For enquiries, please call Connie Yip at 9407 5454. E-mail: cyip@questexasia.com R 56 <strong>Computer</strong>world <strong>Hong</strong> <strong>Kong</strong> Nov 2009 www.cw.com.hk
VIEWPOINT CHARLES MOK Should IP addresses constitute personal data? The government’s consultation paper for the review of the Personal Data (Privacy) Ordinance (PDPO) is long overdue. The ordinance was passed in 1996, before the Inter<strong>net</strong> became popular—let alone Web 2.0 and social media—and is thus far behind public awareness and expectation by the. The public naturally wants “maximum protection,” but as the consultation document rightfully states: “balance is needed between safeguarding personal data privacy and facilitating continued development of information and communications tech- in spite of technological change”—that is, it should maintain technological neutrality. Sensitive data No<strong>net</strong>heless, the IT sector is among the sectors most directly affected by this ordinance. An example: the proposal in the con- “sensitive personal data”—a new introduction to the ordinance that would call for a higher degree of protection by the data users, and hence heavier punishment in case of data-leakage. The government’s rationale is that such biometric data are inalterable, thus damage caused to data-owners would be severe and permanent. However, why single out biometric data to be made “sensitive,” while in other jurisdictions such as Australia and the UK, sensitive personal data includes criminal records, racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, health information, and sexual orientation? technology in schools for attendance keeping, the effects have Charles Mok is the president of Inter<strong>net</strong> <strong>Society</strong> <strong>Hong</strong> <strong>Kong</strong>, and Member of the <strong>Hong</strong> <strong>Kong</strong> Information Technology Federation. He has been in the IT industry for almost 20 years, and is active in a number of advisory committees and statutory bodies of the HKSAR government already been chilling for local companies providing such solutions. While the PCO guidelines maintains that biometric solutions are acceptable as long as it is not mandatory, or that such high level of secure access control is no<strong>net</strong>heless many biometric solution provid- ers have simply seen their business dry up since this summer. Another main concern for the IT sector is the proposal to regulate data processors—such as application developers, Inter<strong>net</strong> service or web hosting providers, which provide outsourced services to the actual data users that hold the personal data of the subjects. Previously, data processors were not regulated by the ordinance. With the advent of cloud computing, this is a void to be addressed. All users affected Should data processors be regulated directly by the ordinance, or indirectly—meaning the data user must “ensure that its data processors provide security protection to personal data at a level comparable to itself,” as required by the ordinance? Data subjects would have redress against data users, who would in turn have redress under contractual law with the data processor. The IT sector is among the sectors most directly affected by this ordinance There are many other areas in the consultation that will affect all businesses handling any type of personal data, including its customers and employees. For instance, should there be mandatory disclosure to data subjects in case of a breach? Also, the document proposes further empowering the Privacy Commissioner by making it an offense in cases of unauthorized obtaining, disclosure and sale of personal data—or repeated contravention of a data protection principle—and allowing the Commissioner to impose mo<strong>net</strong>ary penalty on serious contravention of data protection principles. However, the document also reveals some recommendations made by the Commissioner but not taken up by the government—the IT sector should consider whether IP addresses constitute personal data. While IP addresses by themselves won’t identify users, there are circumstances where combined with other data, IP addresses will be critical in identifying their users. It is unfortunate that the government has chosen not to even consult this important issue, which would produce better guidelines for the industry going forward. The Personal Data (Privacy) Ordinance consultation document is at http://www.cmab.gov.hk/doc/issues/PDPO_Consultation_ Document_en.pdf and the deadline for responses is November 30, 2009. www.cw.com.hk Nov 2009 <strong>Computer</strong>world <strong>Hong</strong> <strong>Kong</strong> 57