Response to HK's Privacy Commissioner for Personal Data
20 February 2013
Chief Personal Data Officer, for
Privacy Commissioner for Personal Data
Case No. 201302611
Thank you for your letter of 15-Feb-2013. In the interests of transparency, given that you have already aired your concerns by way of media statement on that date, we are publishing this reply. We also hereby seek your consent to the publication of your letter.
It is unclear from your letter whether it is a preliminary inquiry or you have, lacking complaints, initiated an "investigation" under Personal Data (Privacy) Ordinance (PDPO) s38(b). We hope that it is the former. We strive to comply with the laws of HK, and we respect the importance of the PDPO and your role in protecting private data. We are deeply upset and concerned by your letter and its possible implications for freedom of publication in, or into, Hong Kong, and we hope to work with you to remove those implications.
About Webb-site.com (Webb-site)
In order to address your enquiries, I will first provide you with context, a brief background on Webb-site. I founded Webb-site in 1998 as a non-profit platform for the promotion of better corporate and economic governance in Hong Kong. I heavily subsidize its running costs, and commit a lot of my time to its operation and to the activities around it. There are currently over 20,000 subscribers to a free newsletter distributed by e-mail.
We do not collect information about our subscribers, but it is clear from this list of the top 100 e-mail domains that they include a broad base of people including bankers, lawyers, financial regulators and academics, and also that many people use webmail providers.
Webb-site has never charged for access, but it eventually will need to adopt some form of revenue model, such as a "freemium" version, if it is to survive and cover its costs without my support. I don't anticipate that it will ever be "for profit".
One of the key elements of good governance is transparency and accountability, and the information that is needed to achieve that. Over the years, I have added functionality to the site which allows users to know more about the people and companies of Hong Kong and China, amongst others. There is now a "Webb-site Who's Who" (WWW) database, which includes all the directors of HK-listed companies since 1990. We also cover membership of statutory and advisory boards (in most cases since about 2000), licensees under the licensing regime of the SFC since 1-Apr-2003, members of the Executive Council, Legislative Council, District Councils, Chief Executive's Election Committee and others. There are over 100,000 past and present individuals, worldwide, in the database, and about 1.9 million organisations, including basic information on all companies registered in HK since 1865.
WWW compiles information about the different roles and interests of a person, for example, a director of a company who is a member of a governmental advisory body, or a legislator who is a director of a company. By bringing these data together in one place, it allows the public (including the media, academics, researchers, investors, potential customers of licensed professionals and so on) to more easily understand who is running their legislature, companies, advisory bodies and so forth, and what their other interests, or those of their associates, might be.
Webb-site is also a media organisation - we publish our own articles about corporate and economic governance, regulation, current affairs, government policies, civil liberties and so on. You can find a wide range of subjects in the Webb-site archive.
The database also contains links to relevant public documents about a person, such as media articles (on Webb-site or other media), court judgments and disciplinary press releases. So for example, if a public official is a company director and his company has been involved in unauthorised building works covered by media, the database would link this information together.
WWW also includes vast amounts of information on listed issuers, their securities and their advisers, including the Webb-site Total Returns series launched last year which allows investors to calculate total returns including reinvestment of distributions and other capital adjustments since 1994. We link the total returns system to the individual directors to show what the return on the stock has been while they were a director, averaged across their directorships, and similarly for advisers such as auditors.
There is no "campaign", as you put it, to compile data on directors - we have been compiling our database on people and organisations in HK since 1994, initially for our own investment research, and eventually made the database available to the public as WWW.
No new data
The compilation in WWW saves users a great deal of duplicated effort (in 2012 Webb-site served about 59.8 million page views, mostly in WWW), but in the case of each individual in WWW, the same information could have been compiled by anyone worldwide without using WWW. We are not adding to the sum of public knowledge. We do not take private data and make it public. Like many other online databases, we only use public sources and compile public data.
No collection from individuals in HK or elsewhere
The web server on which the public accesses Webb-site and WWW is in Chicago, USA, and although we build and maintain WWW from HK, we or anyone else could have done so from anywhere else in the world. Building such a database does not necessitate a presence in HK, because it does not involve collecting data from people in HK. WWW does not collect data from individuals, whether in HK or elsewhere.
All data in WWW come from public sources. These include:
- Company announcements, circulars and annual reports, which contain biographical information, including ages, relationships between directors, educational background and so on.
- Published birth notices, marriage notices and obituaries, online or in newspapers
- Other notices published in newspapers or the Gazette
- Published court judgments
- Rulings from the Insider Dealing Tribunal and Market Misconduct Tribunal
- Media releases from various regulators, including disciplinary matters
- Media releases from the ICAC
Policies of WWW
We would never include in WWW data which was illegally or accidentally published by others. For example, if a bank's database of people's names, credit card numbers and balances was leaked, we would not include it in our database.
We of course aim to keep WWW as accurate as possible. If someone informs us of an error in the data, or of outdated information, then we correct the error and make the update as soon as possible.
WWW is also a historic archive. We don't remove data just because some people find it inconvenient, as this would be censoring history and removing information that was available to anyone at the time it was published. Nor do newspaper archives (online or not) or public libraries redact their archives. The retention of data for future access is important for researchers who did not exist or were not active when the data were first published. This, by the way, is why we also need a law on retention of Government records.
It would be a sad situation for HK if our running WWW from HK was illegal in HK but would be legal if done outside HK, as it would mean that the domestic publication industry was being placed at a competitive disadvantage to those overseas, and it would amount to censorship of HK publication.
Other online media, such as Bloomberg Businessweek, also publish databases containing similar personal information. An example on a HK individual is here and our positions page on the same person is here. Sometimes the databases are available for free (as on Webb-site) and/or are supported by advertising, and sometimes they require payment.
Another example of online compilations is Wikipedia, the world's 5th most popular web site, which includes biographical pages on some HK individuals and their families, including family trees, dates of birth (where publicly known), relationships between individuals and so on. Online movie databases also include similar information on actors, including HK actors.
In the case of directors and individual substantial (5%) shareholders, some publications such as Insiders.hk include details of their transactions in shares. Those details must be obtained from the website of the Stock Exchange of Hong Kong Limited, where they are filed and published as required by law. Some sites also include analysis of the emoluments of individual directors, extracted from published annual reports and announcements.
WWW does not yet track share-dealings or directors' pay, but we may add those features in future, again using public data, if our resources permit and the law allows.
Access from within HK
If access within HK to databases like WWW, Bloomberg Businessweek or Wikipedia was constrained by the PDPO because its users would be "data users" (see below), then it would mean that internet publishers outside HK would have to detect users with HK IP addresses and refuse access, or put up extensive warning screens about the PDPO, effectively building a firewall around HK. That is one step away from the Great Firewall of China. A result of trying to access a site containing personal data from within HK might read:
"Sorry, we have detected that you are accessing this site from within Hong Kong. Collecting, holding or using (including disclosing or transferring) personal data on individual people from this site would make you a "data user" within the meaning of Hong Kong's Personal Data (Privacy) Ordinance, and as we cannot be sure that the contents of this site are disclosed and will be used for the purpose for which they were originally collected (or a directly related purpose), we cannot transfer the data to you and we cannot grant you access."
The scope of the PDPO
In our view, the clear legislative focus of the PDPO is to govern the way in which organisations collect private data from individuals and subsequently use it. Normally this is in connection with a service provided to the subject, such as services provided by doctors, dentists, hospitals, banks, insurers, credit card companies, stockbrokers, telecommunications service providers, loyalty card schemes and so on. Each of these is undoubtedly a "data user" within the meaning of the PDPO. They may also privately share it with partners and agents, subject to the provisions of the PDPO. The extent to which this may be done was the focus of the Octopus Cards investigation of 2010 and subsequent legislative amendments.
Quite properly, the PDPO imposes restrictions on what is done with private data by data users and their private transferees, but if you seek to extend its scope to what is done with public data, then you are stepping into the public arena and attempting to regulate what publishers can do with public information. It would in essence mean that the original publishers of public data would have a monopoly on that publication. Note that data (facts) are not creative works, and no copyright applies.
When the PCPD seeks to extend the application of PDPO to public data, it should take great care not to infringe on the constitutional freedom of speech, the media and publication provided by Article 27 of the Basic Law.
The PDPO came into operation in 1996. There are provisions in the PDPO, not yet activated, for a register of "Data Users" and "Data User Returns" to be filed annually to that register with fees payable, collectively known as the "Data User Return Scheme" (DURS). You consulted the market on activating those provisions in a consultation paper published together with a media statement on 7-Jul-2011. You proposed a phased approach, initially focussing on banking, telecoms, insurance and "organisations with a large database" (without proposing a definition of this). You did not state what further phase(s) you had in mind. On 28-Nov-2011, you responded to a media report regarding opposition to DURS. We can find no further mention of it.
If you implement DURS, then we are concerned that your "phases" could extend to cover compilers of public data such as WWW, Bloomberg, Reuters or Wikipedia accessible in HK. Again this could impinge on freedom of speech, the media and publication provided by Article 27 of the Basic Law.
When a law requires that data (personal or not) be filed for the purposes of public disclosure, then data filed under that law enter the public domain and cease to be private.
In the PDPO, "data user" is defined as:
"in relation to personal data, means a person who...controls the collection, holding, processing or use of the data"
Taken literally rather than purposively, this definition would mean that anyone who downloads and reads annual reports containing personal data, gazette notices appointing liquidators, lists of individual substantial shareholders' dealings, or details of directors' remuneration, or compiles it or otherwise uses it, would be "collecting", "holding" and "using" data and would therefore be a "data user". There is an exemption in s52 for personal data held for "recreational purposes" but we doubt that it would extend to this. Rather, the exemption is intended, for example, to allow keeping photos of friends taken at parties.
If such persons are "data users" under PDPO and the data are not exempt, then it would follow that under PDPO sections 18 and 19, the individual subjects of such data could file "data access requests" with such data users, who would be obliged to comply. An individual investor who does his homework, with a large collection of annual reports which contain data on thousands of individuals, could face an inundation of data access requests. So could entities like Bloomberg Businessweek or Wikipedia, with its vast collection of data on living individuals in HK, any of whom could file a "data access request".
So a literal interpretation would be unreasonable. One must look to the purpose of the law and legislative intent. It cannot logically be the legislative intent that people who read, download, or compile public data, should fall within the definition of "data users" under the PDPO.
Various laws require that data be filed for public disclosure. These include election laws, where addresses of candidates are published, the Land Registration Ordinance, where contracts for the sale and purchase of property are published, the Companies Ordinance, where ID or passport numbers, names and addresses of directors, secretaries and liquidators are published, and the Securities and Futures Ordinance, where dealings by substantial shareholders and directors are published. Some of these require payment to obtain the data, and some do not, but in either case, the data are in the public domain once they are published.
As a substantial shareholder myself, I have no right to object to disclosure of my interests as required by law, and I do not believe my consent is required for someone to take that information and republish it in their own database.
The Companies Ordinance and the purpose of HKIDs
WWW has not yet used directors' data directly from the Companies Registry, on grounds of cost. However, we note that under Section 45(1)(b) of the new Companies Ordinance (Ord. 28 of 2012), the Registrar must make the register available to the public:
"to ascertain the particulars of the company, its directors or other officers, or its former directors..."
The particulars referred to include their names, unique identifiers (a HKID or a passport number), address, date of appointment and date of cessation.
The Companies Registry once faced the same problem that WWW does, namely distinguishing between people with the same name appearing as directors of different companies, or in the broader case of WWW, different companies and other organisations. We note from the 1998/99 report of the Standing Committee on Company Law Reform, page 14, that the use of HKIDs was essential in resolving this problem:
"Once this expanded database is available for public search, it will be possible for the computer system to make the necessary cross-referencing with a director's other directorships using the director's [HKID number] as the unique identifier or passport number if there is no HKID No."
The purpose of including HKIDs in our database is the same purpose for which the Companies Registry publishes them, namely, to distinguish between individuals by using a unique identifier, rather than a non-unique name. Indeed, we struggle to imagine what other purpose the HKID in a database could have - it is a unique identifier, but that's all it is. It tells us practically nothing about the person.
Similarly, the original purpose of including HKIDs in published legal agreements or Gazette Notices of liquidations (which are some of our sources), is again to uniquely identify the person involved and avoid mistaken identity. We use those HKIDs for the same purpose within WWW. If we did not record the HKID number when it is publicly available, then there would be a higher probability of mistaken identity by WWW or by its users.
In building and maintaining WWW, we take great steps to try to avoid mistaken identity between individuals with similar or congruent names, or multiple identity, where we have two or more entries for the same individual who has appeared in different places, sometimes with a different or varied name.
Common identifiers, including HKIDs and other national IDs, are important to help us distinguish between individuals, and for researchers to look up public information on those individuals using the number. Simply knowing the first few digits of an HKID would not allow such research to be done, because most databases will not allow "wildcards" like "A123XXX" to be searched, and even if they did, you could get a thousand matches.
Currently, most of the individuals in our database do not have an HKID attached to them, because being not-for-profit, we seek to minimise costs and have not paid to access the public data from the Companies Registry or elsewhere. So instead of HKIDs, we normally have to distinguish based on other public data, such as their age, or an identifier assigned by another organisation, such as the SFC. This is sub-optimal. In the case of ages, two people can have the same name and age (particularly when we can only approximate the year of birth). In the case of an organisational ID, we cannot know whether a person licensed by one regulator is the same as a person who has been licensed by another, because they use different identifiers.
So people with histories under one authority might not show up under another authority, resulting in multiple identity in WWW. This problem would be solved if all regulators used the same set of identifiers in their public databases, a "common identifier" such as the HKID.
Identification is also sometimes impossible when the Government announces a list of appointments to a statutory or advisory body without saying anything about who the people are - not even an age, or the name of an employer. They might as well announce that they have appointed "Mr Anonymous" instead of a "Wong Wai Man" or a "Zhang Wei". Again, use of the HKID would tell the public whom they are referring to.
Incidentally, passport numbers are less useful than national IDs, because they change when they expire, so they have to be chained together to establish that they relate to the same person. In some countries which lack a national ID system, to distinguish between same-name individuals, their companies registry discloses the residential address or the date of birth instead. Residential addresses are less than ideal, partly because of the personal security issue, and partly because sons sometimes bear the same name as their fathers and live with them.
Abuse of public data
For the reasons stated above, we believe that WWW, similar compilations and their users are outside the scope of the PDPO. However, if people take public data, whether from the original publication such as the Companies Registry, Gazette or Stock Exchange, or from secondary compilations such as WWW, and then abuse those data to impersonate, defraud or harass, then there are laws which deal with those criminal offences. Such wrong-doers are not "data users" within PDPO, and they are outside the scope of your office, but they are criminals, and the Police and Department of Justice should handle that. Webb-site of course strongly opposes the abuse of such data.
In your media statement of 15-Feb-2013, you include a statistic about the number of police cases involving "use of ID cards relating to others". These cases involve cards, not ID numbers alone. Some of the cards would be genuine but stolen or borrowed, and some fake. We do not see any relevance to the issue at hand, namely the compilation of public data by WWW. Anyone could obtain ID numbers from the same public sources that we did if they wanted to fake an ID card.
Another form of abuse is to treat the HKID number as a password by phone or online, when the card cannot be presented face-to-face. Given the public availability of HKIDs in the registries and numerous databases, any service provider which authenticates customers on the phone or online by asking for their HKID number is reckless and should be liable for any consequent loss. Fortunately, for financial transactions, the HKMA now requires not just a real password, but two-factor authentication, such as a digital certificate, a gadget, or a one-time password sent to the user's mobile phone. Similarly, the Communications Authority should also require its licensees to use other ways to authenticate their customers and not to use HKIDs.
The wider use of HKID numbers as identifiers, and the reversal of Government policy which treats them as secrets, would reduce identity fraud, for the simple reason that nobody is going to accept a well-known identifier as a password. It would not prove who you are.
The HKID Index
The HKID Index, which we launched as part of WWW on 12-Feb-2015, is an index of HKIDs in our database which has been compiled from public sources on the internet. Contrary to the headline in your media statement of 15-Feb-2013, "ID numbers of 1100 persons deliberately disclosed online", we did not disclose this information. It had already been disclosed in published documents, and one cannot disclose that which is already public. The HKID index merely compiled this data and provided a hyperlink to each public source. Anyone using Google or another search engine could have done the same.
We hope it was clear from the preamble on the original page that we were only using legally published data. Also, each ID number contained a hyperlink to the relevant source, and each name contained a hyperlink to the "Positions" page in WWW of the person concerned, again giving only public data, such as directorships and liquidatorships of various companies, roles on Government committees, awards from governments, and so on.
The HKID index allowed us to uniquely identify an individual using something more precise than his/her non-unique name, but by itself, it tells the user nothing about that individual. HKIDs should not be regarded as personal data. There should be a clear distinction between identifiers and personal data.
Amendments to the Companies Ordinance
Whether or not HKID numbers and home addresses should be published in the Companies Registry or the Gazette is a separate issue currently under heated debate, but at present, they are. We understand that your office has been a key proponent of seeking to partially redact HKIDs in the Companies Registry, and we are concerned that this may have been the motivation behind your letter, as you have never raised any query about any other public data on individuals in WWW before.
For what it is worth, we agree that correspondence addresses should be acceptable as long as they are valid for service of legal process. We are in a minority on that though, because 61% (so far) of respondents to an opinion poll running on Webb-site think residential addresses should remain disclosed while 31% think a correspondence address is acceptable and 8% are undecided.
However, an overwhelming 95% agree that the HKID numbers should not be restricted, with only 4% in favour of restriction.
The Companies Registry should demolish its pay-wall, like New Zealand has. A HK$18 fee won't stop a potential fraudster from getting the data, but it makes it expensive for third parties to compile and maintain the data of a large number of companies (including dissolved ones), thereby entrenching the monopoly of the Companies Registry, and it makes doing business in general more difficult. In reality, fraudulent use of the data is very rare, and the public interest in transparency outweighs this.
In the light of the above clarification, we hereby seek your confirmation that the compilation of public data on individuals, that is, data which have already been legally published, is not within the scope of the PDPO, and that as long as that is all that we are doing, Webb-site and the other publications which already compile public data are free to proceed. This would lift the threat to the freedom of publication in Hong Kong which your inquiry and media statement raise. Leaving these issues unresolved would not be in the public interest.
As a result of your intervention, we removed the HKID Index from WWW, and it will not return unless you provide that confirmation, but we also need to know that the compilation of other public data, such as positions held on boards and government bodies, substantial shareholders' dealings, directors' pay, directors' share-dealings, and other public information on individuals will not face further actions from your office. Indeed, the entire publication industry needs to know.
We are most keen to remove the uncertainty created by your media statement and letter, both for Webb-site and the publication industry as a whole. If you have any outstanding concerns, then we would be pleased to meet with you to discuss them.
Founder and Publisher, Webb-site.com
© Webb-site.com, 2013