LCQ17: Government's requests for Internet service providers to disclose or remove users' information
************************************************************

     Following is a question by the Hon James To and a written reply by the Secretary for Commerce and Economic Development, Mr Gregory So, in the Legislative Council today (October 15):

Question:

     According to the Transparency Report published biannually by Google, an Internet search-engine service provider, the number of requests made by the Government to the company for disclosure of its users' information has increased from 50 in the first half of 2010 to 359 in the first half of 2014, representing an over six-fold increase. It is learned that there are no standardised procedural guidelines for government departments to make requests for information of Internet users, nor are there provisions requiring government departments to obtain a court order before making requests to the service providers concerned for disclosure or removal of users' information. In this connection, will the Government inform this Council:

(1) of the details of the requests made since February 2014 by each government department to various Internet service providers (including Google, Yahoo)/Internet platforms/web sites (collectively referred to as "service providers") for disclosure of their users' information, including (i) names of service providers, (ii) whether the service providers are local or foreign companies, (iii) types of requests made and the number in respect of each type, (iv) reasons for making the requests, (v) whether the requests were made under court orders, (vi) details of the information requested, (vii) whether the service providers had acceded to the requests and (viii) reasons given by the service providers for not acceding to the requests;

(2) of the details of the requests made since February 2014 by each government department to service providers for removal of their users' information, including (i) names of service providers, (ii) whether the service providers are local or foreign companies, (iii) types of requests made and the number in respect of each type, (iv) reasons for making the requests, (v) whether the requests were made under court orders, (vi) details of the information requested for removal, (vii) whether the service providers had acceded to the requests and (viii) reasons given by the service providers for not acceding to the requests;

(3) whether the authorities will consider publishing reports periodically (such as biannually) in respect of the information mentioned in (1) and (2) so as to enhance transparency;

(4) of the discrepancies in the procedural guidelines or contents of the forms used by various government departments for making requests to service providers for disclosure or removal of information of their users; whether the authorities have consulted the Office of the Privacy Commissioner for Personal Data (PCPD) on such guidelines and forms; if they have, of the details; if not, whether they will consider consulting PCPD; whether they will reconsider standardising such guidelines and forms; if they will, whether a timetable has been set; if not, of the reasons for that; and

(5) whether the authorities will consider reviewing the existing legislation with a view to requiring that a government department must obtain a court order before it may make a request to a service provider for disclosure or removal of its users' information, so as to prevent abuse of personal information and to safeguard the privacy of the members of the public?

Reply:

President,

     Regarding the five-part question, the Administration's reply is as follows:

(1) Details of the requests made by government departments to service providers for disclosure of their users' information since February 2014 are listed in Table 1.

(2) Details of the requests made by government departments to service providers for removal of their users' information since February 2014 are listed in Table 2.

(3) and (4) In carrying out their duties, the officers of individual government departments and law enforcement agencies may request information or co-operation from the relevant persons or organisations (including Internet service providers) in accordance with duty-related laws and established procedures or guidelines, including the Personal Data (Privacy) Ordinance and the relevant code of practice/guidelines, as and when necessary. Since the existing mechanism functions effectively, we do not think it is necessary to establish a separate set of procedures for Internet service providers.

(5) The requests made by the concerned government departments/law enforcement agencies to the relevant persons or organisations are mainly related to crime prevention and detection as well as law enforcement. They will ensure that these requests are made only when necessary for performing duties. Since the existing mechanism functions effectively, we do not think it is necessary to review it.

Ends/Wednesday, October 15, 2014
Issued at HKT 14:03
