A report by the Commissioner, Roderick Woo, has found that an IP
address does not always count as personal data, and that ownership
of a company does not always denote control of all of its data.
Those two crucial findings have made it impossible for him to say
that Yahoo! broke the law, he said.
Yahoo! was investigated over the case of Shi Tao, a journalist
who was jailed for 10 years in China for sending information
abroad. Hong Kong lawmaker Albert Ho made a complaint to the
Commissioner that Shi was jailed on the basis of identifying
information supplied by Yahoo!.
Disclosing a subscriber's personal data to Chinese authorities
would break the Hong Kong Personal Data (Privacy) Ordinance.
The Commissioner found that Yahoo! Hong Kong did not give
information that could be classed as 'personal data' to the Chinese
authorities. But Yahoo! was not completely exonerated. Woo said
that Yahoo!'s Chinese operation was the company involved, and that
it fell outside of his jurisdiction and the scope of his
investigation.
Yahoo! did supply identifying information. The verdict in the
Chinese case references "account holder information furnished by
Yahoo! Holdings (Hong Kong) Ltd, which confirms that for IP address
218.76.8.201 at 11:32:17pm on April 20, 2004, the corresponding
user information was as follows…"
What the Hong Kong Commissioner could not say, though, was that
the handing over of information relating to the IP address counted
as personal information under the Hong Kong law.
Woo had to make his judgment without information which he
requested from Yahoo!. Yahoo! refused to hand over information from
its Chinese operation, claiming that as information relating to a
criminal offence, the information was classed in China as a state
secret. He said that the consequences of breaking the Chinese state
secrets law were so serious that he would not compel Yahoo! to
produce the requested data.
The Commissioner said that on its own, an IP address does not
constitute personal data. "Basically, an IP address is a specific
machine address assigned by the ISP to the user's computer and is
therefore unique to a specific computer," he said. "The information
is about an inanimate computer, not an individual. The Commissioner
therefore takes the view that an IP address per se does not meet
the definition of 'personal data'."
He did say, though, that an IP address could make up part of
personal data, and that if a party had other information, the IP
address could be identifying information. "Whether or not it is
part of any personal data in a particular case depends on the facts
of the case," he said.
"In the circumstances, the Commissioner finds insufficient
evidence to support that the two limbs of the definition of
'personal data' are met," he said.
Yahoo! has said that it was required to supply information under
Chinese law, but the company has met with international criticism
for supplying information which may have led to the identification
of Shi, named in the Commissioner's report only as Mr X.
"I wouldn't go so far as to say this was an exoneration for
Yahoo!. The important thing is that the Commissioner couldn't form
a view as to whether or not the information was personal data,"
said Dr Chris Pounder, a privacy specialist at Pinsent Masons, the
law firm behind OUT-LAW. "He got no concrete evidence to dispute
Yahoo!'s position."
Yahoo! Hong Kong, which owned Yahoo! China, argued that it did
not control the email account user information involved. "The
Commissioner does not find Yahoo! Hong Kong's argument convincing,"
said Woo's report.
The Commissioner did rule, though, that Yahoo! handed over the
information on pain of criminal penalty in China, and that
therefore the handing over of information was not in its control.
"As Yahoo! Hong Kong had no control over the data disclosure, it is
not, for the purpose of this investigation 'data user' as defined
under section 2(1) of the Ordinance," said Woo. "It logically
follows that the Ordinance has no application to the act of
disclosure of the Information in China."
