
Legal Protection of Digital Property
PhD(Computer Science) LLM(Intellectual Property) Department of Computer Science

Refusal to Comply with Data Correction Request: s.24


• a data user shall refuse compliance if
– not supplied with information as to the identity of the requestor and its relationship with the data subject
• a data user may refuse compliance if
– request not written in Chinese or English;
– not satisfied that the data are inaccurate;
– not supplied with information reasonably required to ascertain in what way the data are inaccurate;
– not satisfied that the correction is accurate; OR
– compliance prohibited because another data user controls the use of the data, and if so, must inform data subject of the name and address of the other data user: s.25(1)(b); (NB. Must comply as far as no contravention of prohibition: s.24(4).)

NB. Data users must comply with the 6 DPPs. Failure to do so may be the subject of a complaint resulting in investigation by the Privacy Commissioner for Personal Data. (*RR: Real data privacy cases relating to personal data in employment)

Privacy Commissioner
• most important powers
– power to inspect personal data systems: s.36
– duty to carry out investigation upon receiving complaint or upon reasonable belief: s.38
– discretion to refuse or terminate an investigation on certain grounds: s.39
» complainant has had actual knowledge for  2 years prior to the complaint;

» complaint made anonymously;
» complainant cannot be identified;
NB. Appeal against Commissioner’s refusal or termination lies to the Administrative Appeals Board.
– power to issue enforcement notice at end of investigation: s.50
– power to specify classes of data users required to file data user returns: s.14
NB. Data user returns kept in a register open to public: ss.15, 16.

Offence: “Doxxing”
• existing sanction:
– s.64(1): a person commits an offence if the person discloses any personal data of a data subject which was obtained from a data user without the data user’s consent, with an intent –
(a) to obtain gain in money or other property, whether for the benefit of the person or another person; or
(b) to cause loss in money or other property to the data subject.
NB. Max penalty = $1M + 5 yrs: s.64(3).

• new summary offence from 8/10/2021:
– s.64(3A): a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
(a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or
(b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
NB. Max penalty = fine at level 6 + 2 yrs: s.64(3B).

• new 2nd tier indictable offence from 8/10/2021:
– s.64(3C): a person commits an offence if
(a) the person discloses any personal data of a data subject without the relevant consent of the data subject –
(i) with an intent to cause any specified harm to the data subject or any family member of the data subject; or
(ii) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
(b) the disclosure causes any specified harm to the data subject or any family member of the data subject.

NB. Max penalty = $1M + 5 yrs: s.64(3D).
– s.64(6):
» “relevant consent” means consent of a relevant person or consent of the data subject;
» “specified harm” means
(a) harassment, molestation, pestering, threat or intimidation to the person;
(b) bodily harm or psychological harm to the person;
(c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or
(d) damage to the property of the person.

• defence to doxxing offence:
– s.64(4): it is a defence to a charge under s.64(1), (3A) or (3C) if
» the person reasonably believed disclosure was necessary for preventing or detecting crime;
» disclosure required or authorised by law or order of a court;
» the person reasonably believed that disclosure was made with consent (ie. for offence under s.64(1) – data user’s consent; for offence under s.64(3A) or (3C) – the relevant consent of the data subject); or

» the person
▪ disclosed solely for a lawful news activity under s.61(3) or a directly related activity; and
▪ had reasonable grounds to believe that publishing or broadcasting of the personal data was in the public interest.
– s.64(5): a defence under s.64(4) is established if there is sufficient evidence to raise an issue with respect to a matter required for the defence, and the contrary is not proved by the prosecution beyond reasonable doubt.

NB. Commissioner’s investigation and prosecution powers in doxxing cases:
– s.66D (may require materials and assistance from any person),
– s.66G (may search premises and seize any material therein suspected of containing incriminating evidence),
– s.66H (may stop, search and arrest any person reasonably suspected of having committed an offence relating to doxxing).

Extra-territorial Doxxing
• targets subject disclosure anywhere in the world, as defined in s.66K
– disclosure (whether or not in HK) of personal data where the data subject is a HK resident or present in HK; and
– disclosure is without relevant consent and
» (i) with intent to cause any specified harm to the data subject or their family member; or
» (ii) being reckless as to whether such specified harm would be caused.

• s.66M: Commissioner may serve a cessation notice directing any legal person (whether HK or non-HK person) to take cessation action in respect of the doxxing content (remove, cease or restrict access: s.66L)
• s.66O: contravention of cessation notice is an offence (but note defence under s.66O(2))

Other Offences
• data user contravening an enforcement notice: s.50A
• data user who, without reasonable excuse, contravenes any requirement under PD(P)O is liable to a fine: s.64A(1)
NB. s.64A(1) does not apply to a DPP contravention, or specified offences defined elsewhere in PD(P)O: s.64A(2).

• anyone supplying false or misleading information in relation to a data access or data correction request for the purpose of having the data user comply with the request: ss.18(5), 22(4)
• anyone obstructing, hindering or failing to comply with the Commissioner’s requirements or knowingly making a false statement to the Commissioner in the course of the latter’s exercise of powers: s.50B

Compensation: s.66
• a data subject who suffers damage by reason of a contravention of a requirement of the Ordinance by a data user is entitled to compensation from the data user
• damage includes injury to feelings: s.66(2)

• data user’s defence
– had taken reasonable care to avoid contravention; or
– where contravention relates to inaccurate data, the data accurately record data received or obtained by the data user from the data subject or a 3rd party
NB. Vicarious liability applies to civil proceedings for data privacy violation: ss.65(1), (4).

NB. But employer has a defence if he had taken all practicable steps to prevent the employee from doing that act: s.65(3).
NB. Commissioner may offer assistance to aggrieved persons in obtaining information (s.66A), and in proceedings under s.66 (s.66B).

Exemptions: Part VIII
• data held for personal, domestic or recreational purposes exempt from ALL DPPs: s.52
• data relevant to staff planning exempt from DPP6: s.53
• data that are the subject of a “relevant process” exempt from DPP6 until the completion of that process: s.55

– “relevant process” = any process for determining the suitability or qualifications of data subject for employment, promotion, removal from office, awarding of contracts, scholarships, honours etc and where appeal may be made against such determination
NB. Mere review of course grades without considering whether to give or continue to provide an award, scholarship, honour or benefit to the student is NOT a relevant process: Privacy Commissioner’s Report R08-10578 (*RR of lecture 5).

• personal reference given by an individual other than in the ordinary course of his occupation and relevant to a job application exempt from DPP6 unless
– the referee has informed data user in writing that he has no objection to the reference being seen by the applicant; OR
– until the applicant has been informed in writing the result of his application: s.56
Q: Meaning of the phrase in italics?

• data held by the Government for safeguarding security, defence or international relations exempt from DPP6 and DPP3 where their application would prejudice the data purposes: s.57

• law enforcement: s.58 (*RR: Privacy Commissioner’s Case No. 2010C06)
– data held for law enforcement purposes (including detecting crimes, remedying unlawful or seriously improper conduct, preventing significant financial loss arising from imprudent business practices) is
» exempt from DPP6 where its application would likely
▪ prejudice the law enforcement purpose; or
▪ directly or indirectly identify the person who is the source of the data
– data used for law enforcement purposes
» exempt from DPP3 where…
▪ use of data is for a law enforcement purpose; and
▪ application of DPP3 would likely prejudice the

• health: s.59
– data relating to the physical or mental health of data subject exempt from DPP6 and DPP3 and
– data relating to the identity or location of data subject exempt from DPP3
where their application would likely cause serious harm to the physical or mental health of any individual

• data held by news organisation or journalist solely for news activity exempt from DPP6 until the data are published or broadcast: s.61(1)
• disclosure of data to a news organisation or journalist by a person who reasonably believes that its publication or broadcasting is in the public interest exempt from DPP3: s.61(2)

• personal data used solely for statistics or research purposes without identifying the data subjects in the results is exempt from DPP3: s.62

E1: X, a lecturer, has written a reference letter to bank Y on behalf of Z, his PhD student. Z asks Y for a copy of the letter. Can Y refuse?

E2: W, a close friend of V, talks about V’s criminal acts in an interview with police officer T. V asks T for a copy of the interview record. Can T refuse?
E3: As in E2. T is a newspaper publisher. V asks T for a copy of the interview record. Must T comply?

E4: R suddenly becomes unconscious in his office. R’s boss immediately calls S, R’s doctor, to fax him R’s medical history. S does so. Any breach of DPP?
NB. For the latest int’l developments in privacy law, see EU GDPR 2016 (effective 25 May 2018) (*RR). See also PRC’s Personal Information Protection Law (个人信息保护法) with effect from 1 November 2021.

Recommended Reading
• Real Data Privacy Cases Relating to Personal Data in Employment
• Privacy Commissioner’s Case No. 2010C06
• EU GDPR 2016 (effective 25 May 2018)
