288
Hong Kong Cases
[2008] 1 HKC
to be directly or indirectly ascertained. An IP address, together with other data,
could in certain circumstances constitute ‘personal data’. The question in the
appeal was not whether any personal data had been disclosed but whether
personal data of the appellant had been disclosed by YHHK. In the present case,
the IP log-in information provided by the Beijing management team, even when
coupled with other information disclosed, did not constitute ‘personal data’.
Neither the email address nor the IP address ex facie revealed the identity of the
appellant. The information provided only disclosed that the email was sent from
a computer located at the address of a business entity, and the date and time of the
transaction. It was not reasonably practicable from such information to ascertain
that it was actually the appellant who used the computer identified by the IP
address to send out the relevant email at the relevant time. Given that there was
no certainty that the registration information provided by an email user to Yahoo!
China website was authentic or reliable, the burden was on the appellant to put
forward credible evidence that such registration information held with the
Mainland authorities disclosed his personal data. In the absence of such evidence,
one could not conclude that the registration information in relation to the email
account necessarily contained personal data of the appellant. Accordingly,
although the information provided to the Mainland authorities related indirectly to
an individual, it was not such as would enable the identity of the appellant to be
ascertained directly or indirectly with reasonable practicability. Durant v
Financial Services Authority [2003] EWCA Civ 1746 considered. Cinepoly
Records Co Ltd & Ors v Hong Kong Broadband Network Ltd & Ors [2006] 1
HKC 433 distinguished (paras 61, 62, 67-70).
(2) YHHK was a ‘data user’ as defined in the Personal Data (Privacy)
Ordinance, assuming that the relevant information constituted ‘personal data’
under the Ordinance. It had, in the light of the corporate structure of the Yahoo!
group of companies, control over the relevant information. Even if the Beijing
management team disclosed the relevant information to the State Security Bureau
under the compulsion of law, the Beijing management team and hence its
principal, YHHK, still retained control over such information whether before or
after the relevant disclosure. The fact that the Beijing management team acted
under the compulsion of law did not and could not ‘vitiate’ their control (paras 81,
82, 83).
(3) Section 39(1)(d) of the Personal Data (Privacy) Ordinance empowered the
Commissioner to refuse to carry out or continue an investigation when the case
had no connection with Hong Kong. It was not a provision dealing with
extra-territorial application of the Ordinance (para 86).
(4) Even if the relevant information were regarded as ‘personal data’ under the
Personal Data (Privacy) Ordinance and even if YHHK were to be considered a
‘data user’ under the Ordinance, there had been no breach of Data Protection
Principle 3 because the appellant had given prescribed consent for such disclosure
when he accepted the terms of service and the privacy policy statement, which
indicated that Yahoo! or Yahoo! China was authorised to make disclosure ‘in
accordance with legal procedure’ (paras 94, 95, 99).
Cases referred to
Cinepoly Records Co Ltd & Ors v Hong Kong Broadband Network Ltd & Ors
[2006] 1 HKC 433, [2006] 1 HKLRD 255 (CFI)
A
B
C
D
E
F
G
H
I