The installation of CCTV cameras is a highly emotive and controversial issue in many countries. Hong Kong’s data privacy law does not contain any specific provisions regarding the use of CCTV, although the Privacy Commissioner (PC) has issued guidance on CCTV surveillance and the use of drones. According to this guidance, whether the use of CCTV systems covering a semi-public or public area is regulated by the Personal Data Privacy Ordinance (PDPO) will depend on whether the purpose of the installation is to collect or compile information about identified persons. A recent appeal against a decision of the PC on the use of CCTVs (Appeal No.7/2019) is an illustration of the current position in Hong Kong.
The Appellant complained against the Incorporated Owners of her building (IO) for installing two CCTVs in the public corridor of each floor. One of the CCTVs was located in the proximity of her flat.
The Appellant claimed that:
The PC decision
Relying on the Eastweek Publisher Ltd & Another v Privacy Commissioner of Personal Data  2 HKLRD 83 case, the PC took the view that the installation of CCTVs should not be regarded as collection of the Appellant’s personal data. There would only be collection of personal data when the IO had to review the CCTV footage for the purpose of identifying a person and collecting evidence for suspected crimes or security matters. Such collection would relate to the IO’s managerial work and was unlikely amount to unlawful or unfair collection.
Further, the PC held that there was no prima facie evidence of contravention of PDPO. Notice of the installation had been given to the data subjects pursuant to resolution at owners’ meeting, the retention period of CCTV footage was not unreasonable and only authorised persons could access the footage with a password.
The Administrative Appeals Board (AAB) decision
The AAB found that the images captured should be regarded as personal data since it was practicable for the identities of the persons whose images are captured to be directly or indirectly ascertained. However, the AAB was conscious that it was bound by the Eastweek principles that for an act to constitute collection of personal data, the data user must be compiling information about an identified person or about a person whom the data user intends to or seeks to identify. It was held in Eastweek, that a magazine photographer’s act of taking a photograph of the complainant on the streets was not an act of personal data collection, since the photograph was taken for the purpose of making unflattering comments on the complainant’s fashion style in the magazine and the complainant’s identity was irrelevant to the photographer or the magazine.
Accordingly, since the IO’s intention was for security purposes and not to compile information of the Appellant or any identified persons, the AAB held that there was no “collection” of personal data by the IO. The key is to look at the purpose of the installation of the CCTV.
Concerns about the Eastweek case
In an epilogue to the decision, the AAB raised concerns that the interpretation of “collection of personal data” in the Eastweek case was too narrowly construed and outdated. Although Eastweek is still binding for the time being, the AAB recommended the PC consider amending the PDPO to change this interpretation and add specific provisions to regulate the use of CCTVs and related recording, storage and access systems in accordance with the Data Protection Principles under the PDPO.
With CCTV surveillance becoming more controversial, especially with recent cases in Hong Kong involving car cameras in taxis capturing images of celebrities and ordinary people, the law in this area is under scrutiny.
Watch this space!