Hong Kong: Covid 19 and Privacy by Anne Cheung

Since the spread of the coronavirus in January 2020, whenever one enters a shop, restaurant, or salon in Hong Kong, body temperature will be taken. If one enters a clinic or hospital, in addition to body temperature, one’s travel data for the past 14 days will also be asked. The disclosure of health data has become a daily norm in Hong Kong. Seemingly, all these measures of prevention and control are justified. Yet, looming in the shadow of the pandemic is also the threat to privacy. In the name of public health and safety arising from Covid-19 pandemic, the Hong Kong Government (HKG) has rolled out measures of social distancing, contact tracing and voluntary universal testing in which health data and location data are being collected. Government measures have been viewed with suspicion by many citizens, largely due to the deteriorating relationship and the growing mistrust between the authorities (Beijing and HKG) and many Hong Kong citizens. This blog post will highlight the major measures that HKG has taken in its fight against the pandemic, and explore the privacy implications behind.

General

In Hong Kong, public health emergency is governed under the Prevention and Control of Disease Ordinance (PCDO, Cap 599) and the regulations made under it. Although personal data privacy is protected primarily under the Personal Data Privacy Ordinance (PDPO, Cap 486 ), s. 59 provides grounds of exemption from the use limitation requirement of personal data (Data Protection Principle (DPP) 3 use of data) to safeguard the health of data subjects. In particular, under section 59(2) of the PDPO, personal data relating to the identity orlocation of the data subjectmay be disclosed to a third party without the consent of the data subject for the need to protect public health., The then Privacy Commissioner of Hong Kong, notes that privacy right is not absolute but subject to restrictions. In the time of pandemic, the critical concerns are excessive data collection, use of data for purposes other than health reasons, and sharing of data to unknown third parties. The Privacy Commissioner’s Office has expressed on several occasions that various measures of the HKG have complied with the PDPO. We will see from the below discussion that the PDPO has addressed certain data privacy concerns, but only to a limited extent.

Distribution of Masks and Collection of Data

In May 2020, the HKG decided to distribute re-usable masks, CuMask+, to its citizens for free based on an online registration system. Each registration could include up to six people and applicants were required to provide their identity card numbers, dates of birth, local mobile numbers of all registrants and local delivery address. It is reported that about 1.38 million citizens have registered for the CuMask+. Concerns have been raised over information security and privacy as the government had failed to state the purpose of data collection and whether the information would be transferred to any third party. On the registration website, it is stated that personal data collected may be disclosed to “relevant government bureaus/departments/organisations.” In relation to this, the Government explained that personal data collected would not be retained beyond the time required for the purposes for which the data is used (complying with DPP 2) and that the system has passed independent privacy impact assessment, but public fear is not entirely allayed. It remains unclear which “government bureaus/departments/organisations” are considered “relevant”, and in particular, whether the police or the newly set-up National Security agencies are included as the potential recipients of the collected personal data.

Quarantine Monitoring and Contact Tracing

Since March 2020, all travelers arriving in Hong Kong are required to undergo compulsory quarantine for 14 days under s.3 of the Compulsory Quarantine of Persons Arriving at Hong Kong from Foreign Places Regulation (Cap. 599E). During this period, they have to wear mandatory wristbands that is linked to an app, StayHomeSafe, to reveal their location. In addition to phone number, the wristband wearer is identifiable. The HKG assures the public that it uses geo-fencing technology rather than GPS location tracking, and that data is stored on HKG’s private cloud. However, the information about the app states that it may use one’s location even when it is not open, and the Personal Information Collection Statement states that personal data provided will be used by the Department of Health and “may be disclosed to other governmental departments or relevant parties.” Again, it is unclear what other departments or relevant parties are included. Moreover, the retention period has not been specified. Arguably, the PDPO is not violated as DPP2(2) only requires all practicable steps to be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose for which the data is or is to be used.

Universal Community Testing

On 1 September 2020, the HKG launched its voluntary, free and one-off Universal Community Testing Programme for the entire population of more than 7.5 million citizens in Hong Kong. Specimens of combined nasal and throat swabs of participants will be collected for laboratory testing with the aim to identify asymptomatic Covid 19 carriers. Although the test is voluntary, the Chief Executive (the CE) in Hong Kong has stressed that it is civic responsibility for citizens to participate. When local epidemiologists questioned the effectiveness of the Programme without stay-at-home order, the CE condemned such as smearing the efforts of the government. The angry attitude of the CE prompts only more suspicion from the public about the Programme, in particular as the participating laboratories are from the mainland China without any tender process. The HKG reassures the public that personal data collected will not be sent out of Hong Kong, only the serial numbers but not the identities of specimen owners will be known by testing agencies, and specimens will be destroyed after completion of the programme. For those who are tested positive, they will be admitted to public hospital for treatment, and quarantine will be arranged for close contacts while medical surveillance will be arranged for other contacts. As of 3 September, more than 10% of the population have registered for the Programme.

The Future: Health Code for Travel and Daily Living?

Another measure soon to be launched by the HKG is the health code system, under which people who are tested negative would be allowed to cross the border to visit China’s Guangdong Province and Macau without being quarantined for 14 days. Similar health code system is already in place in Guangdong and Macau. The HKG explains that only basic personal information and nucleic acid test results will be collected from applicants for the purpose of applying for the system, implying that test results will be transferred to the other two jurisdictions. Fear has been raised that this will be likened to the health code system in the mainland, which is generated based on citizen’s state of health, travel history and contact with patients. In addition, when pro-establishment legislators suggested that the health code system should be extended to daily usage to exempt citizens from social distancing requirement (such as allowing them to dine in at restaurants or go to shopping malls), alarm bells were set ringing that the so-called digital health passport is an electronic handcuff in disguise. The fear is that one’s behavourial data, lifestyle information, and social contact details will be disclosed to the authorities. The CE has dismissed the legislators’ suggestion as “unfeasible.” In relation to the HKG’s health code system, at this stage, it is yet to be confirmed the exact type of personal data collected and shared to the authorities, inside and outside Hong Kong.

Concluding Remarks

It is tempting to reduce the HKG’s measures against Covid-19 as a necessary trade-off between public health and privacy. Yet when the HKG has failed to explain why massive amount of data is collected, how the data is being used, and whom the third parties are involved, one cannot help but question whether the PDPO has been complied with. Besides, the PDPO was enacted more than 20 years ago and it seeks to protect only personal data but not other forms of data privacy intrusion, and it is simply inadequate to meet up to the challenges in the age of big data. The issues of data-matching, data re-identification and use of pseudonymous data have not been adequately examined in the present debate in Hong Kong.

Anne S.Y. Cheung is a law professor and a co-director of the Law and Technology Centre at the University of Hong Kong. She received her legal education at the University of Hong Kong (LLB), the University of Toronto (JD), University of London (LLM) and Stanford University (JSD). She has taught Media Law, and Law and Society. Her research interests include freedom of expression and privacy, focusing on the challenges brought by the internet and technology. Her recent projects are on cyberbullying, and China’s social credit system. She has been a member of the Academic Advisory Council of the Humboldt Institute for Internet &Society, Berlin, Germany. She is on the editorial board of the Journal of Media Law, International Journal of Law in Context and Media & Arts Law Review. She was a former committee member of Hong Kong Press Council.