of Apple Daily had breached DPP 4 by publishing the name of the street to which victims of an attack had moved out of fear of a further assault by their assailant. The basis for the Privacy Commissioner's decision was that the publication of the address in Apple Daily had put the individuals concerned at risk because their assailant might learn of their new location from the article and attack them again. The Privacy Commissioner concluded that this was a breach of DPP 4 because DPP 4 provides for a requirementto take all practicable steps to ensure that personal data are protected against unauthorised or accidental access having particular regard to the harm that could result from such access. The Privacy Commissioner ruled that Apple Daily had failed to meet this requirement by publishing the street name in the article.

9.16 The Administrative Appeals Board disagreed. It found that DPP 4 was intended to ensure that personal data are held in a secure manner. In publishing the personal data concerned, Apple Daily was using the data in such a way that the public would inevitably gain access to it and no question of "unauthorised or accidental" access arose. The Board concluded that: "Access is gained by reason of the publication and is not accidental in nature."

9.17 DPP 6 makes general provision for an individual to have the right to access and correct personal data of which he is the subject. These general provisions are elaborated upon in Part V of the PD(P)O, which contains detailed provisions on compliance with such data access and correction requests.[222]

9.18 Potentially, the exercise of these rights by individuals who are the subjects of personal data collected by journalists or media organisations for journalistic purposes prior to publication or broadcasting of the personal data concerned could have an inhibiting effect on the journalistic process. To avoid this consequence, section 61(1) of the PD(P)O provides that personal data held by a person, whose business consists, in whole or in part, of a journalistic activity,[223] solely for the purpose of that activity, or a directly related activity, are exempt from the requirement to comply with data access requests unless and until the data are published or broadcast. The net effect of this exemption is that under the PD(P)O individuals have no right of access to, and correction of, their personal data held by journalists or media organisations for a journalistic purpose before the data concerned are published or broadcast.

Rights of redress

9.19 An individual who believes that a journalist or media organisation has breached any of the provisions of the PD(P)O, including the provisions of the DPPs, in relation to personal data of which he is the subject may make a complaint to the Privacy Commissioner.[224] However, in accordance with section 61(1) of the PD(P)O, where the data are held for the purpose of a journalistic activity, the Privacy Commissioner may not carry out an investigation of the complaint unless and until the personal data concerned have been published or broadcast. Further, in accordance with the same section, the Privacy Commissioner may not carry out an investigation of a suspected breach of the PD(P)O on his own initiative, ie in the absence of a complaint from the data subject or a person duly authorised on his behalf to make a complaint,[225] in relation to personal data held by a journalist or media organisation for the purpose of a journalistic activity, whether or not such data have been published or broadcast.[226]

9.20 If, having carried out an investigation of a complaint against a journalist or media organisation over which he has jurisdiction, the Privacy Commissioner concludes that the journalist or media organisation concerned is contravening a requirement of the PD(P)O, including a requirement of the DPPs, or has contravened the PD(P)O and is likely to continue or repeat the contravention, he may serve an enforcement notice on the journalist or media organisation concerned.[227] Such a notice may direct the person on whom it is served to take such steps as are specified therein to remedy the contravention found by the Privacy Commissioner. For example, in a suitable case such a notice could require a journalist or media organisation not to engage in a specified means of collecting personal data that the Privacy Commissioner has concluded is unfair in all the circumstances of the case. While a breach of a DPP is not by itself an offence,[228] a contravention of an enforcement notice is an offence,[229] as is a breach of any of the requirements of the main body of the PD(P)O.[230] Up until 1 March 2003, the Privacy Commissioner had issued only two enforcement notices against the media: the first against a magazine publisher[231] and the second against a newspaper.[232] Since the Administrative Appeals Board has set aside the enforcement notice in the second case on the ground that the Commissioner had misconstrued DPP 4,[233] and the Privacy Commissioner's decision in the first case was based on the same construction of DPP 4 it too must be regarded as wrongly decided.

9.21 Where a data subject suffers damage, including injury to feelings, by reason of a contravention of the PD(P)O in relation to personal data of which he is the subject, he has a right to compensation for that damage.[234] To enforce this right the data subject must initiate legal proceedings. To date there has been no publicised case in which such proceedings have been brought against a journalist or media organisation. Indeed, as far as is known, only one action involving a claim for compensation under the PD(P)O has been brought to trial.[235]

Protection of freedom of the press

9.22 The PD(P)O contains a number of provisions to prevent its being used to interfere unduly with journalistic activities. Some of the provisions concerned are based in part on the relevant recommendations made in our Report on Reform of the Law Relating to the Protection of Personal Data[236] "to accommodate free speech rights of the media".[237] The remainder were either included by the Administration in the Personal Data (Privacy) Bill or introduced in amendments to the Bill at its Committee Stage in response to concerns expressed in the relevant Bills Committee of the Legislative Council.

9.23 By virtue of section 61(1) of the PD(P)O, the Privacy Commissioner may not carry out inspections of personal data systems used by media organisations. As already noted, by virtue of the same section he also cannot undertake an investigation on his own initiative into a possible breach of the Ordinance in relation to personal data held for the purpose of a journalistic activity, whether or not the data have been published or broadcast. Even where the Privacy Commissioner receives a complaint of such a contravention, he cannot investigate it unless and until the personal data concerned have been published or broadcast. In addition, where the Privacy Commissioner does exercise his investigatory powers within the aforementioned limits, journalists' sources are protected from disclosure by the provisions of section 44(2) of the PD(P)O. According to this section, a journalist cannot be compelled to disclose his source of information unless a judge of the Court of First Instance, on an application made by the Privacy Commissioner, directs the journalist to furnish the Commissioner with such information. Lastly, as also noted above, exemptions are provided for in the PD(P)O from: (a) the use limitation provisions of DPP 3 to enable the disclosure of personal data to journalists and media organisations where it is in the public interest for the data to be published or broadcast; and (b) the data subject's right of access to his personal data where the data are held for the purpose of journalistic activities unless and until the data are published or broadcast.[238]

Codes of practice under the PD(P)O

9.24 In accordance with section 12(1) of the PD(P)O, the Privacy Commissioner may approve and issue codes of practice for the purpose of providing practical guidance for the observance of the DPPs and other requirements of the PD(P)O. In the event that a person fails to observe any provision of an approved code of practice, evidence of that failure may be given in evidence in any proceedings against that person for a contravention of the relevant provision of the Ordinance.[239]

9.25 Accordingly, the Privacy Commissioner may approve and issue a code of practice on the application of the DPPs and other provisions of the PD(P)O to the news media. Such a code would be particularly helpful in giving guidance on what types of data collection methods may be deemed unfair under DPP 1(2), and how the requirements of DPP 2 governing the accuracy of personal data may be complied with by the print and broadcast media. It could also clarify under what circumstances the collection of personal data would be regarded as excessive in relation to journalistic purposes contrary to DPP 1(1) and how the notification requirements of DPP 1(3) may be complied with by journalists and media organisations when collecting personal data from individuals who are the subjects of the data. In addition, such a code could give guidance on the application of the exemption from DPP 3 provided for in section 61(2), which permits the disclosure of personal data to journalists and media organisations in certain circumstances that would otherwise contravene the provisions of DPP 3 (see above). It could also spell out clearly the limitations of the protection provided by the PD(P)O with respect to privacy intrusion by journalists and media organisations, a matter we address in detail below.

9.26 The Consultation Paper recommended that the Privacy Commissioner should issue a code of practice on the collection and use of personal data for journalistic purposes for the practical guidance of publishers, broadcasters, journalists, Internet users, and other members of the public. The Privacy Commissioner is a body independent of both the industry and the Government and the code could be enforced by the use of the Privacy Commissioner's statutory powers and the sanctions provided for under the PD(P)O. In the event that an individual believed that the code had been contravened in relation to his personal data, he could make a complaint to the Privacy Commissioner, subject to the limits already mentioned, who has a well-established machinery to handle complaints of contraventions of the PD(P)O. Issuing such a code would also increase the awareness and understanding of the public and the media of the application of the Ordinance to the media, including the limitations to the protection from privacy intrusion that it provides for in this area.

9.27 The Law Society, the Hong Kong section of JUSTICE, and HK Democratic Foundation supported the sub-committee's proposal. The HKJA appeared to have no objection to the Privacy Commissioner's drawing up a code provided that the media is involved in the process and clear public interest defences are included so that legitimate investigative journalism is not threatened. The Privacy Commissioner has not made any specific comment on this proposal.

9.28 We see no reason why we should depart from the view expressed in the Consultation Paper that the Privacy Commissioner should approve and issue a code of practice in this area, other than to make it clear that such a code should not be limited only to the collection and use of personal data. We have already indicated a number of other provisions of the PD(P)O that we believe the code should cover, including the provisions of DPP 2 on the accuracy of personal data. We leave it to the Privacy Commissioner to decide what further provisions should be covered by the code having carried out the necessary consultation with interested parties.[240]

Limitations of the PD(P)O

9.29 As the protection that a code of practice under the PD(P)O may provide is constrained by the limits of the provisions of the PD(P)O itself, it is necessary to consider what those limits are in order to determine whether the issuing of a code as recommended above could on its own provide adequate protection and redress to potential and actual victims of unwarranted privacy intrusion by journalists and media organisations.

9.30 Protection of privacy in relation to personal data – The object of the PD(P)O is to protect the privacy of individuals in relation to personal data by regulating the collection, holding, processing and use of personal data. It does not aim at protecting individuals from unwarranted privacy intrusion as such.[241] "Personal data" is defined as meaning any data:

"(a) relating directly or indirectly to a living individual;

(b) from whom it is practicable for the identity of the individual to be directly or indirectly ascertained; and

(c) in a form in which access to or processing of the data is [reasonably] practicable".[242]

"Data" is in turn defined as meaning "any representation of information (including an expression of opinion) in any document", and "document" is defined as including documents in writing and discs, films, tapes or other devices in which data are embodied and are capable of being reproduced.

9.31 Personal data relating to a living individual – Since the PD(P)O defines "personal data" as data relating to a living individual, the proposed code could not cover unwarranted publicity given to a deceased person's private life. Accordingly, bereaved relatives and friends have no right to complain under the Ordinance if personal data about their deceased relative or friend have been collected or used in a manner that would be a breach of the DPPs if the deceased were alive.

9.32 Information must be in a recorded form – By virtue of the definitions of personal data, data and document (see above), the PD(P)O does not apply to information relating to an individual that is not recorded. If the personal information disclosed by someone does not involve the disclosure of a record of the information or of information inferred from a record of the information, the disclosure does not constitute a disclosure of personal data within the meaning of the PD(P)O and hence could not be governed by a code of practice issued under it.[243] Likewise, if the personal information collected by someone is not subsequently put into a recorded form, the collection does not constitute a collection of personal data within the meaning of the Ordinance. Accordingly, information concerning an individual that is communicated orally is not subject to the provisions of the Ordinance so long as it has not been inferred from a written record. On the other hand, if such information is subsequently put into a recorded form (for example, written down or inputted into a computer file), it becomes personal data at that point and hence subject to the provisions of the PD(P)O provided it is practicable to identify the individual who is the subject of the information and the information is in a form in which access or processing is practicable.

9.33 By the same token, the PD(P)O does not, and hence a code of practice issued under it could not, operate to control visual or aural surveillance by a journalist using only his own senses unless and until the information obtained by these means has been recorded and even then only if the resulting data meet all the other parts of the definition of personal data. Likewise, an individual who carries out a body search or who searches the premises of another without authority could not have any liability under the Ordinance and hence these activities could not be governed by a code of practice issued under it.

9.34 Practicable to ascertain the identity of data subject – On its face, the requirement of the definition of personal data that it must be practicable to ascertain the identity of the individual to whom the data relate is a purely objective test to be applied by reference solely to the data concerned and without reference to any other information known by the party holding or receiving the data concerned. On this basis, a media report about an individual that does not directly identify him, and from which it is not practicable to identify him indirectly from the report alone, would not constitute personal data and hence would not be subject to the requirements of the Ordinance. This would be so even though the relatives or other acquaintances of the individual concerned are able to identify him indirectly through a combination of what is said in the article about him and their own knowledge of him. One example of this in this context is the publication of a photograph of an individual without otherwise identifying him in the related article. The individual's relatives and other acquaintances are able to identify him because they recognise him in the photograph but no one else is.

9.35 However, given that this part of the definition of personal data is given such fair, large and liberal construction and interpretation as will best ensure the attainment of the object of the PD(P)O,[244] the better view appears to be that account should be taken of other information that may be in the possession of the party holding or receiving the data concerned. On this basis, the photograph and accompanying article in the example given above (insofar as they relate to the individual concerned) would be considered personal data as far as the individual's relatives and other acquaintances are concerned. The Legal Director of the Privacy Commissioner's Office has expressed his personal view that where data about an individual are made available to third parties "generally" (as opposed to a specific party), it is "usually impossible" to give individual consideration to the question of whether a party who has thus acquired the data happens to possess other information which would render it practicable for him to ascertain the identity of the individual to whom the data relate.[245] While this is undoubtedly the case, it is reasonable to expect media organisations to have general regard to the fact that their broadcasts or publications may be seen by persons, such as relatives or other acquaintances of the subjects of their reports, who have knowledge that would enable them to identify the subjects concerned, even though the reports do not directly identify them. Indeed, the reason why the facial features of individuals in photographs or film clips are commonly obscured is presumably to prevent their identification by persons whom the media organisation concerned reasonably believes may otherwise identify them.

9.36 The Eastweek case – In Eastweek Publisher v Privacy Commissioner for Personal Data,[246] the plaintiff's photographer took a photograph of the complainant in a public street. The photograph was later used to illustrate an article about women's fashion in Hong Kong, in which the complainant's dress sense was criticised. After a hearing as part of his investigation into the complaint, the Privacy Commissioner found inter alia that the photograph had been taken using a long-range lens without the complainant's knowledge or consent, and that after it appeared in the magazine concerned, the complainant's colleagues and others made fun of her and made her too embarrassed to wear the same clothing (which was new) again. As a result of his investigation into the complaint, the Privacy Commissioner concluded that there had been a breach of the requirement of DPP 1 to collect personal data by means that are fair in the circumstances of the case (ie that the taking of the photograph had been a collection of personal data by means that were unfair in the circumstances of the case).[247] The Court of First Instance upheld the Privacy Commissioner's finding on an application for judicial review.[248] However, a majority of the Court of Appeal held otherwise.[249]

9.37 Requirement to identify or intend to identify the data subject – DPP 1(2) provides inter alia that personal data shall be collected by means that are lawful and fair in the circumstances of the case. The Court of Appeal in the Eastweek case held that a contravention of DPP 1(2) requires two elements to be present: (a) an act of personal data collection; and (b) doing this by means which are unlawful or unfair in the circumstances. With respect to (a), a majority of the Court was of the view, as noted above, that it is of the essence of the required act of personal data collection that the data user must thereby be compiling information about "an identified person" or about "a person whom the data user intends or seeks to identify".[250] That this requirement is not expressly provided for in the Ordinance was explicitly recognised by one of the judges in the majority, Godfrey VP, thus: "I know this is not expressly spelled out in the legislation but I am satisfied from the way in which that legislation is framed that that is its underlying purpose …".[251] The majority further pointed out that if the identity of the person to whom the information relates is not known to the data user, then the latter could not comply with a data access or correction request under the Ordinance.[252]

9.38 The Court found that the photographer, the reporter and Eastweek remained completely indifferent to, and ignorant of, the complainant's identity right up to and after publication of the offending issue of the magazine. The Court therefore held (Wong JA dissenting) that taking her photograph did not constitute an act of personal data collection relating to the complainant. The fact that the photograph, when published, was capable of conveying the identity of the subject to a reader who happens to be acquainted with that person did not make the act of taking the photograph an act of data collection if the photographer and his principals were acting without knowing or being at all interested in ascertaining the identity of the person being photographed.[253]

9.39 Personal privacy vs information privacy – In the view of Ribeiro JA, as he then was, the complainant in the Eastweek case would be entirely justified in regarding the article and the photograph as an unfair and impertinent intrusion into her sphere of personal privacy.[254] Indeed, the Court of First Instance observed that the complainant's real complaint related to the invasion of her privacy, which the publication of her photograph in the magazine represented, rather than the unfair collection of data about her.[255] But as Ribeiro JA pointed out, the PD(P)O does not purport to protect "personal privacy" as opposed to "information privacy". The Ordinance is not intended to establish general privacy rights against all possible forms of intrusion into an individual's private sphere.[256] The complainant was therefore left without a remedy under the PD(P)O and the consequence of the principles laid down in Eastweek is that any individual whose privacy is intruded upon by a journalist has no redress under the PD(P)O if the journalist or his employer or principal has not identified and does not intend to identify the individual concerned.

9.40 Security Safeguards Principle (DPP 4) – As noted above, in Apple Daily v Privacy Commissioner,[257] the Administrative Appeals Board ruled that DPP 4 is not applicable to personal data when the data are used for publication. On the basis of this ruling, DPP 4 provides no protection for an individual the publication of whose personal data by a media organisation creates a risk that he may suffer harm from someone who "accesses" the data as a result of the publication. Hence, a code of practice issued under the PD(P)O could not help prevent such a risk based on the provisions of DPP 4.

9.41 Enforcement notices – The Privacy Commissioner does not have a power to award compensation to a person who suffers damage because of a contravention of a DPP, nor does he have the power to undertake proceedings on behalf of such a person. However, as noted above, a person who believes that there may have been a contravention of the PD(P)O with respect to his personal data may make a complaint to the Privacy Commissioner. As already noted in this context, however, the Privacy Commissioner's powers of investigation in relation to such complaints are restricted to those concerning personal data that have been published or broadcast.[258] Where, following such an investigation, the Privacy Commissioner is satisfied that the person complained against is contravening the PD(P)O or has contravened it "in circumstances that make it likely that the contravention will continue or be repeated", he may serve on the person concerned an enforcement notice directing the person concerned "to take such steps as are specified in the notice to remedy the contravention" within the specified period.[259] However, other than his power to publish a report of the result of his investigation and make such recommendations or other comments as he thinks fit,[260] the Privacy Commissioner has no power to take further action against the party complained against where there is no likelihood of a further or continued contravention of the Ordinance.

9.42 Privacy Commissioner's views – The Privacy Commissioner agreed that existing legislation and the common law were not sufficient to provide adequate protection against privacy intrusion by media organisations and unwanted publicity.[261]

9.43 Conclusion – The PD(P)O does not, and was not intended to, provide a comprehensive system of protection and redress for potential and actual victims of unwarranted privacy intrusion by journalists and media organisations. The main reason for this is that the provisions of the PD(P)O are concerned only with privacy in relation to personal data, not privacy rights in general. Intrusive behaviour by journalists or media organisations that does not involve the recording of information relating to identifiable individuals simply does not engage the Ordinance. The PD(P)O also has no application to data relating to deceased individuals.

9.44 Further, if a journalist or media organisation collects data about an individual whose identity is unknown and there is no intention by the journalist or media organisation to identify him, the collection of the data does not engage the provisions of the PD(P)O governing the collection of personal data.[262] In addition, some provisions of the PD(P)O are not easily applied to personal data that are published generally or broadcast.[263] As noted above, the Administrative Appeals Board has pointed out the inapplicability of the security provisions of the Ordinance to personal data when they are so used.[264] Generally published or broadcast personal data also do not appear to be susceptible to the application of the PD(P)O's provisions on the dissemination of corrections of inaccurate personal data. [265]

Alternative of amending the PD(P)O

9.45 Some respondents asked the Sub-committee to consider the alternative of expanding the scope of the PD(P)O to cover general privacy rights so that the Privacy Commissioner may protect privacy in general as opposed to privacy in relation to personal data only. A number of legislators and district councillors are also inclined to give additional powers to the Privacy Commissioner to deal with complaints about press intrusion.[266] A related option is to empower the Privacy Commissioner to rule on alleged breaches of a journalists' code on media intrusion.

9.46 For the following reasons, however, we are not in favour of amending the PD(P)O so that the Privacy Commissioner may adjudicate on complaints about privacy intrusion generally by journalists or media organisations:

(a) The fact that the Privacy Commissioner is directly appointed by the Chief Executive may render his involvement unacceptable to some sections of the press. Indeed, the process of selecting the right candidate to fill the post left vacant by the first Privacy Commissioner has been criticised on the ground that the Government had not invited applications from interested parties to fill the post.

(b) Under the current structure of the Ordinance, the press has no say in the adjudication and appeal processes. The application and interpretation of the Ordinance is a matter solely for the Privacy Commissioner, the Administrative Appeals Board, and the Courts by way of judicial review or in civil proceedings brought by individuals who have suffered damage by reason of breaches of the PD(P)O in relation to personal data of which they are the subjects. Amendments could be made to address this objection but that would create a two track system of complaint handling, one for media complaints and the other for all other complaints.

(c) Entrusting the task of balancing personal privacy and press freedom to the Privacy Commissioner, whose brief is to protect personal privacy in relation to personal data in accordance with the provisions of the PD(P)O, may not command the confidence of some sections of the press.

(d) Empowering the Privacy Commissioner to deal with complaints against the press would result in a single person ruling on the conduct of a journalist or media organisation, albeit subject to appeal to the Administrative Appeals Board in certain circumstances and judicial review generally. In contrast, the decisions of a press council would be collective and a council with press and public representatives could bring in a diversity of opinion and experience to the issues concerned.

(e) Widening the scope of the Privacy Commissioner's remit would have resource implications for the Government as his office is wholly funded from the public purse. If the necessary additional funding were not forthcoming, the Privacy Commissioner would find himself having to undertake new responsibilities with insufficient resources. This would inevitably result in his being less able to carry out his existing responsibilities.

9.47 Since the PD(P)O does not, and hence a code of practice issued under it could not, protect individuals from all kinds of unwarranted media intrusion and we consider it undesirable to widen the scope of the Ordinance to provide for it to do so, in the following chapter we consider other options that do not require the establishment of a press council.