Cyber-bullying and Personal Data Protection
In this regard, the Office of the Privacy Commissioner for Personal Data, Hong Kong ("Privacy Commissioner") has recently issued two leaflets on this subject; one is "Cyber-bullying – What you need to know" reminding people of the privacy and legal issues in relation to cyber-bullying and the other is "Protecting Online Privacy - Be Smart on Social Networks", giving people practical tips to protect their privacy on social networks.
What is cyber-bullying?
Cyber-bullying generally refers to those actions that make use of communication and information technologies to harm or harass other people in a deliberate manner. The platforms that may be used include emails, text or audiovisual messages sent to web pages and discussion groups. Cyber-bullying usually takes the form of harassment, intimidation, threats, disclosure of genuine identities or rumours and falsehoods intended to damage one’s reputation. Some common examples are sending threatening or harassing messages to the victims by email, posting messages or remarks in a discussion forum to criticize a person or gossip about that person or displaying the photos and home address of the victim to enable others to harass the victim. One of the key characteristics is that the person who commits the cyber-bullying is able to hide his/her real identity and this is also the reason why cyber-bullying can become difficult to stop.
How to prevent cyber-bullying
When a person gives out personal information about oneself through communication and information technology platforms, they run a risk that such personal information may be accessed by people who would use such personal information to engage in cyber-bullying. Therefore, one has to be very careful in deciding whether and to what extent personal information should be disclosed in the circumstances. One good way to prevent cyber-bullying is to avoid being identified by others and not to disclose one’s personal information on social media networks unless you are aware of your rights and the possible consequences of such disclosure.
There are some general guidelines in the use of the social networks to protect from cyber-bullying:
- Understand the privacy settings of social media networks including reading the privacy statement and knowing the features of the relevant websites or platforms including how and to what extent your personal data will be accessed by third parties
- Do not provide excessive personal data and think carefully before posting messages and/or uploading personal data (including photos) onto the platforms
- Avoid opening or replying to messages from strangers or cyber-bullies
- Protect your personal data from being accessed by others (e.g. do not disclose sensitive information like passwords to others; remove accounts on websites which are no longer used)
Legal protection
With the widespread use of social networks, there is an increasing trend of cyber-bullying and the number of complaints and enquiries received by the Privacy Commissioner has sharply increased this year.
Currently, there is no statute law in Hong Kong governing cyber-bullying. If cyber-bullying activities involve criminal offences (e.g. criminal intimidation, blackmail, etc.), they are governed by the relevant legislation (e.g. Crimes Ordinance) and the victim may report the case to the police. If the activities involve civil wrong (e.g. defamation, infringement of intellectual property, etc.), the victim may consider pursuing civil remedies as legal recourse. However, victims may not find civil remedies desirable due to the costs involved in bringing a civil action and the practical problems faced by an unrepresented claimant.
The collection and use of personal data relating to social media networks are also governed by the Personal Data (Privacy) Ordinance ("PDPO"). If it is suspected that the cyber-bullying activities involve a breach of the Personal Data (Privacy) Ordinance and the data protection principles ("DPPs"), the victim may lodge a complaint with the Privacy Commissioner.
For example, DDP1 requires that the collection of personal data by data user should not be excessive and shall be necessary for a lawful purpose directly related to its function and activity of the data user. If a person collects the personal data for an unlawful purpose, it could be a breach of DPP1.
Also, DPP3 provides that personal data shall only be used for the purpose for which it was to be used at the time of the collection of the data or a directly related purpose. If the personal data will be used for a new purpose, the prescribed consent of the data subject is required. Although there is an exemption from the DPPs if the personal data held by an individual is concerned only with the management of his personal, family or household affairs or is held only for recreational purposes, if the personal data is used for other purposes (e.g. for cyber-bullying), the exemption may not be applicable. Even if the personal data is available in the public domain, due regard must be given to the data user’s original purposes of making the personal data available in the public domain. If the relevant websites have any privacy statement and terms and conditions specifying the permitted use of the available data, any use which goes beyond the allowed scope could be a breach of DPP3.
Apart from reporting the matter to the relevant authorities, the victim may also report to the relevant service provider or the social network provider to see in what ways it can help to resolve the problem (e.g. by removing the postings or blocking the cyber-bullies).
Link to article