22 1
HONG KONG
No Warrant? No Problem: ISPs’ Role in Voluntary Disclosure of Users’ Metadata to Authorities
L
ast September, the Hong Kong Transparency Report revealed the staggering number of user data requests made by the Hong Kong Police Force (the Police) to Internet service providers (ISPs). The report came as a revelation as it disclosed the fact that not all user data requests were made under court orders, and that such requests were sometimes acceded to by ISPs voluntarily. In the aftermath of the unprecedented Umbrella Movement, the practice of warrantless user data requests raise serious questions as to the extent to which the Police can easily obtain online activists’ real identities with the help of ISPs and, more importantly, the legality of such practice.
regarding legality of warrantless requests is thus ambiguous. The Police knows and does not dispute that it could be rejected without legal consequences on the receiving parties. If such requests are not acceded to, they can then try to obtain a court order to compel the ISPs to disclose the data. Given the consequences of the requests, which had the effect of revealing someone’s true identity and uncloaking his or her anonymity, it is worrying that the Police could actually opt for a route that bypasses judicial authorisation. While disclosure of data by ISPs pursuant to court orders is legal, the legality of voluntary disclosure
Edwin Chau
less any applicable exemptions of the Ordinance apply. Exemptions include s. 58(1)(a) ‘prevention or detection of crime’ and (b) ‘the apprehension, prosecution or detention of offenders’. However, they are not blanket exemptions that anything falling within it will automatically be qualified. While it is certain that a request from the Police would meet the first criteria, the second limb of the exemption test must not be overlooked. S. 58(2) stipulates that the exemption could only operate if the application of DPP3 ‘would likely prejudice’ the above matters.. The PDPO puts the liability on the parties who hold and choose to disclose the data instead of the requesters. The exemptions work as defences that data users – here the ISPs – can raise if they find themselves involved in legal proceedings for contravening DPP3. The crux of the issue of ISPs’ voluntary disclosure is thus whether they can show to the court that the second condition has been met. Objective test requirement to ‘prejudice’ in s. 58(2)
Police requests and voluntary disclosure In a LegCo meeting in April 2015, in response to a question on warrantless requests, a government representative confirmed that if such demands did not follow legal procedures, the ISPs could choose not to comply. Thus the status HKSLG · FALL 2015 · ISSUE 7
to a warrantless request by the Police is highly disputable. In Hong Kong, the only relevant legal framework is the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) under which Data Protection Principles 3 (DPP3) stipulates that personal data shall not be used without the data subject’s consent for any other new purposes, un-
When will non-disclosure of data prejudice matters such as detection of crime? Whether non-disclosure will likely prejudice the relevant purpose does not solely depend upon the subjective belief of ISPs. It is an objective inference, according to the Administrative Appeals Board’s 5-2006 decision on a similar case involving voluntary disclosure of client’s personal data by the Hong Kong Jockey Club to the Police. It is