With Protesters Under Threat, Hong Kong Must Increase Transparency on Personal Data Requests · Global Voices
Jennifer Zhang

Hong Kong police have made at least four high-profile arrests of online forum users who posted messages encouraging people to take to the streets. Photo from inmediahk.net, used with permission.
The original version of this article was published in the opinion section of South China Morning Post. Jennifer is a Global Voices author and a researcher at Hong Kong Transparency Report, a project of the Journalism and Media Studies Centre at the University of Hong Kong.
During the months-long Occupy Central movement in Hong Kong, police made at least four high-profile arrests of online forum users who posted messages encouraging people to take to the streets or even attack the police. These arrests have not only raised the issue of freedom of speech, but also highlighted the opaque practices under which the city's law enforcement agencies and online service providers handle Internet user data.
Joe Lam, chief executive of the popular local forum HKGolden, told foreign media that police had demanded that he provide them with the IP addresses and messages associated with the account of one of its users, and he was obliged to comply. This user was subsequently arrested by the police and charged with “access to computer with criminal or dishonest intent.”
Another Hong Kong online forum, HKEPC, announced on its webpage that it had received requests from the Technology Crime Division of the Hong Kong police department to assist in investigating messages posted on its forum. The announcement read: “As the police's investigation is under way, HKEPC cannot disclose relevant details.”
It is common practice for the police to ask online service providers such as HKGolden Forum and Internet service providers such as PCCW to hand over their users’ contact information to detect and prevent technology crimes. But there are no adequate laws or regulations governing official requests for user data from service providers, except the broadly defined exemption section in the Personal Data (Privacy) Ordinance.
On at least two occasions, the Hong Kong government has refused to disclose its guidelines and relevant monitoring mechanisms for user data requests, claiming the existing mechanism functions effectively and that a public review is thus unnecessary. Therefore, a court order is the only way one can check the legitimacy of police requests and prevent them from invading users’ privacy or curbing online speech under the guise of a “criminal investigation”.
However, the truth is that the majority of government requests were issued without court orders. According to the Hong Kong Transparency Report for last year, five government agencies made a total of 5,511 requests for online user data. Out of these five agencies, the Companies Registry, Customs and Excise Department and Office of the Communications Authority all made requests without court orders, and the police only made “partial” disclosure of its requests under court orders, without disclosing the exact figures.
Beyond this, it is also important to ask: Are internet companies obliged to comply with police requests that are issued without court orders? Nick Chan, legal adviser to the Hong Kong Internet Service Providers Association and a partner at Squire Patton Boggs, says that unless there's a court order, Internet service providers won't be punished for not providing data to the police under Hong Kong's current laws. In other words, service providers have no legal obligation to comply with government requests that come without court orders.
Nevertheless, the Hong Kong Transparency Report found that in 2013, service providers granted 70 percent of the government's requests, even though most of them came without court orders. Internet companies in those cases handed over their clients’ data, and users had no idea whether those requests were “necessary” or “proportionate”.
Major internet companies such as Google, Yahoo and Facebook have legal guidelines on how to cope with government data requests. Google requires that requests be “made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law.”
These leading companies also disclose the number of data requests they receive from governments and their compliance rates. They realize that transparency, including voluntary disclosure, holds the key to earning users’ trust in their service.
The Hong Kong Internet Service Providers Association has recognized this messy issue. It is working on a code of practice that provides clear guidelines for service providers and law enforcement agencies to follow regarding user data requests, and to provide immunity to service providers from any civil lawsuits for complying with the requests.
This code is a good move forward, but it is far from enough. To act responsibly on behalf of the more than five million internet users in Hong Kong, local Internet companies should start notifying users of their policies for handling government requests, and actively disclosing statistics of the requests they receive, including the number of requests they accede to.
Similarly, government agencies should reveal their data-requesting procedures as soon as possible, and make sure those requests are issued only with proper judicial reviews.
The original version of this article was published in the opinion section of South China Morning Post. Jennifer is Global Voices’ writer and a researcher at Hong Kong Transparency Report, a project under the Journalism and Media Studies Centre, University of Hong Kong.