With the advent of computer technology and the abundance of information on the internet, readily accessible by the public at virtually no cost, it is increasingly straightforward and cost-effective for individuals and organizations to seek information about one another for various purposes, for example due diligence by business entities on their acquisition targets in the commercial world. On the other hand, it is also increasingly common to see internet doxing (起底) activities intended for “public trial by the netizens” (網絡公審) on online social media platforms. (For the purposes of this article, internet doxing means searching for and publishing private or identifying information about a particular individual on the internet.)
Recently, the Privacy Commissioner for Personal Data, Stephen Wong Kai-yi, revealed in a radio interview that his office had received a staggering number of over 200 complaints about police officers being the subject of internet doxing. The Commissioner criticized the fact that certain pictures and social media posts initially shared on the internet by some police officers for purely recreational reasons had been maliciously extracted and reposted on internet forums and other social media platforms with the ulterior motive of identifying those police officers whom the perpetrator regards, rightly or wrongly, as “rogue” or “dirty” cops so that they could be castigated and ridiculed by other netizens. In particular, the Commissioner seemed to be of the view that such internet doxing could potentially be illegal for the following reasons: (1) even though the data was retrieved from the public domain, the data was there for a restricted purpose; (2) reposting was not authorised by the author; and (3) the extraction and application of the data might have been for an ulterior motive such as criminal threat or defamation.
Insofar as these internet incidents are concerned, this article aims to examine the surrounding legal issues arising from the specific question: have we unintentionally breached the law by conducting internet doxing?
Is mere investigation of personal data lawful?
Mere investigation, i.e. searching for and collating information without publishing it on the internet, is lawful so long as the information is obtained legally from the internet for a domestic purpose, i.e. the information collected is kept by the user and not subsequently shared on the internet. This domestic purpose is specifically allowed by section 52 of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). It is commonplace for individuals and organizations, including law firms, to undertake investigative and due diligence processes. For example, in a commercial deal, a prudent party would usually conduct internet due diligence on its counterparties. Many individuals also collect information on the internet, for example about a celebrity, for recreational purposes. Such activities, carried out for one’s own reading or information, are lawful provided always that such information is obtained in a lawful manner.
Is collating, consolidating and reporting of personal data found from public domain lawful?
What if you go a step further, from mere retrieval and investigation to collating, consolidating and reporting? While the issue has never been tried in court, the Office of the Privacy Commissioner for Personal Data published an investigation report in 2013 concerning a mobile app provider, “Do No Evil” (起你底). Do No Evil (起你底) compiled a database of various personal information of individuals collected from the public records of various government institutions, through which the users of the app (mainly employers) could access such information as litigation and bankruptcy records of the targeted individuals before considering hiring them. The Commissioner was of the view that the app had breached the PDPO because: (i) it was not in line with Data Protection Principle (“DPP”) 3 of the PDPO, as personal data is used outside the original purpose of being available in public authorities [to be further discussed below]; and (ii) data subjects had a reasonable expectation of privacy. It is perhaps not surprising that such views were subject to legal criticism. First, “reasonable expectation of privacy” has no place in the PDPO. Even if a “reasonable expectation of privacy” exists, individuals waive such expectation or cease to have such expectation when their data have lawfully and officially been published in the public domain. Second, nowhere was the “original purpose” stated in those public authorities. It appears artificial to imply certain restrictions on the scope of purpose. In any event, in this particular case, the mobile app provider was only required by the Commissioner to cease disclosing data. The case was not brought to the court system for adjudication and the legal issue therefore remains unsettled.
Is reposting of personal data found from public domain lawful?
The PDPO imposes onerous obligations on data users in handling personal data received from the internet. DPP3 specifies that personal data should not be used for a new purpose without the prescribed consent of the data subject. “New purpose” under this principle refers to any purpose other than the one for which the data was originally intended when it was provided or collected, or a directly related purpose. “Prescribed consent” means the express and voluntary consent given by the data subject in writing which has not been withdrawn. The Guidance on Use of Personal Data Obtained from the Public Domain published by the Office of the Privacy Commissioner for Personal Data makes it clear that “the fact that a data subject’s personal data can be obtained from the public domain shall not be taken to mean that the data subject has given blanket consent for use of his/her personal data for whatever purposes.” This view has also now been judicially affirmed in the court case of Re Hui Kee Chun CACV 4/2012. This evinces the PDPO’s strict objective of ensuring that personal data is kept adequately protected from misuse and abuse. For example, if a data user extracts different pieces of personal information of the data subject (from the same source or different sources) on the internet and publishes such information in a combined form on a social media platform, such as Facebook, this may breach DPP3, as each piece of information may have been initially provided for one or more specific purposes and their combination could potentially constitute a “new purpose” forbidden by DPP3.
Furthermore, in such a case, even if the data user does not himself make adverse comments about the individual, if there are realistic risks of harm, including identity theft, financial loss, harassment or injury to the feelings of the individual (such as allowing other forum users to hurl harassing comments at the individual), the data user may also breach section 64 of the PDPO, which prohibits usage of personal data with the intent to (a) obtain gain for himself/herself or another person or (b) cause loss to the data subject, or (c) if the disclosure causes psychological harm to the data subject. An offence under this section is punishable by a fine of $1,000,000 and imprisonment for 5 years. It should be noted that this section was rarely invoked in the past. The actual application of this section could be problematic. First, it requires investigation into the state of mind of the data user because an “intent” is required. Second, psychological harm to the victim is largely subjective. The government emphasized, prior to the promulgation of the PDPO, that the court will rely on expert evidence to prove whether disclosure of information has caused psychological harm to the victim.
It may also be worth noting that there are statutory exemptions to the above position under Part VIII of the PDPO. In brief, it would be lawful if the “new purposes” are:
- prevention or detection of crime (section 58);
- prevention of serious physical or mental harm of any person (section 59);
- where it is required by law to do so or it is for exercising or defending a person’s legal rights in Hong Kong (section 60B);
- where it is published by a news activity business (section 61);
- research and statistics where the identity of the data subject is kept anonymous (section 62); and
- an emergency situation which calls for the identification of an individual who is reasonably suspected to be or is involved in a life-threatening situation (section 63C).
Disclaimer: This article is for reference only. Nothing herein shall be construed as legal advice to any person. Oldham, Li & Nie shall not be held liable for any loss and / or damage incurred by any person acting as a result of the materials contained in this article.