A group of researchers have said that Hong Kong should introduce legislation or amendments to the current surveillance law, issue guidance to law enforcement agencies, and improve routine disclosure to increase transparency. The government makes, on average, 4,470 data requests to tech companies every year, yet University of Hong Kong researchers say the government is lagging behind with global trends in transparency.
The Interception of Communications and Surveillance Ordinance (ICSO), enacted in 2006, only regulates telecommunications and postal interception, and other real-time surveillance. In 2016, the government refused add access to user data and stored communications – including social media and instant messaging – to the ordinance to enhance the scope of regulations.
There is no detailed guidance or code of practice for user data requests, and no court warrant is required when asking companies for information.
However, similar surveillance laws in other jurisdictions, such as South Korea, Taiwan, Australia, the UK and the US, do regulate access to stored communications, metadata and personal information. No warrant is required in many cases, but detailed guidance to law enforcement agencies is often required.
Researchers at the Hong Kong Transparency Report project at the Journalism and Media Studies Centre of The University of Hong Kong said the ICSO did not set out “legal procedures” as required by Article 30 of the Basic Law on inspection of communication.
“In the digital age, the Hong Kong government should introduce legislation or amendments to fulfil its obligation for protecting citizens’ privacy,” the researchers said.
Following that, guidelines or a code of practice should be issued.
“The experiences of other jurisdictions show that, even though warrants may not be required in some circumstances, detailed guidance to law enforcement agencies is the norm,” they said.
The researchers also said that Hong Kong was lagging behind foreign jurisdictions in regularly disclosing information about surveillance, including statistics and explanations of the mechanism in clear language.
The ICSO did have a mechanism for a commissioner – usually a judge – to make an annual report, but the report does not include details of communication surveillance in cyberspace owing to the outdated Ordinance.
The researchers said the statistics could be disclosed without a statutory requirement, as the government had already been regularly disclosing figures regarding the Code on Access to Information on an official website since 2015.
Meanwhile, the number of user data requests in 2017 saw little change when compared to 2016. However, the number of content removal requests spiked in 2017 after a drop in 2016. The figures were revealed only after lawmakers made annual requests.
The number of user data requests stood at 3,541 in 2017 – a slight drop of 52 from the past year. 99 per cent of the requests were from three departments: the Hong Kong Police Force (90 per cent), the Customs and Excise Department (nine per cent) and the Office of the Communications Authority (0.5 per cent). The purposes were overwhelmingly related to crime prevention and detection.
Eight ICT companies regularly released transparency reports on user data requests from the Hong Kong government from 2013 onwards. But their data only accounted for 42 per cent of all such requests from the government, meaning the rest of the requests were made to unknown companies.
The number of content removal requests stood at 336 last year, increasing from 194 in 2016 and 334 in 2015.
There were five major types for content removal requests between 2016 and 2017:
- Illegal sale of medicine, 44 per cent, from : Department of Health’s Drug Office and Chinese Medicine Division;
- Infringing activities, 32 per cent, from Customs and Excise Department and Family Health Service;
- Crime prevention & detection, 22 per cent, from Hong Kong Police Force;
- Illegal advertisement, two per cent, from Housing Department;
- Indecent content, one request from Office of Communications Authority.
The police have never revealed the compliance rate, but companies complied with almost all requests from other departments.