Personal data: Do you know your identified persons from your identifiable persons?

The definition of personal data may be changed under current proposals to update privacy laws in Hong Kong. The current definition of personal data is directed to data of an identified living individual. This may be changed to that is relates to an identified or identifiable person. What’s the difference? Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt reviews.

In Hong Kong, personal data is data relating to an individual from which his identity can be ascertained. The data must relate to an actual person before it is considered personal data. Stricter regimes sweep more into the meaning of personal data. Under GDPR, for instance, personal data means information relating to an identified or identifiable person. Then, an identifiable natural person is given additional meaning by listing various identifiers such as name, identification number, location data, an online identifier and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. GDPR starts from the nature of the data, and so long as it can be relatable to a person, it will be personal data. It is a fine nuance. In substance, this proposed change will bring location data and online identifiers under the remit of personal data regulation in Hong Kong.

Let’s look at online identifiers such as IP addresses and cookies.

Presently, an IP address alone is not personal data. It does not have biological significance relating to an individual, nor does it have an individual as its focus. An IP address is a specific machine address assigned by an internet service provider to a user’s computer. It is information about an inanimate computer, not a living individual. It cannot alone reveal the exact location of a computer or the identity of its user.

Cookies can be considered in a similar fashion. They are records of browsing histories of anonymous computer users. It is a term for a packet of data that a computer receives, then sends back without changing or altering it. When you visit a website, the website sends the cookie to your computer. Your computer stores it in a file located inside your web browser.

Different cookies perform different tasks. A first party cookie is placed by the website operator directly, and is often needed to track the function and performance of the website. For instance, these cookies help keep track of items in an online shopping cart, or recognise a return visitor and his password to enter a secure part of the site.

Session cookies are used only when a person is actively navigating a website; once you leave the site, the session cookie disappears.  Tracking cookies may be used to create long-term records of multiple visits to the same site. Authentication cookies track whether a user is logged on, and if so, under what name.

Cookies can cause issues from a cybersecurity and privacy perspective. Supercookies and zombie cookies contain viruses and malware. Third-party cross-site tracking cookies are a serious privacy concern. These cookies make it easier for third parties to observe all online behaviour of the user – even though the user may not know and has not consented to that suveillance.

We live in a world of surveillance capitalism. Particularly in the adtech world, online tracking is used to construct digital avatars of persons. These digital avatars pull together different strands of online data to reveal an uncannily complete catalogue of preferences, habits, characteristics and behaviours. This may not identify the specific person by name or social security number, but it is reasonably practicable for an actual person to be identifiable from it.

GDPR makes it clear that the regulation covers IP addresses, cookie identifiers, and other identifiers such as RFID tags. As long as the online identifier can single out an individual, it is personal data. This has moved the whole data protection regime in the EU to a regime in which online identifiers are under the scope of GDPR. This means specific, opt-in, freely given, and unambiguous consent from users before online identifiers such as cookies are placed on a data subject’s device, and sufficient information and options to give transparent, understandable information for data subjects to consider.

Adtech is already under close scrutiny in the EU. The Information Commissioner’s Office in the UK released a report in June 2019 outlining serious privacy concerns about the real-time bidding process that underpins personalised digital advertising. This is the first step in what is likely to result in enforcement actions in the months to come. A recent Norwegian study – unequivocally called “Out of Control” – highlighted that mobile applications such as Tinder, Grindr, Clue or OKCupid are collecting user data through mobile apps, and sharing sensitive personal data to third parties without the user’s consent. Other social media platforms in the US have received record fines and are under increased scrutiny. So it is no surprise the Privacy Commissioner in Hong Kong has advocated change in laws in Hong Kong.

This simple proposed change in Hong Kong – from identified to indentifiable – is a sign that location trackers and online identifiers will soon be under the regulator purview of the Privacy Commissioner in Hong Kong. Data users will need to make sure their personal information collection statements and privacy policies are upgraded to include clear information about collection, use, transfer, retention and security of online identifiers and other new classes of regulated personal data.

If you would like to discuss any of the matters raised in this article, please contact:

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.