Hong Kong privacy chief blasts U.S. policy

The region's privacy commissioner for personal data since 1995, Lau spearheaded the creation of his office after long stints in the private sector managing information technology for international firms such as CitiBank and Electronic Data Systems, as well as for Hong Kong's government.

In the wake of China's repossession of Hong Kong, Lau is one of the most compelling figures on the front lines of the global policy debate over how to best protect personal privacy in the digital age--a time when it's easier than ever to harness, share, and exploit the most sensitive details about everyday people.

"There is no stronger irony than the fact that Hong Kong is offering stronger privacy protections in this area than the United States," said Marc Rotenberg, chair of the Computers, Freedom, and Privacy conference here. "Given [Lau's] background in the private sector, he still has no problem talking about the need for privacy protections."

China philosophy on personal freedom in cyberspace has been reflected in its efforts to regulate speech on the Internet, moves that have drawn opposition from dissidents and garnered international attention. But Lau's independent agency remains in business because Hong Kong has been designated a special administration region, or, as he puts it, "one country with two systems."

With Lau at the helm, Hong Kong has aggressively implemented its Personal Data Privacy Ordinance, based on Organization for Economic Cooperation and Development (OECD) guidelines passed almost 20 years ago that require individuals, public entities, and private companies to disclose their information-collection practices.

The rules state that consumers must be allowed to opt out of disclosing private data, have access to their records, and be able to correct any errors, and that companies can't collect data for one stated reason and then use it for another.

Unlike the drill under the self-regulatory programs being pushed by the Clinton administration, violating Hong Kong's data privacy law is a crime. Some offenders are warned first before being sanctioned, however.

The United States' Internet industry undoubtedly dwarfs Hong Kong's approximately 7,000 sites. But Lau contends that compliance with digital privacy laws is neither too expensive nor too stifling to businesses and that voluntary industry guidelines are comparable to letting "Dracula look after the blood bank."

Lau's 30-person staff's workload seems to support what many global privacy advocates have been saying--that people need an authority to turn to if they feel their privacy has been abused. Last year, the office received about 400 complaints--almost double the number from 1997. Moreover, the office received 22,861 inquiries about the ordinance in 1998, up from 9,356 the year before.

Still, when it comes to enforcing privacy practices on the Net, pressure is mounting. Last year Lau's staff conducted a random sample study based on 531 Hong Kong-based Web sites but found that only 6 percent were in compliance with the law--therefore, the office is ramping up its public campaign. A follow-up sweep is planned for this summer.

During a break from the ninth annual CFP, Lau talked with CNET News.com about what the United States and others are doing wrong when it comes to data protection, the pitfalls of self-regulation, and protecting privacy under Chinese reign.

CNET News.com: Speaking from your experience in the private sector, is it hard to adequately disclose data collection practices and give consumers access to their files?
Lau: I was the first one to bring this issue of privacy and data protection to the Hong Kong government back in the early '80s when the OECD guidelines came out. I have a very mixed background, public and private sector. All of the private sector has this view--it's prevalent--that whatever resources you have in hand they will use it, and personal data is an important resource now. "As long as I have it, it's mine," they say, "and I will use it to advance my business." But it's not expensive to provide consumers access to that data. This is an inset mentality. Overall, the issue of privacy and data collection represents a business cultural shift, and those take a long time. [In] 20 years, if I'm still sitting here, I will still be doing education about this.

What type of privacy complaints do you receive?
The law went into effect in late 1996. Complaints are rising because people are more aware about their rights. Most of them have to do with the "change of use" of data without permission. When you collect data, you need to specify the purpose. When you change the use of it, you have to get permission. People also complain [when a company gives]out their data to someone else. For example, if a wife wants to find out her husband's credit card receipts, you must have adequate protection to avoid unauthorized use.

My jurisdiction is personal data privacy, and it's a very narrow perspective. But privacy can be looked at with three components: personal data privacy, bugging or interception of communication, and surveillance. The laws in Hong Kong are inadequate at the moment regarding interception and surveillance.

How are you pushing compliance with the rules?
These are criminal offenses. For example, when you collect data, if you don't have a purpose statement or don't observe the rules, the first time around you can change. The second time around it could become a criminal offense if I send a notice to correct it and you don't. If a data user receives an access request, they must respond in 40 days. If they don't, they have contravened the provision.

What holes do you see in the White House's approach to protecting computerized personal data? That is, promoting voluntary practices by the industry?
We have generic legislation that covers the general principles of protecting data. This country takes more of a sectorial approach, with different laws for states and federal, targeting different sectors such as video privacy or the protection of children. There could be a level of mistrust. There is self-interest involved. The good guy will be part of your industry membership, but the bad guys aren't ethical, they won't join your membership. So how can you regulate your industry if not all are your members?

There is no redress mechanism. What do people do? I feel that a law, plus a code of practice for a profession, is needed. In terms of having complaints addressed, you need an objective and neutral party with no vested interest. Some of these seals, like Truste or [Better Business Bureau] Online, they are boosting up redress mechanisms, but still the worst [punishment] is if a company can be kicked out of the program. It seems to me that these companies only act when they are embarrassed into doing something.

Is Hong Kong's privacy policy influencing China--or will it end up being the other way around?
We are now part of China, but we are in a special administrative region. We have a high degree of autonomy except for foreign affairs and defense. We have increased interaction with China, but China doesn't want this kind of law. I do come to the government ministry and speak on data protection, [but] it's more or less planting a seed. Still, China [could be influenced] because of the European Union privacy directive, which says you must have certain principles, or it will affect the transfer of data between your country and theirs.

So if this issue affects trade, China might change its tune?
I have to emphasize that privacy has to be addresses not only because it's a basic human right, but for economical reasons, trade reasons. I'm sure the foreign trade ministry there is aware of this issue, because they have continuous trade discussions around the globe. I believe they will eventually do it for three reasons: 1) the protection of privacy is actually in the Chinese Constitution; 2) because the EU directive is a trade issue that warrants serious consideration to have regulatory responses to match the EU requirements; and 3) because of the Internet and e-commerce. This is a trust and confidence issue.

Does Hong Kong's privacy law apply to the collection of information from the Chinese government?
My jurisdiction is only Hong Kong.

The European Union and United States have been locked in talks for more than a year over how U.S. companies can comply with the EU standard. Do you think the EU will bend its rules? And what effect could such a move have globally?
Like Simon Davies [of the London School of Economics] said yesterday, it's not a matter of negotiation. The EU's directive is a law. It's not a matter of who is winning or not winning. I'm concerned, though. We are quite small, and our lifeblood is trade. Both sides have to be very careful, because it could be transformed into a trade barrier--people could turn this into a kind of bargaining chip.

Hong Kong's philosophies are steeped in trade, which is obviously one reason you don't want privacy to be a bargaining chip. But do you also think people have a basic right to communicate anonymously?
I do believe that. But like any right, the right of an individual to privacy is not absolute. For example, our law has exemptions--detection and prevention of crime. Privacy advocates don't believe me, but we believe personal rights have to be balanced with collective rights.

Have you read the book 1984? Do you see similarities between the book and current society?
I think because of technology's sophistication, and [because] it enables you do things more efficiently, it's a benefit to humanity, to our daily life. But at the same time it can be used in a negative manner. At the end of the day I believe in the human spirit. Justice always prevails. People speak out, and shout, and use their knowledge, and will fight any repressive regime that doesn't recognize the rights of individuals. In the long run those regimes would have to be transformed.