[2008] 1 HKC

A

B

Shi Tao v Privacy Commissioner for Personal Data

287

SHI TAO v PRIVACY COMMISSIONER FOR PERSONAL DATA
ADMINISTRATIVE APPEALS BOARD
ADMINISTRATIVE APPEAL NO 16 OF 2007
MR JAT SEW-TONG SC (PRESIDING CHAIRMAN), DR CHEUNG CHI-TONG
ALBERT AND MR CHIU SAI-CHUEN NICHOLAS (MEMBERS)
25 SEPTEMBER, 26 NOVEMBER 2007

C

Human Rights – Right to privacy – Personal data privacy – Disclosure of
email account information to Mainland authorities – Disclosure made by
Beijing agent of Hong Kong company under compulsion of law – Whether
disclosure of ‘personal data’ – Whether breach of data protection principle –
Personal Data (Privacy) Ordinance (Cap 486) ss 2(1), (3)

D

人權 – 私隱權利 – 個人資料私隱 – 向內地當局披露電郵戶口資
料 – 香港公司的北京代理以強制法律申請披露 – 是否屬披露「個
人資料」 – 是否違反保護資料原則 – 《個人資料(私隱)條
例》(第486章)第2(1), (3)條

E

F

G

H

I

The appellant, a journalist in Mainland China, was convicted of the crime of
illegally providing state secrets to foreign entities outside the People’s Republic
of China (PRC) and was sentenced to 10 years’ imprisonment. The verdict of the
Mainland court indicated that the appellant used his personal email account with
‘yahoo.com.cn’ (Yahoo! China) to send secret information overseas and that
Yahoo! Holdings (Hong Kong) Ltd (YHHK) furnished account holder
information to the Mainland authorities. The respondent Commissioner carried
out an investigation following a complaint lodged on behalf of the appellant.
YHHK explained that although it owned the yahoo.com.cn website at the material
time, the website was managed separately in Beijing by two Mainland entities and
the disclosure was handled by the legal teams of that website reporting directly to
YHHK’s parent in the United States, Yahoo! Inc (which confirmed that the
Beijing management team had provided the State Security Bureau of Mainland
China with user registration information, Internet Protocol (IP) log-in information
and certain email contents). The Commissioner concluded that the IP address of
an internet account holder was not personal data within the meaning of the
Personal Data (Privacy) Ordinance (Cap 486); that YHHK was not a data user
within the meaning of the Ordinance; that the Ordinance had no extra-territorial
application; that even if Data Protection Principle 3 applied to the disclosure
complained of, there was no contravention of that principle; and that the
exemption in s 58 of the Ordinance was not applicable. The appellant appealed to
the Administrative Appeals Board, contending that the Commissioner erred in law
in reaching these conclusions.
Held, unanimously, dismissing the appeal:
(1) The definition of ‘personal data’ in the Personal Data (Privacy) Ordinance
(Cap 486) had two limbs, ie data (a) relating directly or indirectly to a living
individual; and (b) from which it was practicable for the identity of the individual

Select target paragraph3