[2008] 1 HKC A B Shi Tao v Privacy Commissioner for Personal Data 287 SHI TAO v PRIVACY COMMISSIONER FOR PERSONAL DATA ADMINISTRATIVE APPEALS BOARD ADMINISTRATIVE APPEAL NO 16 OF 2007 MR JAT SEW-TONG SC (PRESIDING CHAIRMAN), DR CHEUNG CHI-TONG ALBERT AND MR CHIU SAI-CHUEN NICHOLAS (MEMBERS) 25 SEPTEMBER, 26 NOVEMBER 2007 C Human Rights – Right to privacy – Personal data privacy – Disclosure of email account information to Mainland authorities – Disclosure made by Beijing agent of Hong Kong company under compulsion of law – Whether disclosure of ‘personal data’ – Whether breach of data protection principle – Personal Data (Privacy) Ordinance (Cap 486) ss 2(1), (3) D 人權 – 私隱權利 – 個人資料私隱 – 向內地當局披露電郵戶口資 料 – 香港公司的北京代理以強制法律申請披露 – 是否屬披露「個 人資料」 – 是否違反保護資料原則 – 《個人資料(私隱)條 例》(第486章)第2(1), (3)條 E F G H I The appellant, a journalist in Mainland China, was convicted of the crime of illegally providing state secrets to foreign entities outside the People’s Republic of China (PRC) and was sentenced to 10 years’ imprisonment. The verdict of the Mainland court indicated that the appellant used his personal email account with ‘yahoo.com.cn’ (Yahoo! China) to send secret information overseas and that Yahoo! Holdings (Hong Kong) Ltd (YHHK) furnished account holder information to the Mainland authorities. The respondent Commissioner carried out an investigation following a complaint lodged on behalf of the appellant. YHHK explained that although it owned the yahoo.com.cn website at the material time, the website was managed separately in Beijing by two Mainland entities and the disclosure was handled by the legal teams of that website reporting directly to YHHK’s parent in the United States, Yahoo! Inc (which confirmed that the Beijing management team had provided the State Security Bureau of Mainland China with user registration information, Internet Protocol (IP) log-in information and certain email contents). The Commissioner concluded that the IP address of an internet account holder was not personal data within the meaning of the Personal Data (Privacy) Ordinance (Cap 486); that YHHK was not a data user within the meaning of the Ordinance; that the Ordinance had no extra-territorial application; that even if Data Protection Principle 3 applied to the disclosure complained of, there was no contravention of that principle; and that the exemption in s 58 of the Ordinance was not applicable. The appellant appealed to the Administrative Appeals Board, contending that the Commissioner erred in law in reaching these conclusions. Held, unanimously, dismissing the appeal: (1) The definition of ‘personal data’ in the Personal Data (Privacy) Ordinance (Cap 486) had two limbs, ie data (a) relating directly or indirectly to a living individual; and (b) from which it was practicable for the identity of the individual

Select target paragraph3