The Personal Data Protection Ordinance (PDPO) and IP Addresses
In the context of Hong Kong, the PDPO provides a framework to protect personal data when it is transferred to another jurisdiction. The key principle is that a data user must inform a data subject of the purposes for which the personal data is collected, and the classes of persons to whom the personal data may be transferred. This information must be provided either before or at the time of collection.
The PDPO defines a data user as a person who, alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data. This definition is broadly similar to that in many other data privacy regimes, including the Personal Data Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area. This means that the PDPO is intended to apply to a wide range of persons, and that it should cover most data transfer arrangements.
Section 33 of the PDPO contains a provision prohibiting the transfer of personal data outside Hong Kong unless certain conditions are met. This is a significant restriction that requires an assessment of whether the foreign jurisdiction’s laws and practices provide a level of protection similar to that of Hong Kong. If not, the data exporter must identify and adopt supplementary measures to bring the level of protection up to Hong Kong standards. These might include technical measures such as encryption, anonymisation or pseudonymisation, or contractual provisions that impose obligations on audit, inspection and reporting, breach notification, and compliance support and co-operation.
However, there has been relatively little attention to how the PDPO applies to telecommunications service providers. In particular, the treatment of IP addresses is a major issue. This paper outlines the importance of IP addresses to personal privacy, compares the way in which they are treated under European and Hong Kong law, and introduces the AMI:HK project, which provides an easy-to-use website for Hong Kong residents to make data access requests to their telecommunications service providers.
AMI:HK is a collaborative project between members of the Open Data Society, including the Chinese University of Hong Kong’s School of Journalism and Communication, InMediaHK, Keyboard Frontline, Open Effect and Citizen Lab (developers of the original AMI project in Canada). Its purpose is to investigate how telecommunications service providers implement their obligations under the PDPO to provide data access to subscribers. This will help to reveal inconsistencies in the application of the PDPO and expose any gaps in data protection laws in Hong Kong. The project also has the potential to demonstrate that a collaborative approach to data transparency can be more effective than individual initiatives. More information on the project can be found here. The full report is available to download here.