Note to users: Articles in the Epubs ahead of print (EAP) section are peer
reviewed accepted articles to be published in this journal. Please be aware that
although EAPs do not have all bibliographic details available yet, they can be
cited using the year of online publication and the Digital Object Identifier (DOI)
as follows: Author(s), Article Title, Journal (Year), Volume(Issue), EAP (page
#).
The EAP page number will be retained in the bottom margin of the printed
version of this article when it is collated in a print issue.
Collated print versions of the article will contain an additional volumetric page
number. Both page citations will be relevant, but any EAP reference must
continue to be preceded by the letters EAP.
ISSN-0729-1485
Copyright 2017 University of Tasmania
All rights reserved. Subject to the law of copyright no part of this publication
may be reproduced, stored in a retrieval system or transmitted in any form or
by any means electronic, mechanical, photocopying, recording or otherwise,
without the permission of the owner of the copyright. All enquiries seeking
permission to reproduce any part of this publication should be addressed in
the first instance to:
The Editor, Journal of Law, Information and Science, Private Bag 89, Hobart,
Tasmania 7001, Australia.
editor@jlisjournal.org
IP Addresses as Personal Data Under Hong Kong's
Privacy Law: An Introduction to the Access My Info
HK Project
Abstract
This paper critically reviews the approaches taken to the question of whether IP
addresses ought to be classified in this way in Hong Kong and in the European Union
(EU). Jurisprudence related to the EU Data Protection Directive and the
forthcoming General Data Protection Regulation both treat IP addresses as
personal information. This results in robust protection for IP addresses under
European law. In Hong Kong, however, the jurisprudence is limited to two lower court
decisions that are inconsistent with one another, and neither shows a deep appreciation
for the importance IP addresses may have in revealing the behaviour and activities of
Hong Kong residents online. The Privacy Commissioner for Personal Data has likewise
not shown an interest in challenging the approach taken by the courts thus far
regarding this issue.
Noting this relative lack of attention, this paper introduces the Access My Info: Hong
Kong (AMI:HK) project. AMI:HK is a platform for users to make data access requests
to telecommunications service providers in Hong Kong. The project should reveal if
there is consistency in the Hong Kong providers' approach to their access obligations
under the Personal Data (Privacy) Ordinance, in particular the question of whether
they treat IP addresses as personal data within the meaning of the law.
Introduction
Journal of Law, Information and Science Vol 25 2017
If third parties can obtain this connection, then the implications for personal
privacy are profound, since theoretically IP addresses can be used to log all
kinds of online behaviour, whether it is participating in political or religious
activism online, sharing family recipes, accessing pornography, infringing
copyright by sharing music, or teenagers seeking information about human
sexuality. A study conducted by the Office of the Privacy Commissioner of
Canada, for instance, found that an IP address allowed them to determine that
the individual assigned that address had visited websites related to:
1 Office of the Privacy Commissioner of Canada, What an IP address can reveal about
you (May 2013) <https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2013/ip_201305/>.
2 Wikipedia logs the IP addresses of all contributors.
3 Office of the Privacy Commissioner of Canada, above n 1.
Though Hong Kong's privacy regime, the Personal Data (Privacy) Ordinance
(PDPO),4 is modelled on the European Union's Data Protection Directive,5
treatment of IP addresses under it is not well developed. There is limited
judicial commentary on the issue and no clarity as to whether Hong Kong ISPs
consider the IP addresses of their subscribers to be personal data and thus
protected by Hong Kong's privacy law.
next, depending on how often their ISP rotates the addresses. It might also
change every time they restart their modem or router.
However, the fact that the IP addresses of home broadband users change over
time offers no meaningful privacy protection. An ISP knows exactly who was
assigned any given IP address at any given moment. In other words, PCCW
(an ISP that provides home broadband services) knows that IP address
10.7.44.214 was assigned to broadband subscriber Cynthia Chung from 6:34 am
9 January 2016 to 9:12 pm 11 January 2016. This also means that PCCW knows
that any website that was accessed by IP address 10.7.44.214 in that timeframe
was almost certainly accessed by Cynthia or someone in her household.
This implicates significant privacy issues: message boards log the IP addresses
of the authors of every single comment, search engines know the IP address
behind each query, online newspapers know which IP addresses clicked on
which links, and every pornography website knows the IP addresses of its most
common visitors. If approached by a third party seeking the identity of the
individual who posted a politically sensitive comment from IP address
10.7.44.214 on the Golden Forum message board at 8:03 pm on 10 January
2016, PCCW has the technical means to provide that information and thereby
unmask Cynthia's political beliefs. In short, if website logs of the IP addresses
of visitors can be connected to the IP address subscriber information logs held
by ISPs, then anonymity on the web is virtually impossible to maintain
(assuming a user takes no steps to intentionally mask their IP address by use
of a Virtual Private Network (VPN)). Only if PCCW considers their IP address
logs to be personal information might Hong Kong's privacy law regulate
when they can provide assistance to a third party seeking to make such a
connection.
unless an ISP is in a position to distinguish with absolute certainty that the data
corresponds to users that cannot be identified, it will have to treat all IP
information as personal data, to be on the safe side. 8
In a subsequent paper, the Article 29 Working Party confirmed that this basic
approach ought to also be followed by search engines. 9
The relevant jurisprudence coming out of the Court of Justice of the European
Union (ECJ) has been consistent with this approach. In Scarlet Extended SA v
Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM),10 SABAM, a
collective of copyright owners and publishers, sought an order requiring
Scarlet, an ISP, to prevent individuals from using its system to send or receive
musical works within SABAM's portfolio through the use of a systematic filter
that would analyse the content of all data shared by subscribers. The ECJ found
that such a mandatory filter failed to strike a fair balance between the right to
intellectual property, on the one hand, and the freedom to conduct business,
the right to protection of personal data and the freedom to receive or impart
information, on the other.11 In reaching this conclusion, the Court argued that
all parties had accepted that IP addresses are protected personal data because
they allow users to be precisely identified.12
individual.14 Since the law did allow that in the event of cyber-attacks [a
competent authority could] take the steps necessary to obtain that information
from the ISP and to bring criminal proceedings,15 this threshold was met.
The approach taken in Patrick Breyer also seems consistent with recital 26 of the
EU Data Protection Directive, which states that when answering the question of
identifiability, account should be taken of all the means likely reasonably to be
used either by the controller or by any other person to identify the said
person.16 This implies that it is not necessary under the Data Protection Directive
that the data controller be able to immediately identify the individual through
her IP address in order that the information be treated as personal data; rather,
there simply must be a reasonable chance of them doing so given the means at
their disposal.
In Hong Kong, the legal protection of privacy is obtained in several ways. The
Basic Law,19 the quasi-constitution that grew out of the agreement between the
United Kingdom and China regarding the restoration of Chinese sovereignty
over the territory,20 provides for the physical, territorial and communications
privacy of residents of Hong Kong vis-à-vis the state. Article 28 of the Basic Law
prohibits arbitrary or unlawful search of the body, article 29 prohibits
arbitrary or unlawful search of, or intrusion into [the home], and article 30
protects the freedom and privacy of communication.
14 Ibid [49].
15 Ibid [47].
16 Data Protection Directive [1995] OJ L 281/31, recital 26.
17 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) [2016] OJ L 119/1.
18 Ibid recital 30.
19 Basic Law of the Hong Kong Special Administrative Region of the People's Republic of China
(Basic Law).
Of course, both the Basic Law and the BORO relate to the relationship between
the individual and the state, and so it falls to the PDPO to generally govern the
privacy rights of individuals in Hong Kong in other circumstances. The PDPO
is a comprehensive data protection regime, and (coming into effect in 1995) was
the first of its kind in Asia. Like other comprehensive regimes,25 it traces its
conceptual roots to the fair information principles of the Organisation for
Economic Co-operation and Development Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data,26 which form the substantive core of the law:
the six Data Protection Principles (DPPs).27
20 Joint Declaration of the Government of the United Kingdom of Great Britain and Northern
Ireland and the Government of the People's Republic of China on the Question of Hong Kong,
opened for signature 19 December 1984, [1985] UKTS 26 (entered into force 29 May
1985) (Joint Sino-British Declaration).
21 See, eg, Democratic Party v Secretary for Justice [2007] 2 HKLRD 807, 819 where
Hartmann J argued that Art 30 of the Basic Law does not seek to protect privacy
simpliciter.
22 International Covenant on Civil and Political Rights, opened for signature 19 December
1966, 999 UNTS 171 (entered into force 23 March 1976) (ICCPR).
23 Hong Kong Bill of Rights Ordinance (Hong Kong), cap 383 (BORO).
24 This language mirrors art 17 of the ICCPR.
25 See Stuart Hargreaves, Data Protection Regimes in Christopher Anglim (ed)
Privacy Rights in the Digital Age (Grey House Publishing, 2016).
26 Organisation for Economic Co-operation and Development, OECD Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data (23 September 1980)
<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm> (OECD Guidelines).
27 PDPO (Hong Kong), cap 486, s 4; PDPO (Hong Kong), cap 486, sch 1. The six DPPs
are the data collection principle, the accuracy and retention principle, the data use
principle, the data security principle, the openness principle, and the data access and
correction principle.
DPP3, the data use principle, requires that personal data collected about a data
subject cannot be used for a new purpose without the explicit consent of the
data subject, subject to certain exemptions.28 Generally, this has been taken to
mean that data cannot be transferred by a data controller to a third party
without such consent (or where there is a relevant exemption). However, for IP
addresses to benefit from this protection, they must first reach the threshold of
being personal data, defined under the PDPO as data relating directly or
indirectly to a living individual, from which it is practicable for the identity of
the individual to be directly or indirectly ascertained.29 The PDPO also defines
practicable as meaning reasonably practicable,30 a question to be answered
by taking into account all relevant data controlled by the party.31
28 PDPO (Hong Kong), cap 486, Part 8.
29 PDPO (Hong Kong), cap 486, s 2(1).
30 Ibid.
31 Also referred to as the totality test: Office of the Privacy Commissioner for Personal
Data, Data Protection Principles in the Personal Data (Privacy) Ordinance from the
Privacy Commissioner's perspective (2nd Edition), (2010) 2.19
<https://www.pcpd.org.hk/tc_chi/publications/files/Perspective_2nd.pdf>.
32 Telecommunications Ordinance (Hong Kong), cap 106, s 7; See Hong Kong
Communications Authority, Guidelines for the Application of Services-Based Operator
(SBO) License (5 March 2013) <http://www.coms-auth.hk/filemanager/statement/tc/upload/127/gn32013e.pdf>.
33 See Hong Kong Communications Authority, Telecommunications Ordinance (Chapter
106) Services-Based Operator Licence (19 May 2016) <http://www.coms-auth.hk/filemanager/common/licensing/SBO_form_conditions_e.pdf>.
34 The government relied on an earlier version of this licence to deflect a query from a
LegCo member as to whether IP addresses constitute personal data under the PDPO:
see Constitutional & Mainland Affairs Bureau, LCQ17: IP addresses as personal
data Constitutional & Mainland Affairs Bureau (Press Release, 3 May 2006)
<http://www.info.gov.hk/gia/general/200605/03/P200605030211.htm>.
Poon Dep J granted the relief, finding that the necessary elements were met.
The applicant was able to establish that serious tortious or wrongful activities
had been occurring (heavy copyright infringement), the applicant had a bona
fide belief that the alleged wrongdoers were infringing its rights, and that
HKBN was facilitating this infringement.37 In deciding to exercise the Court's
discretion to make the order, Poon Dep J noted that section 58 of the PDPO
provides an exemption to DPP3 (the use limitation principle that would
otherwise prevent an ISP from handing over personal information without
consent) where the new use of the data is for the prevention or detection of
crime or unlawful or seriously improper conduct, if it can be shown that
applying DPP3 in such circumstances would prejudice the ability to remedy
that conduct. Poon Dep J concluded that such prejudice would in fact occur if
the Norwich Pharmacal order were not granted, and therefore ordered HKBN to
provide Cinepoly with the subscriber information.38
However, at no point did Poon Dep J argue or conclude that the IP addresses
themselves were personal data within the meaning of the PDPO. Rather, the IP
addresses were simply the mechanism by which the personal data (name, ID
card number, billing address, etc) of the subscribers could be obtained. In dicta,
however, Poon Dep J nonetheless acknowledged that the use of IP addresses
was connected to individual privacy:
Some online copyright infringers may well think that they will never be caught
because of the cloak of anonymity created by the P2P programs. They are wrong.
And from now on, they should think twice. The court can and will, upon a
successful application, pull back the cloak and expose their true identity. 39
However, Poon Dep J also went on to argue that for the Court to order a
connection of their IP addresses to their subscribers' identity would not be an
intrusion into their privacy, [because the] protection of privacy is never and
cannot be used as a shield to enable them to commit civil wrongs with
impunity.40 This evinces some muddled thinking. On the one hand, Poon Dep
J appears to accept that IP addresses can be used to eliminate the anonymity of
internet users in Hong Kong if an ISP connects them to a particular user, a
decision that necessarily reduces the privacy of the individual whose identity
is disclosed. This makes sense. However, Poon Dep J then goes on to argue that
this is not an intrusion of privacy because privacy cannot be a shield to commit
wrongdoing.
Now, it is fair to argue that the Court did not feel the need to treat IP addresses
as personal data in Cinepoly because it was not necessary on the facts of the
case. Recall that the applicants already possessed the IP address information and
sought to use it to obtain other personal data. But this seems inconsistent with
the recognition by the Court that the IP addresses were ultimately the key to
unlocking the online activities of the alleged copyright infringers. Inclusion of
IP addresses within the category of personal data would not have altered a
result based on section 58.
The second significant case in the Hong Kong courts touching on this issue
related to the conviction of a mainland-based journalist in 2006 by the Changsha
Intermediate People's Court for transferring state secrets to foreign entities. He
had used a Yahoo! email account to send notes on secret files from his office
computer and his conviction was obtained in part thanks to the disclosure of
related personal data by Yahoo! Holdings (Hong Kong) Ltd (YHHK) to the
relevant authorities in China. 41 This data included user registration details
associated with the email account in question, associated IP addresses, login
metadata and certain email content. The appellant lodged a complaint with the
Office of the Privacy Commissioner for Personal Data (PCPD) arguing that
this was a breach of DPP3. The PCPD concluded in its Report that IP addresses
were not personal data within the meaning of the law, because they are
information about an inanimate computer, not an individual. [A]n IP
address cannot alone reveal the exact location of the computer concerned or the
identity of the computer user.42
The PCPD also determined that YHHK was not a data user within the
meaning of the law, since although it was the legal owner of the Beijing
subsidiary and thus may have had control of the information generally,43 it had
no control over the disclosure of the information in question because it was
compelled to disclose it under the Criminal Procedure Law of the People's Republic
of China.44 Furthermore, there was no contravention of DPP3 in the PCPD's
view thanks to terms of service and privacy policies that stated that YHHK
might share certain information in response to court orders and legal
processes.45 As a result, the Commissioner concluded, the disclosure was a use
for a purpose consistent with the original purpose of collection and therefore
there was no violation of DPP3.46
41 Though the applicant was based in the mainland and used a Yahoo! account
registered through a Beijing-based Yahoo! subsidiary, YHHK was the legal entity
that owned that subsidiary and was therefore responsible for it.
42 Roderick B Woo, The Disclosure of Email Subscriber's Personal Data by Email
Service Provider to PRC Law Enforcement Agency (Report No R07-3619, Office of
the Privacy Commissioner for Personal Data, Hong Kong, 14 March 2007) [8.10]
<https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/Yahoo_e.pdf>.
43 Ibid [8.22].
44 National People's Congress, 1 July 1979; Ibid [8.25]–[8.26].
45 Woo, above n 42, [8.38]–[8.40].
Unsatisfied with this outcome, the appellant brought the case, Shi Tao v PCPD,47
before the Administrative Appeals Board (AAB) as was his right under the
PDPO. He argued, inter alia, that the correct approach to the question of
whether IP addresses constituted personal data was not about whether they
themselves were data per se, but whether they were when combined with other
relevant data.48 The PCPD argued in response that personal data itself had to
have biological significance in relation to the individual.
The AAB split the difference between these two positions, concluding that IP
information even when coupled with other information disclosed, does not
constitute personal data within the meaning of the PDPO.49 On this particular
set of facts, the AAB concluded, there was no evidence that the user
information related to the IP address revealed the applicant's identity (that
information was an anonymous Yahoo! email address, the business address
where the computer sending the email was located, and the time and date the
message was sent).50 They therefore concluded that none of the information (not
just the IP addresses) transmitted by YHHK to the state authorities in China
was personal data within the meaning of the PDPO.
Though not necessary given their conclusion that there was no personal data
at issue, the AAB went on to consider whether DPP3 had been breached, in case
they were wrong on their conclusion about the nature of the data. They
disagreed with the PCPD's Report in part, finding that YHHK was a data user
within the meaning of the PDPO, because it had control over the information
in question as a matter of course. The fact that it was compelled by a
government entity to transfer the information did not strip the company of that
status generally.51
The AAB agreed with the PCPD, however, that the appellant had given his
consent to the transfer of his information in the contemplated circumstances
thanks to the terms of service and privacy policy associated with his email
account. It disagreed with the PCPD that conceptually the transfer was
therefore a use consistent with the purpose of the original collection. Instead,
46 Ibid [8.41].
47 Shi Tao v Privacy Commissioner for Personal Data [2008] 1 HKC 287 (Shi Tao).
48 Ibid [54].
49 Ibid [62].
50 Ibid [63]–[67].
51 Ibid [71].
Returning to the critical question of the nature of IP addresses, the AAB in Shi
Tao appeared to reject the treatment of IP addresses in Cinepoly. The AAB
suggested that because the user information sought by the applicants in
Cinepoly was reliably personal (names, ID card numbers, and addresses), then
in that context IP addresses would constitute personal data when coupled with
that information. However, the AAB's application of this principle to the facts
before it in Shi Tao seems unsatisfying. As noted, the AAB found that the IP
address information transferred by YHHK could not identify an individual
without being coupled with more information, and thus did not satisfy the
definition of personal data under the PDPO. Yet the identity of the appellant
was relatively easily determined once the Security Bureau had the locational
information associated with that IP address, since it was trivial for them to
determine who had access to the computer in question at the relevant time.
There seems little justification for holding that the existence of an additional
step (even one out of the hands of the data user) that must occur before the
biographical level of personal data is revealed somehow strips away the
ability of IP address data to be personal data. Regrettably, the PCPD has not
indicated any disagreement with the conclusion of the AAB in Shi Tao, citing it
in 2010 in its own document explaining the proper interpretation of the PDPO.53
In any event, what we are left with is that the legal status of IP addresses as
personal data within the meaning of the PDPO is unclear. The jurisprudence
provides us with only two somewhat conflicting court decisions, neither of
which is from an appellate level court.
It was with this legal background that the Access My Info: Hong Kong
(AMI:HK) project was launched in 2016 in the hopes of better understanding
generally how data users in the telecommunications sector interpret their
obligations regarding a data subject's access to personal data under the PDPO,
and specifically whether they consider IP addresses to fall within that concept.
52 Ibid [95].
53 Office of the Privacy Commissioner for Personal Data, above n 31.
The project provides an easy-to-use web portal allowing Hong Kong residents
to submit data access requests in either English or Chinese to eight different
mobile phone and internet service providers. It is written in simple language,
with an easy to use interface, requiring a minimal number of steps. AMI:HK
does not act as agent of the data subject, but rather assists them in generating a
request that they can then submit via email, or print and submit through the
post. At the time of writing, the site had been used to generate 1603 requests.
AMI:HK does not log any user data on the server side; the process is handled
on the client side. Participants can request call logs, geolocation data, IP address
logs, subscriber info, etc, but cannot make a blanket request for all personal
data, since under both the PDPO56 and the relevant Guidance Note data users
can reject requests that are too general.57
Though the PDPO requires that data access requests be made using a
prescribed form,58 the automated nature of AMI:HK means this form is not
used. However, the relevant Guidance Note strongly advises data users
against denying access requests for such technical reasons; 59 the PCPD also
indicated in discussion with project members that they expect recipients of
access requests to comply with any request that adheres to the spirit of the
form, even if the form itself is not used.
retention periods.
The results also reveal that though providers are aware of and adhere to the
PDPO's guidelines regarding response timelines, the overall process remains
extremely lengthy. Most significantly for our purposes, up to the time of
writing not a single telecommunications provider presented with a data access
request through AMI:HK has provided the IP addresses assigned to the
subscriber as part of its response.
While a subsequent paper will provide a full analysis of the results of the
project once completed and provide a detailed set of policy recommendations
in response, these preliminary results reveal a certain amount of inconsistency
amongst Hong Kong's telecommunications providers regarding their
approach to the procedural requirements of DPP6. However, there is no reason
to suppose at this stage that any of the eight telecommunications organisations
subject to requests through AMI:HK view IP addresses as personal data within
the meaning of the PDPO. If this proves accurate as the project continues and
IP addresses are not viewed as personal data, then this suggests a need for the
PCPD to address a clear gap in Hong Kong's privacy framework, given the
importance of IP addresses to the personal privacy of Hong Kong's residents.
Conclusion
providers voluntarily adopt more stringent privacy protections than ISPs and
telecommunications providers. What is required, then, is to give proper
recognition to IP addresses as a critical piece of the personal data of Hong
Kongers. This means reform that goes beyond issuance of a Guidance Note by
the PCPD; the protection must become a clear and enforceable part of the PDPO
itself. The GDPR offers a model for how this could be done and, in our view,
the Hong Kong government would be wise to give serious consideration to
similar changes. The PDPO has undergone only one significant amendment
since its introduction (a series of reforms in 2012 related primarily to direct
marketing), and it is critical that Hong Kong not be saddled with an outdated
data protection regime as the rest of the world moves forward.