Published in Issue 13 of the PISA Journal.
Allan Dyer
The Review of the Personal Data (Privacy) Ordinance addressed the question of some of the deficiencies of the current law, but it failed to look at wider questions about how we use information, and failed to keep up with current trends. This is about the complex relationships between Copyright, Privacy, Obscenity and Free Speech. The Information Age has changed things in ways we do not yet fully understand, and our laws on all of these cannot cope.
I am not saying that we should demand immediate laws controlling the latest internet concern, and the next concern, and the next, until we have a complex tangle of unintelligible restrictions. Quite the opposite, we need to step back and look at the wider picture, without compartimentalisation into "privacy", "copyright" and so on.
Privacy and Copyright
For example, how do developments in photography affect individual rights? The Edison Chen case raised this for intimate pictures of celebrities, but the situation has changed already. Current cameras can do facial recognition and tag photos automatically, or facial recognition may be applied by social networks, or third parties scraping photos from multiple sites. Should the subject of a photo have control of how it is used? In what circumstances? Under our current legislation, there is no protection for the subject of the pictures. The photographer has copyright, but is copyright appropriate? Copyright is a contract between the creator of an artistic work and Society: the creator gets time-limited rights to make money, and Society gets the work in the long run, but many pictures are not intended to be published.
My thought is that the Data Protection Principles fit this case very well. Take a look at Principle 3 - personal data should be used for the purposes for which they were collected or a directly related purpose, so distributing to strangers on the internet is forbidden, unless the subject gives permission. That matches how I would like the law to protect this type of information. The problem, however, is enforcement. All the Privacy Commissioner can do at the moment is to issue an "enforcement notice", then, if the offence is repeated, the offender can be prosecuted. Why do you need to leak private information TWICE – once it is leaked it stays leaked.
Punishment
Once a leak has happened, the damage is done. Therefore there must be a deterrent punishment. What surprises me is that, in the case of the Octopus Rewards Program, the Commissioner has even shied away from issuing an enforcement notice. In that case, the information was sold to third parties for millions of dollars, yet apparently it was not likely that a contravention would continue.
Of course, facial recognition is not perfect, so who takes responsibility for the accuracy? How would you feel if you could not get a job because a recruitment company you've never heard of had scraped an image off someone's social network page and wrongly tagged a face as you in a photo of a drunken brawl? Data Protection Principle 6 (subjects have rights of access to and correction of their personal data) should apply, but what should the mechanism be? Social networks are also addressing some of these concerns, mainly in response to their outraged users, but the complexity of the controls and the frequent changes are really adding to the confusion. There is also a clear conflict of interest: social network sites are generally free to the users, because, as others have ably summarised it, you are their product. The sites are collecting their user's information and selling it, most obviously as a means to target advertising, so they are not well-placed to lead a debate on how such information should be protected.
Economics
So now we come to economics: information can be worth money. Do you realise how much valuable information about your family's shopping habits you are giving out when you use a supermarket loyalty card? Of course, it is a trade, I get 0.2% discount, they get to know more about how I shop than I know. Hong Kong is known for its free market economy, but, any economist will tell you, markets are efficient when buyers and sellers have the same level of information. If I was a supermarket, I would be planning to put RFID chips in the loyalty cards, and update the prices as you approach the shelves.
It is not just supermarket economics. I predict a crisis in the health insurance market. All insurance is based in ignorance: neither the insurer nor the insured knows what is going to happen, so the insurer sets the premium according to the probabilities. Too much knowledge destroys that, and medical science and information technology are providing that knowledge. Already, genetic factors involved in many diseases are known, and more are being discovered and DNA sequencing is becoming cheaper. Will we be required to provide a genetic sample when we apply for health insurance, and some people get very low premiums (they are not at risk), and others get unaffordable premiums? DNA is personal information, how much more personal can you get? Do we want privacy laws that prevent insurers demanding a sample? What if an insurer takes your enquiry form and carefully processes it to recover DNA from the sweat left by your fingers? This clearly falls under Data Protection Principle 1 (provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject), but could such a case be prosecuted under the current law?
Sensitive Data
One of the things the consultation asked was whether "sensitive" data should be given greater protection. I don't think you can divide data by sensitivity. It depends on how the data is used. I constantly shed DNA, as dead skin cells, without worrying, until someone uses my DNA to decide my health insurance premium. I do not find my HK ID card number to be embarrassing, I hold birthday parties, and even tell people my mother's maiden name. These are not items of information that need to be kept secret. Until, of course, some idiot who knows nothing about security decides that they can be used to authenticate my identity for something, like activation of my credit card or access to my phone records.
I would like to see this mis-use of personal data as supposedly "secret" authentication tokens stamped out. The practice always was insecure, but we have increasing repositories of shared personal information that can be searched by strangers – social networks again. A friend posts a remark about how much fun their had at your birthday party, and suddenly a criminal has the last piece of information they need to mis-use your credit card.
Holistic View
I have mentioned social networks several times, but this is mainly because they have become very popular in the last few years, and greatly enhanced the dissemination of some types of information. However, right from the time one ape watched a second ape give a piece of fruit to a third ape and gesticulated about it, people have gossiped. Over the years, the boundary between what Society considers private information and public information and how we should trade a profit from information has changed in response to changing IT. We need a review that takes a holistic view of how laws should control the Information Society we are building.