Title: IP Addresses as Personal Data Under Hong Kong’s Privacy Law: An Introduction to the Access My Info HK Project
Author: Stuart Hargreaves and Lokman Tsui
EAP Date (approved for print): 15 November 2017

Note to users: Articles in the ‘Epubs ahead of print’ (EAP) section are peer
reviewed accepted articles to be published in this journal. Please be aware that
although EAPs do not have all bibliographic details available yet, they can be
cited using the year of online publication and the Digital Object Identifier (DOI)
as follows: Author(s), ‘Article Title’, Journal (Year), Volume(Issue), EAP (page
#).

The EAP page number will be retained in the bottom margin of the printed
version of this article when it is collated in a print issue.

Collated print versions of the article will contain an additional volumetric page
number. Both page citations will be relevant, but any EAP reference must
continue to be preceded by the letters EAP.

ISSN-0729-1485
Copyright 2017 University of Tasmania
All rights reserved. Subject to the law of copyright no part of this publication
may be reproduced, stored in a retrieval system or transmitted in any form or
by any means electronic, mechanical, photocopying, recording or otherwise,
without the permission of the owner of the copyright. All enquiries seeking
permission to reproduce any part of this publication should be addressed in
the first instance to:
The Editor, Journal of Law, Information and Science, Private Bag 89, Hobart,
Tasmania 7001, Australia.
editor@jlisjournal.org

IP Addresses as Personal Data Under Hong Kong’s
Privacy Law: An Introduction to the Access My Info
HK Project

STUART HARGREAVES* AND LOKMAN TSUI**

Abstract

IP addresses have significant implications for personal privacy: if connected to a
particular subscriber, they can reveal a vast range of online behaviour. The question of
whether IP addresses are ‘personal data’ under a data protection regime is therefore
critical, as such a classification greatly limits the usage to which those addresses can be
put absent user consent.

This paper critically reviews the approaches taken to the question of whether IP
addresses ought to be classified in this way in Hong Kong and in the European Union
(‘EU’). Jurisprudence related to the EU Data Protection Directive and the
forthcoming General Data Protection Regulation both treat IP addresses as
‘personal information’. This results in robust protection for IP addresses under
European law. In Hong Kong, however, the jurisprudence is limited to two lower court
decisions that are inconsistent with one another, and neither shows a deep appreciation
for the importance IP addresses may have in revealing the behaviour and activities of
Hong Kong residents online. The Privacy Commissioner for Personal Data has likewise
not shown an interest in challenging the approach taken by the courts thus far
regarding this issue.

Noting this relative lack of attention, this paper introduces the Access My Info: Hong
Kong (‘AMI:HK’) project. AMI:HK is a platform for users to make data access requests
to telecommunications service providers in Hong Kong. The project should reveal if
there is consistency in the Hong Kong providers’ approach to their access obligations
under the Personal Data (Privacy) Ordinance, in particular the question of whether
they treat IP addresses as personal data within the meaning of the law.

Introduction

Every networked device is assigned an Internet Protocol (‘IP’) address that
identifies it and that allows for communication with other networked devices.
An Internet Service Provider (‘ISP’) has the ability to connect a home
broadband subscriber to a particular IP address, and the same is true of a
mobile communications provider that delivers internet connectivity to a
smartphone.

* Assistant Professor, Assistant Dean (Undergraduate Studies), LLB Programme
Director, Faculty of Law, the Chinese University of Hong Kong.
** Assistant Professor, School of Journalism & Communication, the Chinese University
of Hong Kong.

Journal of Law, Information and Science Vol 25 2017

If third parties can obtain this connection, then the implications for personal
privacy are profound, since theoretically IP addresses can be used to log all
kinds of online behaviour, whether it is participating in political or religious
activism online, sharing family recipes, accessing pornography, infringing
copyright by sharing music, or teenagers seeking information about human
sexuality. A study conducted by the Office of the Privacy Commissioner of
Canada, for instance, found that an IP address allowed them to determine that
the individual assigned that address had visited websites related to:

search engine optimization training; Canada's advertising and marketing
community; web governance; identity management; privacy issues; legal advice
related to insurance law and personal injury litigation; a specific religious group;
fitness; online photo sharing; the revision history of a Wikipedia entry; and
specific entertainers which, in turn, exposed a variety of usernames.1

A search for information related to the IP address of one Wikipedia contributor2
revealed that they had:

edited hundreds of pages on Wikipedia about television shows, both North
American and international … [showing an] interest in TV shows [that] was
extensive and specific; edited dozens of pages on Wikipedia related to history
topics; participated in a discussion board about a television channel; and visited
a site devoted to sexual preferences following an online search for a specific type
of person.3

Consequently, European privacy law treats IP addresses as ‘personal data’
within the meaning of its data protection regimes, meaning they cannot be
transmitted by ISPs to third parties absent circumstances such as the consent of
the data subject or a court order.

1 Office of the Privacy Commissioner of Canada, What an IP address can reveal about
you (May 2013) <https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2013/ip_201305/>.
2 Wikipedia logs the IP addresses of all contributors.
3 Office of the Privacy Commissioner of Canada, above n 1.


Though Hong Kong’s privacy regime, the Personal Data (Privacy) Ordinance
(‘PDPO’),4 is modelled on the European Union’s Data Protection Directive,5
treatment of IP addresses under it is not well developed. There is limited
judicial commentary on the issue and no clarity as to whether Hong Kong ISPs
consider the IP addresses of their subscribers to be ‘personal data’ and thus
protected by Hong Kong’s privacy law.

This paper outlines the importance of IP addresses to personal privacy,
compares the way in which they are treated under European and Hong Kong
law, and then introduces the Access My Info: Hong Kong (‘AMI:HK’) project.6
AMI:HK is a joint initiative of members of the Chinese University of Hong
Kong’s School of Journalism & Communication, InMediaHK, Keyboard
Frontline, Open Effect, and the Citizen Lab (developers of the original AMI
project7 in Canada). It includes an easy-to-use website that assists Hong Kong
residents in making data access requests to their telecommunications
providers. A key goal of the project is to learn whether Hong Kong ISPs and
mobile phone service providers treat IP addresses as personal data within the
meaning of the PDPO, and to help justify regulatory reform where necessary.

1 IP addresses and privacy

Simply put, IP addresses are unique identifiers assigned to every networked
device connected to the internet. An IP address may be either static or dynamic.
A static IP address is usually assigned by a network administrator to a specific
device and, as the name suggests, does not change. An office computer may,
for example, be assigned a static IP address that does not change, regardless of
who is using the machine. In contrast, a dynamic IP address does change,
sometimes at pre-set intervals and sometimes in response to network events.

Dynamic IP addresses are commonly used by ISPs to provide internet services
to home users. An ISP, for instance, might control a block of IP addresses from
which it then assigns temporary addresses to users, rather than assigning each
subscriber a permanent static address. This would allow an ISP to minimise the
overall number of IP addresses they must maintain. A home broadband user’s
IP address might be different from one day to the next, or one month to the
next, depending on how often their ISP rotates the addresses. It might also
change every time they restart their modem or router.

4 Personal Data (Privacy) Ordinance (Hong Kong), cap 486 (‘PDPO’).
5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data [1995] OJ L 281/31 (‘Data Protection Directive’).
6 Welcome to Access My Info, Access My Info Hong Kong <https://accessmyinfo.hk>.
7 Welcome to Access My Info, Access My Info Canada <https://accessmyinfo.org>.

However, the fact that the IP addresses of home broadband users change over
time offers no meaningful privacy protection. An ISP knows exactly who was
assigned any given IP address at any given moment. In other words, PCCW
(an ISP that provides home broadband services) knows that IP address
10.7.44.214 was assigned to broadband subscriber Cynthia Chung from 6:34 am
9 January 2016 to 9:12 pm 11 January 2016. This also means that PCCW knows
that any website that was accessed by IP address 10.7.44.214 in that timeframe
was almost certainly accessed by Cynthia or someone in her household.

This implicates significant privacy issues: message boards log the IP addresses
of the authors of every single comment, search engines know the IP address
behind each query, online newspapers know which IP addresses clicked on
which links, and every pornography website knows the IP addresses of its most
common visitors. If approached by a third party seeking the identity of the
individual who posted a politically sensitive comment from IP address
10.7.44.214 on the ‘Golden Forum’ message board at 8:03 pm on 10 January
2016, PCCW has the technical means to provide that information and thereby
unmask Cynthia’s political beliefs. In short, if website logs of the IP addresses
of visitors can be connected to the IP address subscriber information logs held
by ISPs, then anonymity on the web is virtually impossible to maintain
(assuming a user takes no steps to intentionally mask their IP address by use
of a Virtual Private Network (‘VPN’)). Only if PCCW considers their IP address
logs to be ‘personal information’ might Hong Kong’s privacy law regulate
when they can provide assistance to a third party seeking to make such a
connection.
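
The correlation described above, as an added example that is not part of the original article: a website log entry (IP address plus timestamp) is matched against an ISP's assignment records to name a subscriber. Only the 10.7.44.214 / Cynthia Chung assignment and the 8:03 pm comment come from the article; the other rows, the function names and the two-minute clock-skew tolerance are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed ISP-side assignment records: (ip, subscriber, start, end).
# The middle row is the article's example; the other two are invented to
# show the same dynamic address being handed to different subscribers.
LEASES = [
    ("10.7.44.214", "Subscriber A (constructed)", "2016-01-05 08:00", "2016-01-09 06:34"),
    ("10.7.44.214", "Cynthia Chung", "2016-01-09 06:34", "2016-01-11 21:12"),
    ("10.7.44.214", "Subscriber B (constructed)", "2016-01-11 21:12", "2016-01-14 10:00"),
]

# Constructed website-side log: (timestamp, ip, action).
WEB_LOG = [
    ("2016-01-10 20:03", "10.7.44.214", "POST /forum/comment"),  # article's example
    ("2016-01-11 21:13", "10.7.44.214", "GET /news/article"),    # one minute after reassignment
    ("2016-01-20 12:00", "10.7.44.214", "GET /search"),          # no assignment on record
]


def _parse(stamp):
    return datetime.strptime(stamp, FMT)


def build_index(leases):
    """Group assignment records by IP address, sorted by start time."""
    index = defaultdict(list)
    for ip, subscriber, start, end in leases:
        index[ip].append((_parse(start), _parse(end), subscriber))
    for rows in index.values():
        rows.sort()
    return index


def resolve(index, ip, when, skew):
    """Return (status, subscribers) for an IP address seen at a given time.

    A record matches if the timestamp falls inside its interval, widened
    by `skew` on both sides to allow for the website's clock and the ISP's
    clock disagreeing. More than one match means the entry cannot be
    attributed to a single subscriber.
    """
    candidates = [
        subscriber
        for start, end, subscriber in index.get(ip, [])
        if start - skew <= when < end + skew
    ]
    if not candidates:
        return "unassigned", []
    if len(candidates) == 1:
        return "unique", candidates
    return "ambiguous", candidates


def correlate(web_log, leases, skew=timedelta(minutes=2)):
    """Join every website log entry to the ISP's assignment records."""
    index = build_index(leases)
    results = []
    for stamp, ip, action in web_log:
        status, subscribers = resolve(index, ip, _parse(stamp), skew)
        results.append((stamp, action, status, subscribers))
    return results


if __name__ == "__main__":
    for row in correlate(WEB_LOG, LEASES):
        print(row)
```

The second entry shows why the timestamp is as identifying as the address: with dynamic assignment, a one-minute disagreement between the two clocks is enough to leave two households as candidates for the same log line.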

2 IP addresses under European law

As a result, the importance of IP addresses to individual privacy is now well
recognised in European law. As far back as 2007 the Article 29 Working Party
argued that

unless an ISP is in a position to distinguish with absolute certainty that the data
corresponds to users that cannot be identified, it will have to treat all IP
information as personal data, to be on the safe side.8

8 Article 29 Working Party, ‘Opinion 4/2007 on the concept of personal data,
01248/07/EN WP 136’ (Opinion 4/2007, European Union, 20 June 2007).


In a subsequent paper, the Article 29 Working Party confirmed that this basic
approach ought to also be followed by search engines.9

The relevant jurisprudence coming out of the Court of Justice of the European
Union (‘ECJ’) has been consistent with this approach. In Scarlet Extended SA v
Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM),10 SABAM, a
collective of copyright owners and publishers, sought an order requiring
Scarlet, an ISP, to prevent individuals from using its system to send or receive
musical works within SABAM’s portfolio through the use of a systematic filter
that would analyse the content of all data shared by subscribers. The ECJ found
that such a mandatory filter failed to strike a fair balance ‘between the right to
intellectual property, on the one hand, and the freedom to conduct business,
the right to protection of personal data and the freedom to receive or impart
information, on the other’.11 In reaching this conclusion, the Court argued that
all parties had accepted that IP addresses are ‘protected personal data because
they allow users to be precisely identified’.12

The addresses in Scarlet Extended allowed users to be identified, of course,
because they were held by an ISP that could directly connect them to their
subscriber data. However, what if the data controller were not an ISP, but
rather a website operator? Should a website’s logs of the IP addresses of its
visitors still be classed as personal data, even though the website acting alone
does not have the mechanism to directly connect them to an identifiable
individual?

In Patrick Breyer v Bundesrepublik Deutschland the ECJ answered this in the
affirmative.13 Breyer brought an action seeking to prevent websites run by the
federal German government from storing IP addresses of visitors. As the IP
addresses were dynamic, the only way the website operators could identify
individuals would be to approach the relevant ISP and ask it to connect them
to a subscriber. The Court found that even dynamic IP addresses of visitors to
websites were properly classed as personal data when held by website
operators with the legal means to obtain information from a third party (such as
an ISP), that would then allow them to connect the address to a given
individual.14 Since the law did allow that ‘in the event of cyber-attacks … [a
competent authority could] take the steps necessary to obtain that information
from the ISP and to bring criminal proceedings’,15 this threshold was met.

9 Article 29 Working Party, ‘Opinion 1/2008 on data protection issues related to
search engines, 00737/EN WP 148’ (Opinion 1/2008, European Union, 4 April 2008).
10 (C-70/10) [2011] ECR I–11959 (24 November 2011) (‘Scarlet Extended’).
11 Ibid [53].
12 Ibid [51].
13 Patrick Breyer v Bundesrepublik Deutschland (Court of Justice of the European
Communities (Second Chamber), C-582/14, 16 October 2016).

The approach taken in Patrick Breyer also seems consistent with recital 26 of the
EU Data Protection Directive, which states that when answering the question of
identifiability, ‘account should be taken of all the means likely reasonably to be
used either by the controller or by any other person to identify the said
person’.16 This implies that it is not necessary under the Data Protection Directive
that the data controller be able to immediately identify the individual through
her IP address in order that the information be treated as ‘personal data’; rather,
there simply must be a reasonable chance of them doing so given the means at
their disposal.

This reflects a relatively expansive interpretation given to personal data in the
EU, an interpretation that will be further solidified with the replacement of the
Data Protection Directive in May 2018 with the General Data Protection Regulation
(‘GDPR’).17 Recital 30 of the GDPR explicitly uses IP addresses as an example
of an online identifier that ‘may be used to create profiles of natural persons
and identify them’.18 Though it remains to be seen how the ECJ will interpret
the GDPR, given the jurisprudence under the Directive and the direct inclusion
of IP addresses into the recital, it is difficult to imagine the Court suddenly
embracing a more restrictive approach to the treatment of IP addresses as
personal data.

3 IP addresses under Hong Kong law

In Hong Kong, the legal protection of privacy is obtained in several ways. The
Basic Law,19 the quasi-constitution that grew out of the agreement between the
United Kingdom and China regarding the restoration of Chinese sovereignty
over the territory,20 provides for the physical, territorial and communications
privacy of residents of Hong Kong vis-à-vis the state. Article 28 of the Basic Law
prohibits ‘arbitrary or unlawful search of the body’, article 29 prohibits
‘arbitrary or unlawful search of, or intrusion into [the home]’, and article 30
protects the ‘freedom and privacy of communication’.

14 Ibid [49].
15 Ibid [47].
16 Data Protection Directive [1995] OJ L 281/31, recital 26.
17 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) [2016] OJ L 119/1.
18 Ibid recital 30.
19 Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China
(‘Basic Law’).

Though judicial interpretation of these provisions by the courts has been
relatively narrow in scope,21 article 39 of the Basic Law also requires the
incorporation of the International Covenant on Civil and Political Rights22 into
domestic legislation. This incorporation is achieved through the Hong Kong Bill
of Rights Ordinance,23 where article 14 ensures the ‘protection of privacy, family,
home, correspondence, honour, and reputation’.24

Of course, both the Basic Law and the BORO relate to the relationship between
the individual and the state, and so it falls to the PDPO to generally govern the
privacy rights of individuals in Hong Kong in other circumstances. The PDPO
is a comprehensive data protection regime, and (coming into effect in 1995) was
the first of its kind in Asia. Like other comprehensive regimes,25 it traces its
conceptual roots to the ‘fair information principles’ of the Organisation for
Economic Co-operation and Development Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data,26 which form the substantive core of the law:
the six ‘Data Protection Principles’ (‘DPPs’).27

20 Joint Declaration of the Government of the United Kingdom of Great Britain and Northern
Ireland and the Government of the People’s Republic of China on the Question of Hong Kong,
opened for signature 19 December 1984, [1985] UKTS 26 (entered into force 29 May
1985) (‘Joint Sino-British Declaration’).
21 See, eg, Democratic Party v Secretary for Justice [2007] 2 HKLRD 807, 819 where
Hartmann J argued that ‘Art 30 of the Basic Law does not seek to protect privacy
simpliciter’.
22 International Covenant on Civil and Political Rights, opened for signature 19 December
1966, 999 UNTS 171 (entered into force 23 March 1976) (‘ICCPR’).
23 Hong Kong Bill of Rights Ordinance (Hong Kong), cap 383 (‘BORO’).
24 This language mirrors art 17 of the ICCPR.
25 See Stuart Hargreaves, ‘Data Protection Regimes’ in Christopher Anglim (ed)
Privacy Rights in the Digital Age (Grey House Publishing, 2016).
26 Organisation for Economic Co-operation and Development, OECD Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data (23 September 1980)
<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm> (‘OECD Guidelines’).
27 PDPO (Hong Kong), cap 486, s 4; PDPO (Hong Kong), cap 486, sch 1. The six DPPs
are the data collection principle, the accuracy and retention principle, the data use
principle, the data security principle, the openness principle, and the data access and
correction principle.

DPP3, the data use principle, requires that personal data collected about a data
subject cannot be used for a new purpose without the explicit consent of the
data subject, subject to certain exemptions.28 Generally, this has been taken to
mean that data cannot be transferred by a data controller to a third party
without such consent (or where there is a relevant exemption). However, for IP
addresses to benefit from this protection, they must first reach the threshold of
being ‘personal data’, defined under the PDPO as ‘data relating directly or
indirectly to a living individual, from which it is practicable for the identity of
the individual to be directly or indirectly ascertained’.29 The PDPO also defines
‘practicable’ as meaning ‘reasonably practicable’,30 a question to be answered
by taking into account ‘all relevant data controlled by the party’.31

It is also worth noting that General Condition 6 of the Services-Based Operator
Licence, which all ISPs and mobile internet providers are required to obtain by
the Telecommunications Authority under the Telecommunications Ordinance,32
obliges licensees to not disclose the ‘information’ of customers without their
consent or unless it is needed for the prevention or detection of crime.33
However, ‘information’ is not defined in either the Licence or the
Telecommunications Ordinance, and so for the purposes of this paper we continue
to query the meaning of ‘personal data’ under the PDPO as it relates to IP
addresses.34

28 PDPO (Hong Kong), cap 486, Part 8.
29 PDPO (Hong Kong), cap 486, s 2(1).
30 Ibid.
31 Also referred to as ‘the totality test’: Office of the Privacy Commissioner for Personal
Data, Data Protection Principles in the Personal Data (Privacy) Ordinance – from the
Privacy Commissioner’s perspective (2nd Edition), (2010) 2.19
<https://www.pcpd.org.hk/tc_chi/publications/files/Perspective_2nd.pdf>.
32 Telecommunications Ordinance (Hong Kong), cap 106, s 7; See Hong Kong
Communications Authority, Guidelines for the Application of Services-Based Operator
(‘SBO’) License (5 March 2013) <http://www.coms-auth.hk/filemanager/statement/tc/upload/127/gn32013e.pdf>.
33 See Hong Kong Communications Authority, Telecommunications Ordinance (Chapter
106) Services-Based Operator Licence (19 May 2016) <http://www.coms-auth.hk/filemanager/common/licensing/SBO_form_conditions_e.pdf>.
34 The government relied on an earlier version of this licence to deflect a query from a
LegCo member as to whether IP addresses constitute personal data under the PDPO:
see Constitutional & Mainland Affairs Bureau, ‘LCQ17: IP addresses as personal
data’ Constitutional & Mainland Affairs Bureau (Press Release, 3 May 2006)
<http://www.info.gov.hk/gia/general/200605/03/P200605030211.htm>.


In comparison to European law, the question of whether IP addresses reach the
legal standard of being ‘personal data’ under Hong Kong law is far from
settled; judicial consideration is both less conclusive and less coherent. Cinepoly
Records v Hong Kong Broadband Network35 was the earliest case to touch upon this
issue. A group of plaintiff music companies sought Norwich Pharmacal36 relief
against the defendant internet service provider for the names, Hong Kong
identity card numbers, and other information relating to 22 subscribers whom
the plaintiff believed were infringing its copyright through peer-to-peer
‘torrent’ software. Cinepoly already had the IP addresses of the subscribers,
and argued that since Hong Kong Broadband Network (‘HKBN’) had assigned
the subscribers those addresses, HKBN could also use them to provide
Cinepoly with the other information (name, identity card number, address, etc)
that they required to proceed with their main action. Norwich Pharmacal relief
was required because that information was arguably ‘personal data’ under the
PDPO, and therefore could not be handed over by HKBN to Cinepoly absent
the consent of the 22 subscribers (which obviously they would not provide) or
a court order.

Poon Dep J granted the relief, finding that the necessary elements were met.
The applicant was able to establish that serious tortious or wrongful activities
had been occurring (heavy copyright infringement), the applicant had a bona
fide belief that the alleged wrongdoers were infringing its rights, and that
HKBN was facilitating this infringement.37 In deciding to exercise the Court’s
discretion to make the order, Poon Dep J noted that section 58 of the PDPO
provides an exemption to DPP3 (the use limitation principle that would
otherwise prevent an ISP from handing over personal information without
consent) where the new use of the data is for the prevention or detection of
crime or unlawful or seriously improper conduct, if it can be shown that
applying DPP3 in such circumstances would prejudice the ability to remedy
that conduct. Poon Dep J concluded that such prejudice would in fact occur if
the Norwich Pharmacal order were not granted, and therefore ordered HKBN to
provide Cinepoly with the subscriber information.38

35 [2006] 1 HKLRD 255 (‘Cinepoly’).
36 Such relief, if granted, can compel an innocent third party who has facilitated the
perpetration or continuation of wrongdoing by the alleged wrongdoer to comply
with a request from an applicant to disclose information that will assist the applicant
in their case against the alleged wrongdoer: See Norwich Pharmacal Co & Ors v
Commissioners of Customs and Excise [1974] AC 133; A Co v C Co [2002] 3 HKLRD 111.
37 Cinepoly [2006] 1 HKLRD 255, [18]–[19], [24]–[33]. Later the same year, Chan Dep J
applied an identical approach and came to the same conclusion in another action for
Norwich Pharmacal relief by a group of 10 plaintiff music companies against four ISPs
regarding 49 individual subscribers suspected of copyright infringement: Cinepoly v
Hong Kong Broadband Network [2006] HKCU 1500.

However, at no point did Poon Dep J argue or conclude that the IP addresses
themselves were personal data within the meaning of the PDPO. Rather, the IP
addresses were simply the mechanism by which the personal data (name, ID
card number, billing address, etc) of the subscribers could be obtained. In dicta,
however, Poon Dep J nonetheless acknowledged that the use of IP addresses
was connected to individual privacy:

Some online copyright infringers may well think that they will never be caught
because of the cloak of anonymity created by the P2P programs. They are wrong.
And from now on, they should think twice. … The court can and will, upon a
successful application, pull back the cloak and expose their true identity.39

However, Poon Dep J also went on to argue that for the Court to order a
connection of their IP addresses to their subscribers’ identity would not be ‘an
intrusion into their privacy, [because the] protection of privacy is never and
cannot be used as a shield to enable them to commit civil wrongs with
impunity’.40 This evinces some muddled thinking. On the one hand, Poon Dep
J appears to accept that IP addresses can be used to eliminate the anonymity of
internet users in Hong Kong if an ISP connects them to a particular user, a
decision that necessarily reduces the privacy of the individual whose identity
is disclosed. This makes sense. However, Poon Dep J then goes on to argue that
this is not an intrusion of privacy because privacy cannot be a shield to commit
wrongdoing.

Respectfully, this is an illogical approach to the very fair ‘balancing’ question
of when privacy ought to be justifiably limited in order to protect other rights.
A more sensible approach would be to simply acknowledge that privacy is not
an absolute right, and there are circumstances in which it is legitimate for the
state to order an intrusion into that privacy; search warrants and court orders
are examples where individual privacy loses out to other interests. Indeed, this
is explicitly provided for by the PDPO. The issuance of a search warrant does
not, however, imply that there is no relevant privacy interest; rather it means
that, on balance, a judicial officer has deemed it necessary and justifiable to
pierce that interest.

Now, it is fair to argue that the Court did not feel the need to treat IP addresses
as ‘personal data’ in Cinepoly because it was not necessary on the facts of the
case. Recall that the applicants already possessed the IP address information and
sought to use it to obtain other personal data. But this seems inconsistent with
the recognition by the Court that the IP addresses were ultimately the key to
unlocking the online activities of the alleged copyright infringers. Inclusion of
IP addresses within the category of ‘personal data’ would not have altered a
result based on section 58.

38 Cinepoly [2006] 1 HKLRD 255, [41]–[57].
39 Ibid [78].
40 Ibid.

The second significant case in the Hong Kong courts touching on this issue
related to the conviction of a mainland-based journalist in 2006 by the Changsha
Intermediate People’s Court for transferring state secrets to foreign entities. He
had used a Yahoo! email account to send notes on secret files from his office
computer and his conviction was obtained in part thanks to the disclosure of
related personal data by Yahoo! Holdings (Hong Kong) Ltd (‘YHHK’) to the
relevant authorities in China.41 This data included user registration details
associated with the email account in question, associated IP addresses, login
metadata and certain email content. The appellant lodged a complaint with the
Office of the Privacy Commissioner for Personal Data (‘PCPD’) arguing that
this was a breach of DPP3. The PCPD concluded in its Report that IP addresses
were not personal data within the meaning of the law, because they are
‘information about an inanimate computer, not an individual. … [A]n IP
address cannot alone reveal the exact location of the computer concerned or the
identity of the computer user’.42

The PCPD also determined that YHHK was not a ‘data user’ within the
meaning of the law, since although it was the legal owner of the Beijing
subsidiary and thus may have had control of the information generally,43 it had
no control over the disclosure of the information in question because it was
compelled to disclose it under the Criminal Procedure Law of the People's Republic
of China.44 Furthermore, there was no contravention of DPP3 in the PCPD’s
view thanks to terms of service and privacy policies that stated that YHHK
might share certain information in response to court orders and legal
processes.45 As a result, the Commissioner concluded, the disclosure was a ‘use’
for a purpose consistent with the original purpose of collection and therefore
there was no violation of DPP3.46

41 Though the applicant was based in the mainland and used a Yahoo! account
registered through a Beijing-based Yahoo! subsidiary, YHHK was the legal entity
that owned that subsidiary and was therefore responsible for it.
42 Roderick B Woo, ‘The Disclosure of Email Subscriber’s Personal Data by Email
Service Provider to PRC Law Enforcement Agency’ (Report No R07-3619, Office of
the Privacy Commissioner for Personal Data, Hong Kong, 14 March 2007) [8.10]
<https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/Yahoo_e.pdf>.
43 Ibid [8.22].
44 National People’s Congress, 1 July 1979; Ibid [8.25]–[8.26].
45 Woo, above n 42, [8.38]–[8.40].

Unsatisfied with this outcome, the appellant brought the case, Shi Tao v PCPD,47
before the Administrative Appeals Board (‘AAB’) as was his right under the
PDPO. He argued, inter alia, that the correct approach to the question of
whether IP addresses constituted personal data was not about whether they
themselves were data per se, but whether they were when combined with other
relevant data.48 The PCPD argued in response that personal data itself had to
have ‘biological significance’ in relation to the individual.

The AAB split the difference between these two positions, concluding that ‘IP
information … even when coupled with other information disclosed, does not
constitute personal data within the meaning of the PDPO’.49 On this particular
set of facts, the AAB concluded, there was no evidence that the user
information related to the IP address revealed the applicant’s identity (that
information was an anonymous Yahoo! email address, the business address
where the computer sending the email was located, and the time and date the
message was sent).50 They therefore concluded that none of the information (not
just the IP addresses) transmitted by YHHK to the state authorities in China
was ‘personal data’ within the meaning of the PDPO.

Though not necessary given their conclusion that there was no ‘personal data’
at issue, the AAB went on to consider whether DPP3 had been breached, in case
they were wrong on their conclusion about the nature of the data. They
disagreed with the PCPD’s Report in part, finding that YHHK was a data user
within the meaning of the PDPO, because it had control over the information
in question as a matter of course. The fact that it was compelled by a
government entity to transfer the information did not strip the company of that
status generally.51

The AAB agreed with the PCPD, however, that the appellant had given his
consent to the transfer of his information in the contemplated circumstances
thanks to the terms of service and privacy policy associated with his email
account. It disagreed with the PCPD that conceptually the transfer was
therefore a use ‘consistent with’ the purpose of the original collection. Instead,
it was better understood simply as consent to that particular purpose:
compliance with a legal process.52 Reliance on consent to the terms of service
rather than the section 58 exemption was necessary, concluded the AAB, since
the requested transfer was an out-of-jurisdiction legal process.

46 Ibid [8.41].
47 Shi Tao v Privacy Commissioner for Personal Data [2008] 1 HKC 287 (‘Shi Tao’).
48 Ibid [54].
49 Ibid [62].
50 Ibid [63]–[67].
51 Ibid [71].

Returning to the critical question of the nature of IP addresses, the AAB in Shi
Tao appeared to reject the treatment of IP addresses in Cinepoly. The AAB
suggested that because the user information sought by the applicants in
Cinepoly was ‘reliably personal’ (names, ID card numbers, and addresses), then
in that context IP addresses would constitute personal data when coupled with
that information. However, the AAB’s application of this principle to the facts
before it in Shi Tao seems unsatisfying. As noted, the AAB found that the IP
address information transferred by YHHK could not identify an individual
without being coupled with more information, and thus did not satisfy the
definition of personal data under the PDPO. Yet the identity of the appellant
was relatively easily determined once the Security Bureau had the locational
information associated with that IP address, since it was trivial for them to
determine who had access to the computer in question at the relevant time.
There seems little justification for holding that the existence of an additional
step (even one out of the hands of the data user) that must occur before the
‘biographical’ level of personal data is revealed somehow strips away the
ability of IP address data to be ‘personal data’. Regrettably, the PCPD has not
indicated any disagreement with the conclusion of the AAB in Shi Tao, citing it
in 2010 in its own document explaining the proper interpretation of the PDPO.53

In any event, what we are left with is that the legal status of IP addresses as
‘personal’ data within the meaning of the PDPO is unclear. The jurisprudence
provides us with only two somewhat conflicting court decisions, neither of
which is from an appellate level court.

It was with this legal background that the Access My Info: Hong Kong
(‘AMI:HK’) project was launched in 2016 in the hopes of better understanding
generally how data users in the telecommunications sector interpret their
obligations regarding a data subject’s access to ‘personal data’ under the PDPO,
and specifically whether they consider IP addresses to fall within that concept.

4 An attempt to bring clarity – the AMI:HK project

DPP6 contains a series of ‘access rights’, allowing data subjects to ascertain if a
data user holds their personal data, a right to access it within a reasonable time,
at a reasonable cost, in a reasonable manner and in an intelligible form, and to
correct the data if it is inaccurate.54 Sections 18–21 of the PDPO provide further
detail on the operation of this principle (including exemptions, timeframes,
circumstances under which requests for access may legitimately be refused,
etc), and the PCPD has published a set of (non-binding) ‘best practice’
procedural guidelines for data users subject to an access request.55 However,
the general way in which the right is framed still leaves great scope for how
DPP6 is interpreted in practice. This, combined with the aforementioned
uncertainty surrounding the status of IP addresses under Hong Kong law, is a
driving force behind the AMI:HK project.

52 Ibid [95].
53 Office of the Privacy Commissioner for Personal Data, above n 31.

The project provides an easy-to-use web portal allowing Hong Kong residents
to submit data access requests in either English or Chinese to eight different
mobile phone and internet service providers. It is written in simple language,
with an easy-to-use interface, requiring a minimal number of steps. AMI:HK
does not act as agent of the data subject, but rather assists them in generating a
request that they can then submit via email, or print and submit through the
post. At the time of writing, the site had been used to generate 1603 requests.

AMI:HK does not log any user data on the server side; the process is handled
on the client side. Participants can request call logs, geolocation data, IP address
logs, subscriber info, etc, but cannot make a blanket request for ‘all personal
data’, since under both the PDPO56 and the relevant Guidance Note data users
can reject requests that are ‘too general’.57

Though the PDPO requires that data access requests be made using a
prescribed form,58 the automated nature of AMI:HK means this form is not
used. However, the relevant Guidance Note ‘strongly advises’ data users
against denying access requests for such technical reasons;59 the PCPD also
indicated in discussion with project members that they expect recipients of
access requests to comply with any request that adheres to the spirit of the
form, even if the form itself is not used.

54 PDPO (Hong Kong), cap 486, sch 1(6).
55 Privacy Commissioner for Personal Data, Hong Kong, Guidance Note: Proper
Handling of Data Access Request and Charging of Data Access Request Fee by Data Users
(June 2016) <https://www.pcpd.org.hk/english/publications/files/DAR_e.pdf>.
56 PDPO (Hong Kong), cap 486, s 20(3)(b).
57 Privacy Commissioner for Personal Data, Hong Kong, above n 55.
58 PDPO (Hong Kong), cap 486, s 20(3).
59 Ibid.

Early responses to access requests made through AMI:HK suggest there is no
standardisation amongst telecommunications service providers regarding:

• fees for processing data access requests

• the classification of ‘personal data’

• how to deal with data access requests

• retention periods.

The results also reveal that though providers are aware of and adhere to the
PDPO’s guidelines regarding response timelines, the overall process remains
extremely lengthy. Most significantly for our purposes, up to the time of
writing not a single telecommunications provider presented with a data access
request through AMI:HK has provided the IP addresses assigned to the
subscriber as part of its response.

While a subsequent paper will provide a full analysis of the results of the
project once completed and provide a detailed set of policy recommendations
in response, these preliminary results reveal a certain amount of inconsistency
amongst Hong Kong’s telecommunications providers regarding their
approach to the procedural requirements of DPP6. However, there is no reason
to suppose at this stage that any of the eight telecommunications organisations
subject to requests through AMI:HK view IP addresses as personal data within
the meaning of the PDPO. If this proves accurate as the project continues and
IP addresses are not viewed as personal data, then this suggests a need for the
PCPD to address a clear gap in Hong Kong’s privacy framework, given the
importance of IP addresses to the personal privacy of Hong Kong’s residents.

Conclusion

We are rapidly entering a world of the ‘internet of things’, in which we wear
fitness trackers that store our sensitive health information in the cloud, drive
internet-enabled cars that maintain logs of our driving habits and destinations,
and fill our houses with ‘smart’ devices equipped with cameras and
microphones. Together, they can paint an incredibly detailed portrait of our
daily lives. They are also subject to the same kind of legal requests identified
herein. As this project continues to evolve, it may therefore expand beyond
internet and telecommunications service providers to include content
providers and internet-enabled hardware manufacturers of all kinds. Given the
current results, however, it is reasonable to assume that such an expanded
project would reveal essentially the same as we have uncovered so far. The
governing law is the same and there is little reason to assume that content
providers voluntarily adopt more stringent privacy protections than ISPs and
telecommunications providers. What is required, then, is to give proper
recognition to IP addresses as a critical piece of the personal data of Hong
Kongers. This means reform that goes beyond issuance of a Guidance Note by
the PCPD; the protection must become a clear and enforceable part of the PDPO
itself. The GDPR offers a model for how this could be done and, in our view,
the Hong Kong government would be wise to give serious consideration to
similar changes. The PDPO has undergone only one significant amendment
since its introduction (a series of reforms in 2012 related primarily to direct
marketing), and it is critical that Hong Kong not be saddled with an outdated
data protection regime as the rest of the world moves forward.
