《Disney +》 迪士尼、Marvel、彼思、星球大戰…  「SQUARE ENIX MASTERLINE」第2彈!蒂娜&魔導裝甲&莫古利決定發售!   《Pokémon GO》訓練家限定!贈送3個月份的免費YouTube Premium資格   換上自己喜歡的設計!「PAC-MAN 99」免費更新內容持續發佈中!   最強英雄登場!「龍族拼圖」×「一拳超人」聯乘決定!   在現實世界一起去狩獵吧!USJ首個魔物獵人VR遊戲設施「Monster Hunter World:Iceborne XR WALK」明年春季登場!   hololive的元宇宙虛擬世界!沙盒類遊戲「Holo Earth」最新情報公開!   《零 ~濡鴉之巫女~》重製版登場!官網、PV&初回特典情報公開!   利用電競創造身障者也能活躍的工作環境!專為身障者打造無障礙電競環境的「ePARA」! 

Should IP addresses constitute personal data?

商業
The IT sector is among the sectors most directly affected by this ordinance The government’s consultation paper for the review of the Personal Data (Privacy) Ordinance (PDPO) is long overdue. The ordinance was passed in 1996, before the Internet became popular—let alone Web 2.0 and social media—and is thus far behind public awareness and expectation. The public naturally wants “maximum protection,” but as the consultation document rightfully states: “balance is needed between safeguarding personal data privacy and facilitating continued development of information and communications technology,” and the ordinance “should remain flexible and relevant” in spite of technological change”—that is, it should maintain technological neutrality. Sensitive data Nonetheless, the IT sector is among the sectors most directly affected by this ordinance. An example: the proposal in the consultation document that biometric information be classified as “sensitive personal data”—a new introduction to the ordinance that would call for a higher degree of protection by the data users, and hence heavier punishment in case of data-leakage. The government’s rationale is that such biometric data are inalterable, thus damage caused to data-owners would be severe and permanent. However, why single out biometric data to be made “sensitive,” while in other jurisdictions such as Australia and the UK, sensitive personal data includes criminal records, racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, health information, and sexual orientation? In fact, ever since the Privacy Commissoner's Office issued a directive earlier this year, repudiating the use of fingerprint technology in schools for attendance keeping, the effects have already been chilling for local companies providing such solutions. While the PCO guidelines maintains that biometric solutions are acceptable as long as it is not mandatory, or that such high level of secure access control is justified for its purpose, nonetheless many biometric solution providers have simply seen their business dry up since this summer. Another main concern for the IT sector is the proposal to regulate data processors—such as application developers, Internet service or web hosting providers, which provide outsourced services to the actual data users that hold the personal data of the subjects. Previously, data processors were not regulated by the ordinance. With the advent of cloud computing, this is a void to be addressed. All users affected Should data processors be regulated directly by the ordinance, or indirectly—meaning the data user must “ensure that its data processors provide security protection to personal data at a level comparable to itself,” as required by the ordinance? Data subjects would have redress against data users, who would in turn have redress under contractual law with the data processor. There are many other areas in the consultation that will affect all businesses handling any type of personal data, including its customers and employees. For instance, should there be mandatory disclosure to data subjects in case of a breach? Also, the document proposes further empowering the Privacy Commissioner by making it an offense in cases of unauthorized obtaining, disclosure and sale of personal data—or repeated contravention of a data protection principle—and allowing the Commissioner to impose monetary penalty on serious contravention of data protection principles. However, the document also reveals some recommendations made by the Commissioner but not taken up by the government—the IT sector should consider whether IP addresses constitute personal data. While IP addresses by themselves won’t identify users, there are circumstances where combined with other data, IP addresses will be critical in identifying their users. It is unfortunate that the government has chosen not to even consult this important issue, which would produce better guidelines for the industry going forward. The Personal Data (Privacy) Ordinance consultation document is at http://www.cmab.gov.hk/doc/issues/PDPO_Consultation_Document_en.pdf and the deadline for responses is November 30, 2009. Published on Computerworld Hong Kong November 2009 Issue
TechNow 當代科技

隨機商業新聞

Disney Plus