While the Personal Data Ordinance was enacted to protect privacy, the ICSO was implemented to regulate the interception of communications and covert surveillance conducted by law enforcement agencies (LEAs), such as the police and customs. The Secretariat, Commissioner on Interception of Communications and Surveillance (SCIOCS) is an independent oversight authority, appointed by the Chief Executive on the recommendation of the Chief Justice.
Under the ordinance, LEAs are required to apply to a panel judge for authorisation to carry out any covert surveillance in cases where there is a higher level of intrusion, for instance when an officer enters a private premises and installs a covert surveillance device. In other cases, LEAs must apply to an authorising officer in their department for the issue of an executive authorisation beforehand.
Although acts of interception and surveillance require authorisation, Lokman Tsui, an assistant professor at the School of Journalism and Communication in the Chinese University of Hong Kong (CUHK), says the authorising bodies are often just a rubber stamp. According to the SCIOCS annual report to the Chief Executive in 2015, a total of 1,481 authorisations (including fresh and renewed authorisations) were issued. Only two applications for interceptions were refused. “The office basically approved all requests,” says Tsui.
Michael Mo Kwan-tai, a campaigner (digital communication) at Amnesty International of Hong Kong, says oversight of the ordinance is too weak and can lead to misuse. “There are guidelines, but in practice, how much they comply, you know, is another question,” he says. Mo adds violations of the ordinance constitute civil rather than criminal offences and the penalties have no deterrent effect while the SCIOCS lacks the authority to take follow-up action.
“SCIOCS is a commission but not a department, it is very hard for us to expect them to have such huge capacity like a department to carry out investigations,” says Mo.
CUHK’s Lokman Tsui points out another glaring shortcoming of the ICSO, which is that it does not cover data requests from LEAs to telecommunication companies and internet service providers (ISPs). The ordinance only regulates wiretapping, and the interception and surveillance of communications made through postal mail and the telephone. As it does not cover online communication, citizens have no protection in regard to interception and surveillance on the internet.
In this digital age, people are always using their smartphones to surf the internet, and telecommunication companies have access to users’ personal data such as their browser history, their IP address and geographical locations. Law enforcement agencies are not required to get court warrants before requesting that telecommunication companies hand over their users’ personal data, and it is up to the companies to decide whether to do so.
According to statistics released by the Innovation and Technology Bureau, the police filed 3,448 requests to ISPs for user information in 2016. This is the highest number of requests among all government departments and the main reason given for the requests was crime prevention and detection.
Information on how the government requests user data can also be found in the Hong Kong Transparency Report, published annually by the Journalism and Media Centre at the University of Hong Kong. The report tracks government requests to information communication technology (ICT) companies for their users’ data and for removal of online content, as well as how overseas ICT companies respond to such requests. The 2016 report shows a declining number of data requests to ICTs, from 6,008 in 2013 to 4,637 in 2015. However, the government has sent more requests to social media companies, especially to Facebook which has seen a more than two-fold increase in 2015 compared to 2014.
The report found that overseas ICT companies rejected 40 per cent of the data requests from the Hong Kong government, which accounted for 44 per cent of the total data requests. Benjamin Zhou Suibin, the Hong Kong Transparency Report Project Manager, says LEAs are not legally obliged to provide a court warrant when requesting users’ data. It is wholly up to the company to decide whether to comply. Zhou says overseas companies will release transparency reports annually to disclose how they responded to government requests, but local ISPs do not. He thinks smaller local companies usually just hand over users’ data because they do not have teams of lawyers to evaluate the requests.