In honour of the departure of the Privacy Commissioner, Harbour Times revisits this interview with Mr Allan Chiang.
The cease and desist order against GDI’s popular Do No Evil app unleashed a wave of criticism against Hong Kong’s Privacy Commissioner for Personal Data, Allan Chiang. Over time, criticism has muted as the issues surrounding this complex case have furrowed brows and generated debate. Harbour Times takes a closer look through interviews with the key players, GDI and the Privacy Commissioner. Civilisation level issues are at stake.
The civilised world has developed through evolution and revolution as man resolved the tension created by the advancement in the physical and mental realm. Technologies and ideas cause upheaval and demand adjustment. Our complex interacting institutions, common practices and machines make an unprecedented level of comfort, lifespan and freedom available unknown in the history of man. However, the closure of a simple app in the name of privacy has revealed yet another tension to be confronted as we shape and reshape society.
Give a little privacy, get a whole civilisation
In an ideal world, people would have perfect privacy and interact with perfect honesty. The modern capitalist society relies on key pieces of data not only being exchanged but also being made public. Marriage registries, vehicle registries, company registries and land registries are all examples of how the enforcement of property rights and laws have evolved with disclosure of personal data as a vital part of our functioning economy. Without them, land could not be bought and sold, marriage could not be legally executed, and companies would have no confidence. Our society would be primitive, existing on day to day barter.
Disclosure and spread of personal data was limited by technologies of transcription and communication. Now, technology has outstripped our laws and institutions to make it possible to collect, process, correlate and apply data in ways that the old institutions were not designed to handle.
Parliaments globally have struggled to protect the privacy of citizens for a wide range of valid reasons ranging from preventing identity theft and fraud, protecting citizens from persecution, preventing discrimination and because, to most, it just feels like privacy is something worth preserving. The advent of the Facebook generation may weaken this instinct, but generally, as people have more to protect, they have more reason to protect their privacy and themselves.
Laws and principles have evolved to try and resolve some of the these conflicts. Conflict is coming to the fore more and more often as our creativity and innovation confound old ways.
If it’s out there, why not?
“It’s not the collection we’re concerned about, it’s the use we’re concerned about.” Allan Chiang, Privacy Commissioner
The Do No Evil app (DNE) collated information from public, government, sources. It was a simple and powerful application of technology to do something that already was going on in a more expensive and slower format – due diligence. The government makes information public for this purpose. Those whose data is revealed may not like it, but accept it as a cost of doing business.
The ability to collect and transfer masses of data between entities made possible a range of negative effects, from nuisance (unwanted marketing) to criminal identity theft. Government sought to control this movement and manipulation of data. However, the ability of those with man or tech power to collate information stymied purely procedural and technological fixes. Governments needed to develop principles to legislate and forbid certain behaviours.
Hong Kong developed a Personal Data (Privacy) Ordinance, introduced in 1996, to control the unwanted sharing of information between parties. When giving data to a company, companies are required not to share that information without permission or to use the data for anything but its stated uses.
The use of public data, often made available by a well-meaning government, proved more complicated. If the information was already public, how could government control it?
The answer is embodied in a Principle of Limitation of Use enshrined in the Personal Data (Privacy) Ordinance. It is the idea that personal data should only be used for the purpose for which the subject (person) surrendered it.
DPP3 – Trying to close the barn door behind the horse
“Public domain data do not provide the purposes that the GDI intend to make use of.” Allan Chiang
As it is stated in the Data Protection Principle(DPP) 3: ‘unless the data subject has given prior consent, personal data shall be used for the purpose for which they were originally collected or a directly related purpose.’ The same Principle that limits companies from on-selling or using a person’s data also prevents anyone from using public data in the same way. This was intended to protect the members of the public whose data was exposed by government agencies.
Exemptions for media, legal use and more are described in Part VIII of the Personal Data (Privacy) Ordinance. This is an attempt to resolve the desire to limit data use without smothering legitimate use of public information for a free press or all other public interests. It is possible that if Do No Evil had of been a newspaper claiming public interest instead of a profitable venture, it could have claimed to be exempt under DPO Part VII Section 61 (news).
It did claim to make the information available for a range of uses, however, that were not aligned with the stated uses of the various providing government bodies: screening potential employees and tenants (for landlords) and business partners were all selling points not specifically endorsed by the government databases that were being ‘scraped’ and sold in real time.
‘I, as the Privacy Commissioner, am responsible for protecting the privacy rights of the data subject, people who were affected.’
Accordingly, the Privacy Commissioner concluded after a detailed investigation that they were in violation of DPP 3 and, in effect, shut down DNE to protect the privacy of those involved. The reasonable expectation of the subjects (12 complainants in this case, plus many others who do not know they had been checked out behind their backs) had been deemed to have been violated by DNE’s expanded use of the data beyond its limitation.
A major objection to this was that the same practice was going on in law firms and those specialising in conducting due diligence. DNE was doing the same thing faster, cheaper. It’s a powerful argument, advocated by transparency specialists like David Webb: “”But any information that has gone through the courts is in the public domain so I don’t see why they’re forcing people to go down the corporate route.”
It’s just…different, y’know
The Privacy Commissioner’s answer was that lawyers and those conducting one to one service to clients would be expected to provide professional advice to ensure clients would understand this limitations of the information they were given and what they could and could not do under the law. With DNE, it was not possible. “Lawyers should understand what they can do under the law…, for example, whether the clients’ situation falls under the exemptions of the Personal Data (Privacy) Ordinance.”
While this may be true in many cases, it suggests like, that with many things, Hong Kong law enforcement is prompted by complaints. No complaints, no problem. People can use publicly sourced data to their heart’s content as long as no one complains. Visibility may have been DNE’s greatest sin.
Mr. Chiang conceded at separate points in our conversation that Hong Kong might have at best part-time specialists in privacy law as the law was new and there weren’t enough cases yet to provide a full time living as a specialist. He hadn’t received any complaints about lawyer misbehaviour and and so could not say definitely if things were in order. It makes sense – someone who had been denied tenancy or employment by a quiet background check would probably never know they were refused based on due diligence from government provided data.
Setting the ‘limited use’
If the information is public, how is a user to know what a permissible use is? Mr. Chiang is trying to use his limited influence to push government bodies to make clear what intended use is and, by extension, what is a reasonable expectation of persons whose data is released by government as a normal part of business. Ideally, departments will at some point move to make it clear through statute. Less ideal, but a good step forward, is to make users acknowledge proper use through a restriction notice – part of a form requesting access to information or via a sign up for online databases. Mr. Chiang reiterated his opinion that the SFC in maintaining a register of licensed persons was the best in class in this respect and was very enthusiastic on this point. Other government departments were less glowingly reviewed.
Government also deploys policy and physical blocks to protect personal data. For example, registered elector data is normally prohibited from being distributed in electronic form. If thousands of people had access to a digital copy of the millions of persons information, data leakage would be impossible to track. But LegCo candidates do get a copy in electronic form – with strict guidelines on its use and knowledge of the strict penalties for its misuse.
Isn’t it the government’s fault?
Harbour Times pressed the issue of release of data by the government. If government didn’t release it, it wouldn’t be in the public domain. Mr. Chiang strongly pressed the case for control of personal data even after it was public. He stressed it wasn’t control of all data, just personal data. If there was no control on publicly available personal data, there was another means of letting more horses out of the privacy barn.
Anyone who wanted to make use of private data obtained by nefarious or other means could simply publish it and then claim ‘it’s out there already!’ and make use of it to their heart’s content. Of all Commissioners arguments, this one held the most water. If there were no restraints on data used due to deliberate or accidental data leakage, hackers and data thieves would have free rein and all other laws would be rendered useless.
‘Unless exemptions apply, public domain personal data still needs to be protected under the use limitation principle.’
Again, exemptions were in place to protect the public’s interest in free speech, research, emergency response and more.
It ain’t easy, being private
Mr. Chiang readily agreed that it was a young field of law. As for tracking illegal transfer of data: “It’s not easy.”
He acknowledged the challenge of being in the role of having to make the call on new situations where technology was continually testing what was possible. He seemed to understand that his decisions would cause controversy and finer points were definitely open for discussion.
“Importantly the app’s database is invalid and inaccurate. First, it would be misleading to ascribe the data to an individual whose name is not unique. Further, a litigant could be innocent but the database did not invariably include the court’s judgement. Finally, the indefinite retention and use of the bankruptcy and litigation data would unduly stigmatise an individual and bar him from leading a life free from encumbrances.”
Harbour Times wasn’t so convinced by arguments relating to inaccuracies in data leading to discrimination as being an issue of privacy. Bad information could be covered by slander and libel laws. Sloppy or outdated data was a case of caveat emptor. People who chose to use an inaccurate version of DNE would suffer from bad information and there would be collateral damage from mistaken identities (mixed names) or plain errors, but those weren’t privacy issues per se. The Privacy Commissioner thought otherwise.
He did give the impression of being earnest and thoughtful, quite different from some dissenting media portrayals. His approach to making his thinking clear and providing guidance seemed thoughtful.
“My bottom line is really I’m trying my very best by producing a public report giving detailed analysis of the case. I’ve compiled a guidance for people to learn more about different examples, different scenarios. We have to apply it wisely. The law is there. The law is a couple of sentences: Use limitation principle. That’s it.”
Principles, laws, technology, civilisation
The release of personal data to the public domain by government to make the modern economy possible seems unavoidable. Indeed, as reported in Harbour Times June 21st edition, open data holds great promise to reshape government for the better. Killing it off through ill-thought legislation would be a shame and failure of our political community.
However, without legal restrictions, technology will render the entire concept of privacy null and void. Ideally, this won’t stop innovators like the young award winning entrepreneurs that created Do No Evil. They have been the casualties in this round of resolution and need our support. We will need, as a political class, to continue to evolve the laws and institutes we have to resolve the tensions arising from our march to the future. Resolving these tensions has brought us this far and will take us forward.