Course title and course code: Privacy and Data Protection LLAW6046

Student Number: 3035863346


Word count (if applicable): 3408 words

1. Background

On 30 January 2020, the World Health Organization (“WHO”)[1] declared the worldwide outbreak of the
unprecedented Coronavirus disease 2019 (“COVID-19”) a Public Health Emergency of
International Concern (“PHEIC”). As of 28 October 2022, 626 million confirmed cases and 6.5
million deaths from COVID-19 had been reported around the world.[2] Global economies and
people's normal lives have been left vulnerable and drastically disrupted. On 8 January 2020, the
HKSAR Government (“the Government”) commenced control measures to prevent the further
spread of the pandemic by adding COVID-19 to the statutorily notifiable infectious diseases in the
ordinance[3] and amending its subsidiary legislation.[4]

The COVID-19 situation pivoted in January 2022, when a local outbreak was triggered by several
notable incidents. Some aircrew from Cathay Pacific Airline violated the quarantine requirements
specified by the Government,[5] and the virus spread further at the Moon Palace restaurant,[6] which
created a novel challenge for the Government in tracing the contagion. More proactive tracking of
individuals by means of unorthodox control measures was required, which involved more collection
and use of personal data.[7]

Section 8 of the Prevention and Control of Disease Ordinance (Cap 599) grants the Government the
authority to hamper, tackle or alleviate the impact of public health emergency situations if they
materialize.[8] The Chief Executive in Council applied this section to approve eight public health
emergency regulations under Cap 599.[9]

2. Paradox of privacy and public health interest

From a public interest perspective, anything that affects the well-being, rights, health, or finances of
the public at large falls within the scope of concern, e.g., COVID-19. The Government implemented
restrictions, with contact tracing as one of the key mechanisms for tracking and reporting health
conditions in order to prevent and detect virus transmission.[10] Contact tracing is effectively used
by the Health Department to identify and alert members of the public who have been exposed to
someone infected with COVID-19.[11] The Office of the Government Chief Information Officer
(“OGCIO”) launched the LeaveHomeSafe COVID-19 exposure notification mobile app
(“LeaveHomeSafe”) to the public in November 2020, featuring voluntary participation and recording
of visits at users' discretion.[12] On 6 December 2021, an extended requirement was implemented[13]
for people to scan the QR code with LeaveHomeSafe to demonstrate eligibility to enter catering and
scheduled premises.[14] LeaveHomeSafe assesses, tracks, and collects data including name, identity
number, visit records with real-time recording parameters, COVID-19 vaccination records and
registration information for testing centers (including name, gender, date of birth, residential
address), etc.[15] These data refer to any form of data that relates to an individual's attributes and can
practically be accessed or processed to identify the individual in question.[16]

[1] WHO, COVID-19 Public Health Emergency of International Concern (“PHEIC”) Global research and innovation forum, 12 February 2020
[2] WHO, Coronavirus (COVID-19) Dashboard
[3] Schedule 1 of Cap 599 Prevention and Control of Disease Ordinance, “Severe respiratory disease associated with a novel infectious agent” was added into the schedule
[4] Cap 599A
[5] Government of HKSAR, press release “LCQ13: Quarantine arrangements for air crew”, 19 January 2022
[6] Government of HKSAR, press release “CHP provides update on cases related to Moon Palace”, 1 January 2022
[7] The Government of HKSAR, press release, “Stepping up testing and continuation of targeted group testing scheme”: the Government adopted a series of preventive and control measures decisively to achieve the objective of "early identification, early isolation and early treatment"
[8] Cap 599
[9] The Government of HKSAR, press release “The Government amends regulations under Prevention and Control of Disease Ordinance”, 29 March 2022; the expiry date of the amended regulations was extended to 31 March 2023
[10] Rongzhang Hao, Yewu Zhang, Zhidong Cao, Jing Li, Qing Xu, Lingling Ye, Xudong Guo, Tao Zheng, Hongbin Song, Control strategies and

Legal concerns and contention over the importance of data protection have grown rapidly,
resulting in conflicts between personal privacy and public health regarding the provision of the
personal data collected. The most notable concerns relate to the potential violation of privacy and
human rights through excessive personal data collection, and the possibility of misuse of personal
data for other unknown purposes, such as location tracking. Since the launch of LeaveHomeSafe,
49 complaints have been received and logged by the Office of the Privacy Commissioner for
Personal Data (“PCPD”), relating to the handling of the registration data of customers or
visitors.[17]

In summary, the privacy concerns in the age of big data lie in (1) personal data collection and
location tracking and (2) the sharing of health data with health authorities, institutions, or law
enforcement agencies. This demonstrates the conflict between public interest and privacy addressed
in the Hysan case,[18] in which the Court of Final Appeal decided whether the constitutional right
of privacy was infringed.

[10, continued] their effects on the COVID-19 pandemic in 2020 in representative countries
[11] California Department of Public Health, What is contact tracing? https://www.cdph.ca.gov/Programs/CID/DCDC/Pages/COVID-19-Contact-Tracing.aspx , 5 May 2022
[12] The Government of HKSAR, Press Release, Launch of "LeaveHomeSafe" COVID-19 exposure notification mobile app (with photos), Nov 2020
[13] Cap 599F, under Prevention and Control of Disease (Requirements and Directions) (Business and Premises) Regulation (RCoDRDBP)
[14] The Government of HKSAR Press Release, Government announces "LeaveHomeSafe" mobile application arrangements in Cap. 599F premises and adjustment to catering business modes of operation
[15] LeaveHomeSafe, Privacy Policy Statement, www.leavehomesafe.gov.hk
[16] PCPD, PDPO
[17] PCPD, Media Statement, Privacy Commissioner Received Nearly 50 Complaint Cases about the Handling of Registration Data of Visitors, 24 November 2021
[18] Hysan Development Co Ltd and Others v Town Planning Board (FACV 21/2015)

3. Fundamental right to privacy

In the HKSAR, the Basic Law (“BL”) and the Hong Kong Bill of Rights Ordinance (“HKBORO”)[19]
(Cap 383) guarantee the fundamental rights of HK citizens. Under BL Article 28, residents' freedom
is inviolable. Article 17 of the International Covenant on Civil and Political Rights (“ICCPR”) was
implemented through the BL;[20] along with HKBORO Article 14, it provides that no one shall be
subject to arbitrary or unlawful interference with their privacy.[21]

The Constitution of India grants all persons the right to privacy in their lives.[22] The Supreme Court
recognized that the right to privacy is a basic right under the Constitution.[23] India has ratified the
same interpretation as the ICCPR. Justice D.Y. Chandrachud, a Judge of the Supreme Court, set out
a prominent three-pronged test for the right to privacy: (a) a valid law established by due procedure
must be present that justifies a contravention of privacy; (b) a genuine intrusion of privacy must
exist, and there must be a legitimate purpose that falls within the ambit of reasonableness, which is
important for the prevention of arbitrary State action; (c) the method of infringement adopted by the
Legislature must be proportional to the objects and needs sought to be fulfilled by the regulation.[24]

In Singapore, there are no judicial provisions dedicated to rights to privacy. The Personal Data
Protection Act 2012 (“PDPA”) is in place to govern the collection, use and disclosure of
personal data by organizations in reasonable circumstances.[25] The obligations under the PDPA do
not apply to the public sector; separate rules under the Government Instruction Manual 8 and the
Public Sector (Governance) Act would apply.[26] The COVID-19 (Temporary Measures) Act 2020 was
established to take precedence over the PDPA obligations.[27]

In the United Kingdom (“UK”), the European Union (“EU”) General Data Protection Regulation
(“GDPR”)[28] applies, along with the Data Protection Act 2018, which controls how personal data
are used by the Government, authorities, and corporations. Data protection principles with strict
requirements are set in place for personal data users.[29] English law does not provide a
comprehensive cause of action for privacy interference.[30] However, Article 8 of the European
Convention on Human Rights, an international treaty incorporated into UK law, provides the
right to personal privacy. Article 8 is a qualified right, meaning that if it is contravened,
the interference might be justified in specified circumstances.

[19] Article 14
[20] Article 39
[21] Article 14, HKBORO
[22] Article 21 and In the Supreme Court of India, Civil Original Jurisdiction, Writ Petition (Civil) No 494 of 2012
[23] Justice K.S. Puttaswamy (Retd.) v Union of India [Writ Petition No 494/2012]
[24] The privacy judgement(s): explorations and expositions, P. Puneeth
[25] PDPA Section 3
[26] DLA Piper, Data Protection Law of the world, https://www.dlapiperdataprotection.com/index.html?t=law&c=SG
[27] Singapore Management University, Law and COVID-19
[28] Regulation (EU) 2016/679
[29] Gov.UK, Data Protection Act
[30] Wainwright v Home Office [2003] UKHL 53

Article 12 of the Universal Declaration of Human Rights, a milestone document of the United
Nations, states: “No one shall be subjected to arbitrary intervention with his privacy, family, home
or correspondence, or to attack upon his reputation and honor. Everyone has the right to the
protection of the law against such interference.”[31]

4. Balancing the privacy rights and health risk

Under Gavison’s comment, privacy means a limitation of others' access to an individual.[32] An
individual’s secrecy, anonymity, and solitude are interfered with when the person is accessible to others.
The individual’s right to life is set out under (a) HKBORO Article 2 of Part II and (b) Article 6
of the ICCPR, which states that every human being has the inherent right to life. Yuval Shany from the
Human Rights Committee of the UN (“HRCUN”) commented on Article 6 of the ICCPR that the
right to life is “the prerequisite for the enjoyment of all other human rights”, “supreme right”, “no
derogation is permitted even in the situations of armed conflict and other public emergencies which
threatens the life of the nation.”[33] These interpretations refer to the private preceding the other
contradictory interests. The right to life covers the individual data subjects, who ultimately
make up the body of citizens in society and who might be confirmed or potential COVID-19
cases. The Bartnicki case[34] demonstrated that free speech interests outweigh individual privacy
concerns.

In contrast, Section 5 of the HKBORO states that the ordinance's provisions may be restricted or
derogated from in situations of exigency and public emergency which threaten the life of the nation.
Hence the right to privacy is not absolute by any means, given that protecting an individual’s privacy
must not unduly violate other legitimate interests. Such an exception is valid especially in emergency
situations such as a life-threatening pandemic.[35] The Privacy Commissioner commented that articles
in the PDPO allow authorities to work around some of the restrictions on handling personal data in
the public health interest.[36] The Jacobson case[37] demonstrated the authorities’ power under
regulation to balance the protection of public health against individual rights. It is illogical for the
public to claim privacy for their public activities such as governance, policy making, and politics,
etc.

[31] United Nations, Universal Declaration of Human Rights (UDHR), https://www.un.org/en/about-us/universal-declaration-of-human-rights
[32] Gavison, Ruth E., Privacy and the Limits of Law (May 16, 2012). The Yale Law Journal, Vol. 89, No. 3 (Jan., 1980), pp. 421-471
[33] The Universal Declaration of Human Rights, press release, ‘UN Human Rights Committee publishes new general comment on the ‘right to life’, 1 November 2018 & General comment No. 36 (2018) on article 6 of the International Covenant on Civil and Political Rights, on the right to life, 30 Nov 2018, https://tbinternet.ohchr.org/Treaties/CCPR/Shared%20Documents/1_Global/CCPR_C_GC_36_8785_E.pdf
[34] Bartnicki v. Vopper, 532 U.S. 514 (2001)
[35] Cap 486 Section 63C
[36] The Standard, App tracker function 'non-issue' for privacy, 11 Feb 2022
[37] Jacobson v Massachusetts, 197 U.S. 11 (1905)

The data user of LeaveHomeSafe (i.e., the Government) is bound by the Personal Data (Privacy)
Ordinance (Cap. 486) (“PDPO”),[38] which is enforced by the PCPD[39] and controls the
collection, handling, and use of personal data. It applies to both the private and public sectors. The
data user must comply with the data protection principles (“DPP”) pursuant to the PDPO, to ensure
that personal data are handled in compliance with the ordinance. There are exceptions to the general
rules under privacy law. PDPO Section 59 protects community health by exempting the use of
personal data relating to physical or mental health, e.g., infection with a virus, from the provisions of
DPP3. The application of such principle to the use of the data might impact the safeguarding of the
health of the data subjects concerned and ultimately the nation. The Ng Shek Wai case[40]
demonstrated that the purposes should be within the reasonable expectations of the data subject.

Regarding LeaveHomeSafe, the PCPD and the Government have clarified the following aspects for the
public in response to doubts about the infringement of personal data.

a) The OGCIO stated that the visit records collected in LeaveHomeSafe, by themselves in isolation,
are not considered personal data. They are encrypted and stored locally and temporarily in
users’ mobile phones, instead of Government systems, for 31 days for anti-epidemic
purposes, and the data will then be deleted automatically.[41] The personal data would not be
transferred to the Government’s system or premises operators for retention.[42] Hence the non-
retrievability function means the visit records themselves in LeaveHomeSafe do not constitute
personal data, as they do not meet the criterion of retrievability. In contrast, the visit records
of a confirmed patient, which are required to be uploaded to the Government’s private database
under Cap 599D as data sharing with the authority,[43] would be protected under the PDPO. Such
records would be retrieved and processed via encrypted means by authorized persons for
epidemiological investigation, including contact tracing.[44]
b) According to the Government, LeaveHomeSafe does not use positioning services or any
other data on users’ mobile phones, and the data is encrypted and stored only in users’
mobile phones.[45] LeaveHomeSafe only utilizes geo-fencing technology around the
dwelling place of a person rather than GPS location tracking.[46]

[38] PCPD, EU General Data Protection Regulation (GDPR), “When the PDPO was drafted, reference was made to the relevant requirements under the OECD Privacy Guidelines 1980 and the EU Directive. Given that the GDPR constitutes significant developments of data protection law from the EU Directive, the new regulatory framework includes a number of requirements that are not found under the PDPO.”
[39] The Hong Kong Federation of Young Group Youth Research Center, Research Paper “Balancing Privacy Protection and Big Data Development”, 17 May 2021
[40] Ng Shek Wai v Medical Council of Hong Kong [2015] 2 HKLRD 121
[41] LeaveHomeSafe, Privacy Impact Assessment for LeaveHomeSafe Mobile App and related Support System (v3.0) for OGCIO
[42] LeaveHomeSafe, Privacy Policy Statement, & PCPD, "Vaccine Pass - Striking a Reasonable Balance Between Protecting Privacy and Public Health", Privacy Commissioner's article contribution at Hong Kong Lawyer, March 2022
[43] Cap 599D. Such rules empower authorised officers to require any person to provide or disclose information that is relevant to identification and tracing of persons who may be at risk of contracting the disease, such as travel history, places they have visited or people they have come into contact with, etc. in relation to the prevention and control of the spread of diseases. A person commits a criminal offence if he / she fails to comply with the requirement to provide information, or gives to an authorized officer any false or misleading information. The maximum penalty for such offence is a fine of $10,000 and imprisonment for six months.
[44] PCPD, "Vaccine Pass - Striking a Reasonable Balance Between Protecting Privacy and Public Health" -- Privacy Commissioner's article contribution at Hong Kong Lawyer (March 2022)

The PCPD considers that “LeaveHomeSafe” complies with the requirements of the Privacy Law.[47]
From my perspective, it appears the PCPD jumped to a conclusion too quickly after making its
assessments and comments on the two key points above. The PCPD also commented that the personal
data collected in the app would not be transferred to other authorities or agencies. Transparency to
the public is still lacking, as the PCPD is not sufficiently independent and is in a position of conflict
of interest in relation to the Government.[48]

The Poland-based company 7ASecurity conducted an independent security audit of LeaveHomeSafe
in May 2022.[49] No artefact was found to prove intentional tracking of individuals; however,
LeaveHomeSafe allows external attackers to intercept the app’s data collection process via the
Android operating system and gain access to the user’s personal data. This means LeaveHomeSafe
did not actually comply with DPP 4, under which the data user needs to ensure security during the
collection, processing, and use of personal data. Separately, the same audit detected facial
recognition libraries, which were part of an off-the-shelf module available on the market and built in
by the developer. The OGCIO subsequently clarified the matter with the developer and asked it to
remove such hidden functions.[50]

The Global Privacy Assembly (GPA) Executive Committee commented that the universal data
protection principles in all our laws shall enable the use of data in the public interest and still
provide the protections the public expects.[51]

Other jurisdictions also take a similar approach to balancing the conflict between the
public interest and data privacy. In the UK, the Information Commissioner's Office (“ICO”) requires
contact tracing solutions to be developed in accordance with the principles of data protection by
design and default. Recording the location in which contact has taken place, or collecting
additional data that may support other functions, e.g. epidemiological research, is considered
beyond the basic functionality needed for contact tracing, notwithstanding the value additional
functionality may offer medical professionals in combating COVID-19. The ICO considers that a
Data Protection Impact Assessment is required for contact tracing solutions prior to
implementation, given that the processing is likely to result in a high risk to the rights and freedoms
of individuals.[52] Data protection laws govern the collection, processing and use of personal data
in public health emergencies, e.g. by contact tracing applications, through the application of the
principles of transparency, fairness and proportionality.[53]

[45] LeaveHomeSafe app, Personal Information Collection Statement
[46] HK Legislative Council, Panel on Information Technology and Broadcasting Meeting on 12 July 2021, Background brief on the application of information technology to combat COVID-19
[47] PCPD, Media Statement, “LeaveHomeSafe” Mobile App in Compliance with the Requirements of the Privacy Law”, 19 February 2021
[48] PCPD, Media Statement, Privacy Commissioner Received Nearly 50 Complaint Cases about the Handling of Registration Data of Visitors, 24 November 2021
[49] 7ASecurity, Pentest Report LeaveHomeSafe, July 2022
[50] HKSAR Press Releases, “OGCIO statement”, 3 May 2022
[51] GPA Media Statement, Statement by the GPA Executive Committee on the Coronavirus (COVID-19) pandemic

5. Conundrum

Privacy is a fundamental right, but it is not unyieldingly absolute. It may be subject to other
competing rights or interests, such as public health in pandemic situations. As such, it is
justifiable for government authorities to collect, use, and process additional personal data to protect
the community from exigencies of health. However, there should be a proper balance, for all
stakeholders, between the individual’s privacy and the public health interest.

The extent of the use of personal data in LeaveHomeSafe to address the public health interest
should be determined by proportionality analysis,[54] which was stated in the Leung Kwok Hung
case.[55] In Mok Charles v Tam Wai Ho, the below approach was formulated: “The proportionality
analysis, which is a well-known test in our courts, consists of the following analysis that the
restriction or limitation must:

(a) pursue a legitimate aim.
(b) rationally connected to that legitimate aim.
(c) be no more than is necessary to accomplish that legitimate aim.”

The government authorities, acting as the data user of LeaveHomeSafe, need to take all practicable
and reasonable steps to ensure the protection of the public’s personal data privacy:

(a) Can fewer personal data be collected and used in the contact tracing measure?
(b) Are there any other ways to achieve the legitimate purpose of protecting public health without
collecting personal data?
(c) Are the benefits of achieving the legitimate purposes not disproportionate to the encroachment on
the fundamental right to personal data privacy, i.e. not imposing an unacceptably harsh burden on the
affected individuals?

In a nutshell, the LeaveHomeSafe data user must adhere to the principles of necessity and
proportionality and must not unduly derogate from protecting personal data. Only minimum,
necessary, non-excessive personal data should be collected, and the purpose of their collection
should be directly related to their original purpose, e.g. ascertaining the confirmed cases among data
subjects and alerting close contacts. The personal data shall only be used for such specified
purposes and shall not be used for any other purposes unless the prescribed consent of the data
subject is obtained. Ultimately, the least privacy-intrusive measures should be selected and adopted.

As a more practical implication, such temporary contact tracing measures involving personal data
adopted during the pandemic should not extend to the post-COVID-19 period.[56]

[52] ICO, COVID-19 Contact tracing: data protection expectations on app development, May 2020
[53] ICO, Blog: Combatting COVID-19 through data: some considerations for privacy, 17 April 2020
[54] Hysan Development Co Ltd and Others v Town Planning Board (FACV 21/2015)
[55] Leung Kwok Hung v HKSAR (2005) 8 HKCFAR 229
[56] Andrea Renda, COVID-19 and privacy: a European dilemma, Digital Policy, Regulation and Governance, ISSN: 2398-5038, published 28 Feb 2022


BIBLIOGRAPHY

Cases
1. Hysan Development Co Ltd and Others v Town Planning Board (FACV 21/2015)
2. Ng Shek Wai v Medical Council of Hong Kong [2015] 2 HKLRD 121
3. Justice K.S. Puttaswamy (Retd.) v Union of India [Writ Petition No 494/2012]
4. I v Finland [2008] ECHR 20511/03 (17 July 2008) European Court of Human Rights

Government Reports, Guidance Notes & Press Releases


1. United Nations, Universal Declaration of Human Rights milestone document
2. LeaveHomeSafe, Privacy Impact Assessment for LeaveHomeSafe Mobile App and related
Support System (v3.0) for OGCIO

Journal Articles & Books


1. Personal Data (Privacy) Law in Hong Kong A Practical Guide on Compliance (Second Edition)
Edited by Stephen Kai-yi WONG, Guobin ZHU, jointly published with The Office of the Privacy
Commissioner for Personal Data [ISBN 978-962-937-594-2]
2. Gavison, Ruth E., Privacy and the Limits of Law (May 16, 2012). The Yale Law Journal, Vol.
89, No. 3 (Jan., 1980), pp. 421-471
3. Andrea Renda, COVID-19 and privacy: a European dilemma, Digital Policy, Regulation and
Governance, ISSN: 2398-5038, Article publication at 28 Feb 2022
4. The Hong Kong Federation of Young Group Youth Research Center, Research Paper “Balancing
Privacy Protection and Big Data Development”, 17 May 2021
5. Human Rights Law Review, 2014, 14, 441–458 doi: 10.1093/hrlr/ngu014 Advance Access
Publication Date: 7 July 2014 Article, “How the Right to Privacy Became a Human Right” Oliver
Diggelmann and Maria Nicole Cleis
6. Gurrea-Martínez, Aurelio and Findlay, Mark James and Goh, Yihan and Ti, Edward and Gao,
Henry S. and Tang, Hang Wu and Yip, Man and Soh, Jerrold and Liu, Nicholas and Hsieh, Pasha L.
and Chen, Christopher Chao-hung and Koh, Pearlie Ming Choo and Zhang, Wei and Remolina,
Nydia and Chik, Warren Bartholomew Kam Wai and De Visser, Maartje and Ong, Benjamin
Joshua and Chan, Gary Kok Yew and Tan, Eugene Kheng Boon and Ong, Ee-Ing and Tan, Seow
Hon and Low, Kee Yang and Quek Anderson, Dorcas and Ho, Lau Kwan and Siyuan, Chen and
Alexander, Nadja Marie, Law and COVID-19 (September 4, 2020). Singapore Management
University School of Law 2020
7. Global Privacy Assembly, COVID-19 Taskforce: Compendium of Best Practices in Response to
COVID-19, October 2020

Other references
1. HKSAR Government Media Statements
2. PCPD Media Statements
