Xiaoning et al v. Yahoo! Inc, et al, Doc. 72 Att. 2
Case 4:07-cv-02151-CW Document 72-3 Filed 08/27/2007 Page 1 of 51

EXHIBIT I

Report Published under Section 48(2) of the Personal Data (Privacy) Ordinance (Cap. 486)

Report Number: R07-3619
Date issued: 14 March 2007

Office of the Privacy Commissioner for Personal Data, Hong Kong

The Disclosure of Email Subscriber's Personal Data by Email Service Provider to PRC Law Enforcement Agency

Case number: 20U^^3^19

This report in respect of an investigation carried out by me pursuant to section 38 of the Personal Data (Privacy) Ordinance, Cap 486 (the "Ordinance") against Yahoo! Hong Kong Limited is published in the exercise of the power conferred on me by Part VII of the Ordinance. Section 48(2) of the Ordinance provides that "the Commissioner may, after completing an investigation and if he is of the opinion that it is in the public interest to do so, publish a report
(a) setting out
(i) the result of the investigation;
(ii) any recommendations arising from the investigation that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Ordinance, in particular the data protection principles, by the class of data users to which the relevant data user belongs; and
(iii) such other comments arising from the investigation as he thinks fit to make; and
(b) in such manner as he thinks fit."

Roderick B. WOO
Privacy Commissioner for Personal Data

Table of Contents

CHAPTER ONE
Introduction
  Preamble
  The Incident
  Press Release Issued by YHHK
  Issues of Personal Data Privacy Concern

CHAPTER TWO
Preliminary Enquiries
  Preliminary Enquiries Raised with YHHK
  Concerns Raised by Members of the Legislative Council
  Further Information from YHHK

CHAPTER THREE
The Complaint

CHAPTER FOUR
Operation of Yahoo! China and Corporate Structure of YHHK
  Operation of Yahoo! China
  Corporate Structure of YHHK

CHAPTER FIVE
Legal Requirements

CHAPTER SIX
Investigation and Evidence Gathering
  The Business Structure
  Disclosure of User Information to the PRC Authorities
  Testimony and Declaration of the Senior Vice President and General Counsel of Yahoo! Inc.
  No Access to Yahoo! China's User Accounts by YHHK
  No Further Submissions from Mr. X's Authorized Representative
  Verification from Public Records

CHAPTER SEVEN
PRC Laws Application
  Issues Relating to PRC Laws
  First Issue: Article 45 and the Obligation to Comply
  Other Consequences on Failure to Supply Information to SSB
  Second Issue: Non-disclosure of the Requested Data to the Commissioner

CHAPTER EIGHT
The Commissioner's Findings
  Focus of Investigation
  Undisputed Facts
  Whether IP Address is "Personal Data" within the Definition of the Ordinance
  Whether Personal Data were Disclosed by YHHK to SSB?
  Whether YHHK is a "Data User" in relation to the Information Disclosed to SSB
  Whether the Ordinance has Extra-territorial Application to the Act Complained Of
  If the Ordinance had Jurisdiction over the Act Complained of, had YHHK Contravened DPP3?
  Exemption in Section 58
  Conclusion

CHAPTER NINE
Comments Arising from the Investigation
  Scope of Application of the Ordinance
  Extraterritorial Application of the Ordinance
  The Definition of "Crime"
  Consideration by Policy Bureau

GLOSSARY

ANNEXURES
  Annex A - Changsha Intermediate People's Court of Hunan Province Criminal Verdict dated 27 April 2005
  Annex B - "Scope of 'personal data' under the Personal Data (Privacy) Ordinance (Cap. 486) and related issues", paper issued by the Legal Services Division of the Legislative Council Secretariat
  Annex C - Testimony of the Senior Vice President and General Counsel, Yahoo! Inc. before the Subcommittees on Africa, Global Human Rights and International Operations, and Asia and the Pacific dated 15 February 2006

CHAPTER ONE

Introduction

Preamble

1.1 This Report pertains to an investigation carried out by the Privacy Commissioner for Personal Data (the "Commissioner") pursuant to section 38 of the Personal Data (Privacy) Ordinance, Chapter 486 (the "Ordinance") in respect of an allegation that Yahoo! Hong Kong Limited (formerly known as Yahoo! Holdings (Hong Kong) Limited) ("YHHK") had disclosed an email user's personal data to the PRC authorities, thereby infringing the provisions of the Ordinance.

The Incident

1.2 In October 2005, it was widely reported by local newspapers that a journalist (hereinafter referred to as "Mr. X") residing in the PRC, was convicted by the Changsha Intermediate People's Court ("People's Court") of the crime of illegally providing state secrets to foreign entities outside PRC in violation of Article 111 of the Criminal Law of the PRC and was sentenced to 10 years' imprisonment.

Footnote: Article 111 of the Criminal Law provides that: "Whoever steals, buys or unlawfully supplies state secrets or intelligence for an organ, organization or individual outside the territory of China shall be sentenced to fixed-term imprisonment of not less than five years but not more than 10 years; if the circumstances are specially serious, he shall be sentenced to fixed-term imprisonment of not less than 10 years or life imprisonment; if the circumstances are minor, he shall be sentenced to fixed-term imprisonment of not more than five years, criminal detention, public surveillance or deprivation of political rights."

1.3 According to the news reports, YHHK had disclosed the personal data of Mr. X, who was an email user of "yahoo.com.cn", to the PRC authorities and as a result Mr. X was arrested.

1.4 In the verdict (the "Verdict") delivered by the People's Court on 27 April 2005, it stated that Mr. X had on 20 April 2004 at approximately 11:32 p.m. leaked information "to an overseas hostile element, taking advantage of the fact that he was working overtime alone in his office to connect to the Internet through his phone line and used his personal email account (huoyan-1989@yahoo.com.cn) to send his notes [on the summary of the main contents of a top-secret document issued by the General Office of the Central Committee of the Communist Party of China (CPC) and the General Office of the State Council entitled "A Notice Regarding Current Stabilizing Work" (CPC General Office Document No. 11 [2004])]. He also used the alias "19894" as the name of the provider..."

Footnote: See Annex A of this Report.

1.5 The Verdict reported the evidence gathered to prove the commission of the offence which included the following: "Account holder information furnished by Yahoo! Holdings (Hong Kong) Ltd., which confirms that for IP address 218.7.$,201 at 11:32:17 p.m. on April 20, 2004, the corresponding user information was as follows: user telephone number: 0731-437362 located at the Contemporary Business News office in Hunan; address: 2F, Building 88, Jianxiang New Village, Kaifu District, Changsha."
1.6 The email account from which the materials classified as state secrets were sent to foreign entities was "huoyan-1989@yahoo.com.cn" (the "Email Account").

1.7 From the Verdict, it was therefore clear that YHHK had disclosed certain email user information to the PRC authorities but as to the extent of the data disclosed to the PRC authorities by YHHK in the course of the investigation, the Verdict was not conclusive. According to the Verdict, the People's Court had also considered other pieces of evidence including such evidence as written statements given by Mr. X confessing that "he intentionally and illegally provided state secrets to foreign entities".

1.8 The above incident (the "Incident") attracted public attention and aroused personal data privacy concern, in particular in relation to the purported disclosure of the email users' information by the email service provider to a law enforcement agency outside Hong Kong, as to whether such act violated the provisions of the Ordinance. The concern was accentuated by the fact that in the course of their provision of services, email service providers would have collected and held massive personal data and any improper handling of the email users' personal data would have dire consequences on the personal data privacy of the data subjects.

Press Release Issued by YHHK

1.9 On 18 October 2005, in response to the public concern, YHHK issued a press release which expressly refuted its involvement in the disclosure of the relevant user information. It stated that: "Yahoo! Hong Kong adheres to all applicable local laws and regulations in Hong Kong and our privacy policy. The Chinese authorities have never contacted Yahoo! Hong Kong to request any of its user information. Yahoo! Hong Kong and Yahoo! China are managed and operated separately and independently of one another. As such, Yahoo! Hong Kong and Yahoo! China have never exchanged or revealed respective user information to one another."

Issues of Personal Data Privacy Concern

1.10 The Incident raises the following issues under the Ordinance:

1.10.1 Whether "personal data" within the meaning of the Ordinance were disclosed by YHHK to the PRC authorities;

1.10.2 Whether such act of disclosure by YHHK is caught by the jurisdiction of the Ordinance, having particular regard to the circumstances under which the personal data of Mr. X, if any, were collected and disclosed by YHHK; and

1.10.3 If the act or practice is caught by the Ordinance, as to whether there was a contravention of Data Protection Principle ("DPP") 3 in respect of the disclosure of the data by YHHK to the PRC authorities; and if so, would there be any exemption provision of the Ordinance available to YHHK?

CHAPTER TWO

Preliminary Enquiries

Preliminary Enquiries Raised with YHHK

2.1 On 21 October 2005, the Commissioner took the initiative to approach YHHK to gather further information for the purpose of ascertaining whether there was any evidence of contravention of the Ordinance.

2.2 On 29 October 2005, YHHK provided a written response to the Commissioner and averred that:

2.2.1 YHHK was not involved in any disclosure of information relating to Mr. X to the PRC authorities or any agents thereof;

2.2.2 The disclosure was related to a PRC user in the PRC holding a ".cn" email account registered at the website of Yahoo! China ("Yahoo! China");

2.2.3 The disclosure was made by Yahoo! China;

2.2.4 The websites of Yahoo! Hong Kong ("Yahoo! Hong Kong") and Yahoo! China were managed and operated independently from one another;

2.2.5 Yahoo! Hong Kong and Yahoo! China did not exchange user account information; and

2.2.6 YHHK would only respond to the Hong Kong law enforcement authorities upon a valid and formal written request pursuant to Hong Kong law and in case of an order for email content disclosure, YHHK would not release any information to law enforcement agencies except on receipt of a search warrant issued by a court of law in Hong Kong.

Concerns Raised by Members of the Legislative Council

2.3 On 1 November 2005, a special meeting was held in the Legislative Council by the Panel on Information Technology and Broadcasting (the "Panel") to discuss the Incident. The Commissioner was invited to attend this panel meeting. During the meeting, the Commissioner addressed issues relating to the definition of "personal data", jurisdiction of the Ordinance as well as protection of personal information of email users.

2.4 Concerns were raised by members of the Panel as to the definition of "personal data" and in particular whether it covers Internet Protocol address ("IP address") as well as the lawfulness of the disclosure of user information by an Internet Service Provider ("ISP"). The Legal Service Division of the Legislative Council Secretariat was asked to research and prepare a paper on the scope of coverage of "personal data" particularly in view of the widespread use of electronic media for communication.

Footnote: See LC Paper No. ^^^? 1105-O ^ at Annex B of this Report.

Further Information from YHHK

2.5 On 19 November 2005 and ß December 2005 and in response to the Commissioner's enquiries, YHHK provided further information relevant to the Incident as follows:

2.5.1 The data with which the Incident was concerned were collected by Yahoo! China in PRC, which was owned by YHHK at the material time;

2.5.2 The data in question appeared to be in respect of a user of Yahoo! China located in PRC;

2.5.3 The name under which the user registered with Yahoo! China was not Mr. X; Yahoo! China did not know that the user was in fact Mr. X;

2.5.4 The data in question was disclosed by Yahoo! China in PRC to the PRC authorities in accordance with PRC Laws;

2.5.5 None of the actions germane to the Incident (data collection, storage and disclosure) happened in Hong Kong and that none of the relevant parties (i.e. Yahoo! China, Mr. X and the PRC authorities) were Hong Kong parties;

2.5.6 Even if the Ordinance governed conduct that occurred wholly outside Hong Kong but within PRC, YHHK considered that the exemption under section 58(2) of the Ordinance would be applicable for the release of the relevant data;

2.5.7 Yahoo! China was wholly owned by YHHK prior to the change of ownership to Alibaba.com Corporation ("Alibaba") on 24 October 2005;

2.5.8 Yahoo! China was operated by a PRC entity called Peking University Founder Group ("PUFG") through Beijing Yahoo! Consulting and Service Company Limited ("Beijing Yahoo!") which was wholly owned by YHHK;

2.5.9 The Internet Contents Provider ("ICP") licence for the Yahoo! China website was issued by the PRC government and held by PUFG;

2.5.10 Records relating to the Incident were kept by Yahoo! China which had subsequently been sold to Alibaba;

2.5.11 According to the Verdict, the user name of the Email Account was "huoyan_1989" and not Mr. X; and

2.5.12 YHHK had no control over the collection and/or disclosure of Yahoo! China's users data.

CHAPTER THREE

The Complaint

3.1 On 30 March 2006, a complaint was received by the Commissioner from Mr. X's authorized representative in Hong Kong. It was alleged that YHHK had disclosed to the PRC authorities Mr. X's personal data relating to the Email Account without his consent, thereby breaching the requirements of the Ordinance.
No supporting evidence was attached to Mr. X's complaint.

3.2 Despite repeated requests, no further information or evidence was produced by Mr. X or his authorized representative to the Commissioner for consideration.

3.3 The main piece of evidence that Mr. X's authorized representative relied upon was the contents of the Verdict which confirmed that YHHK had supplied certain email user information to the PRC authorities which led to the eventual arrest and conviction of Mr. X.

3.4 Based on the facts and evidence obtained by him in the course of his preliminary inquiries made about the Incident, the Commissioner decided to carry out an investigation pursuant to section 38 of the Ordinance on ^ May 2006.

CHAPTER FOUR

Operation of Yahoo! China and Corporate Structure of YHHK

4.1 The Commissioner finds it important to first examine the operations of Yahoo! Hong Kong and Yahoo! China as well as the corporate structure of YHHK in order to assess the role played by and the legal obligations of YHHK in this incident.

Operation of Yahoo! China

4.2 YHHK confirmed that the relevant disclosure was made by Yahoo! China on 22 April 2004. The operation of Yahoo! China at the material time is illustrated by the following chart:

[Chart: Yahoo! China's Operational Structure (April 2004). Entities shown: Yahoo! Inc., Yahoo! HK, Yahoo! China website, Beijing Yahoo!, PUFG. Labels shown: Wholly owned; Operation Agreement; Corporate Legal Entity Business Permit; ICP Licence; Technical Services Agreement.]

4.3 It can be seen from the above chart that, although Yahoo! Hong Kong and Yahoo! China were both owned by YHHK, their mode of operation was different. YHHK had through its wholly owned PRC corporate entity, namely, Beijing Yahoo!, operated Yahoo! China in accordance with the Wholly Foreign-Owned Enterprise Law in PRC.
Under the Certificate of Approval for Establishment of Enterprises with Investment of Taiwan, Hong Kong, Macao and Overseas Chinese in the People's Republic of China issued by the Beijing Municipal Government on 2ß April 2002, YHHK was stated to be the investor of Beijing Yahoo! with registered capital solely contributed by YHHK. Beijing Yahoo! was holder of a Corporate Legal Entity Business Permit describing its enterprise type as "Wholly Foreign-Owned Enterprise (Hong Kong)". Under the articles of association of Beijing Yahoo!, YHHK had the right to appoint and replace each member of the board of directors of Beijing Yahoo!, including the chairman.

4.4 For the purpose of having an ICP licence for the operation of Yahoo! China in PRC, YHHK entered into an Operation Agreement ("Operation Agreement") with PUFG on 19 February 2003 to utilize its ICP licence. Beijing Yahoo! provided PUFG with technical services to facilitate the operation of the Yahoo! China website under a Technical Services Agreement dated 19 February 2003 ("Technical Services Agreement").

4.5 The Commissioner obtained from YHHK the business permits, corporate documents, the Operation Agreement and Technical Services Agreement relating to the operation of Yahoo! China. There is no contrary evidence before the Commissioner to doubt the authenticity of these documents.

4.6 In substance and prior to 24 October 2005, Yahoo! China was wholly owned by YHHK and operated through PUFG and Beijing Yahoo!.

4.7 Since 24 October 2005, Alibaba became the owner and operator of Yahoo! China.

Corporate Structure of YHHK

4.8 YHHK is a Hong Kong company incorporated under the Laws of Hong Kong and is the owner and operator of Yahoo! Hong Kong.

4.9 The ultimate parent of YHHK is Yahoo! Inc. which is a United States ("US") company based in California. Yahoo! Inc. beneficially and ultimately owns the entire issued share capital in YHHK.
4.10 YHHK and Yahoo! Inc. are shareholders which together currently hold about 40% of the issued shares of Alibaba.

4.11 YHHK changed its name to Yahoo! Hong Kong Limited on 22 June 2006.

CHAPTER FIVE

Legal Requirements

5.1 The following provisions of the Ordinance are relevant to this investigation:

5.1.1 Section 2(1) of the Ordinance provides that:

"'Personal data' means any data
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is practicable;"

"'Data user', in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data;"

"'Practicable' means reasonably practicable;"

5.1.2 DPP 3 in Schedule 1 to the Ordinance provides that:

"Personal data shall not, without the prescribed consent of the data subject, be used for any purpose other than--
(a) the purpose for which the data were to be used at the time of the collection of the data; or
(b) a purpose directly related to the purpose referred to in paragraph (a)."

5.1.3 The term "use" in relation to personal data is defined under section 2(1) of the Ordinance to include "disclosure" or "transfer" of the data.

5.1.4 According to section 2(3) of the Ordinance, "prescribed consent" means "express consent of the person given voluntarily" which has not been withdrawn by notice in writing.
5.1.5 Section 39(1)(d) of the Ordinance provides that:

"(1) Notwithstanding the generality of the powers conferred on the Commissioner by this Ordinance, the Commissioner may refuse to carry out or continue an investigation initiated by a complaint if
(d) none of the following conditions is fulfilled in respect of the act or practice specified in the complaint
(i) either
(A) the complainant (or, if the complainant is a relevant person, the individual in respect of whom the complainant is such a person) was resident in Hong Kong; or
(B) the relevant data user was able to control, in or from Hong Kong, the collection, holding, processing or use of the personal data concerned,
at any time the act or practice was done or engaged in, as the case may be;
(ii) the complainant (or, if the complainant is a relevant person, the individual in respect of whom the complainant is such a person) was in Hong Kong at any time the act or practice was done or engaged in, as the case may be;
(iii) in the opinion of the Commissioner, the act or practice done or engaged in, as the case may be, may prejudice the enforcement of any right, or the exercise of any privilege, acquired or accrued in Hong Kong by the complainant (or, if the complainant is a relevant person, the individual in respect of whom the complainant is such a person);"

5.1.6 Section 58(1) and (2) of the Ordinance provides that:

"(1) Personal data held for the purposes of
(a) the prevention or detection of crime;
(b) the apprehension, prosecution or detention of offenders;
(2) Personal data are exempt from the provisions of data protection principle 3 in any case in which
(a) the use of the data is for any of the purposes referred to in subsection (1) (and whether or not the data are held for any of those purposes); and
(b) the application of those provisions in relation to such use would be likely to prejudice any of the matters referred to in that subsection,
and in any proceedings against any person for a contravention of any of those provisions it shall be a defence to show that he had reasonable grounds for believing that failure to so use the data would have been likely to prejudice any of those matters."

5.1.7 Section 65(1) and (2) of the Ordinance provides that:

"(1) Any act done or practice engaged in by a person in the course of his employment shall be treated for the purposes of this Ordinance as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer's knowledge or approval.
(2) Any act done or practice engaged in by a person as agent for another person with the authority (whether express or implied, and whether precedent or subsequent) of that other person shall be treated for the purposes of this Ordinance as done or engaged in by that other person as well as by him."

CHAPTER SIX

Investigation and Evidence Gathering

6.1 Unless otherwise stated, all information contained in this chapter was submitted by YHHK or Yahoo! Inc. to the Commissioner during the investigation of this case. The focus of investigation was to find out what personal data, if any, was disclosed by YHHK and the circumstances for such disclosure.

The Business Structure

6.2 YHHK elaborated further on the mode of operation of Yahoo! China. According to YHHK, the business of Yahoo! Hong Kong was run by a management team in Hong Kong and that of Yahoo! China was run by a separate management team in Beijing. All operational, management, strategic and business decisions for Yahoo! China were made by Yahoo! China, with direction from Yahoo! Inc. or its appointed international operations management team.
6.3 YHHK's board of directors discharged all its statutory functions, for example, on the approval of the use of common seal and approval of audited accounts in relation to YHHK only. None of the activities carried out or resolutions passed by the board of directors of YHHK was related to the day-to-day management operations of Yahoo! China.

6.4 Insofar as matters relating to disclosure of personal data of Yahoo! email users are concerned, they were handled primarily by the legal teams of the respective websites. The legal team of Yahoo! China ("Yahoo! China Legal Team") reported directly to the legal team of Yahoo! Inc.

6.5 With this line of authority and accountability, although Yahoo! China was legally owned by YHHK, from an operational perspective, it was managed and controlled vertically and ultimately by the management of Yahoo! Inc.

6.6 As such, YHHK did not exercise control over the affairs of Yahoo! China. Such control was in fact exercised wholly by Yahoo! Inc.

Disclosure of User Information to the PRC Authorities

6.7 YHHK was asked by the Commissioner to give details on the circumstances under which the disclosure of the user information relating to the Email Account was made and as to the legal advice, if any, sought relating to the disclosure.

6.8 Yahoo! Inc., responding on behalf of YHHK, gave the sequence of events leading to the disclosure of user information relating to the Email Account as follows:

6.8.1 Before 22 April 2004, Yahoo! China received an email from the State Security Bureau ("SSB") of the PRC demanding the user information relating to the Email Account. In response, Yahoo! China requested a formal data disclosure order from SSB.

6.8.2 On 22 April 2004, SSB hand-delivered a data disclosure order (the "Order") issued by the SSB pursuant to Article 45 of the PRC Criminal Procedure Law ("Article 45").
The Order bore an official chop from the Beijing Branch of SSB and was in respect of criminal investigation into "illegal disclosure of state secrets overseas".

6.8.3 The Yahoo! China Legal Team examined the validity and legality of the Order and confirmed that Yahoo! China was legally obliged to comply with the Order.

6.8.4 The customer care team of Yahoo! China ("Yahoo! China Customer Care Team") retrieved the required information from the users' database of Yahoo! China, which was located on servers in the PRC.

6.8.5 The Yahoo! China Legal Team confirmed that the information retrieved corresponded to the information requested by the Order and approved the disclosure.

6.8.6 The YHHK's company chop (the "YHHK Chop") was applied by the Yahoo! China Legal Team in their Beijing office on the documents which contained the information requested by and disclosed to SSB.

6.8.7 On or about 22 April 2004, Yahoo! China disclosed the relevant information relating to the Email Account to SSB.

6.8.8 After 22 April 2004, there were subsequent communications between SSB and Yahoo! China regarding further information relating to the Email Account.

6.8.9 Yahoo! China Customer Care Team provided SSB with further information in accordance with the Order.

6.9 Yahoo! Inc. confirmed that Yahoo! China had provided to SSB "(i) user registration information, (ii) IP log-in information and (iii) certain email contents" (the "Information"). Yahoo! Inc. further stated that users of email service are generally asked to provide information such as name, gender, birthday, etc. for registration. However, there is no guarantee that the information so provided is genuine as many users do not register with real information.

6.10 Article 45 provides that: "The People's Court, the People's Procuratorates and the public security organs shall have the authority to collect or obtain evidence from the units and individuals concerned. The units and individuals concerned shall provide truthful evidence. Evidence involving State secrets shall be kept confidential. Anyone that falsifies, conceals or destroys evidence, regardless of which side of a case he belongs to, must be investigated under law".

6.11 Yahoo! China was not made aware of the exact nature or details of the investigation by SSB, but the Order from SSB stated that it was in respect of a criminal investigation into "illegal disclosure of state secrets overseas".

6.12 Yahoo! China was not made aware as to whether SSB knew the identity of the user of the Email Account at the time of making the request for user information.

6.13 When asked by the Commissioner as to whether any legal advice was obtained prior to the disclosure of the Information to the SSB, Yahoo! Inc. claimed that legal advice on Article 45 was received from their PRC in-house counsel as follows:
6.13.1 Public security organs had the authority to collect or obtain evidence from the units or individuals concerned;
6.13.2 Evidence involving state secrets had to be kept confidential;
6.13.3 Any party that falsified, concealed or destroyed evidence, regardless of which side of a case such party belonged to, had to be investigated under law;
6.13.4 Refusal to provide legally required evidence might be deemed obstruction of a government function and might subject the person to no more than 3 years' imprisonment, detention, public surveillance or a fine under Article 277 of the PRC Criminal Law ("Article 277"); and
6.13.5 SSB's request for the Information was required under PRC laws, hence the disclosure of the Information was not a voluntary act.

Testimony and Declaration of the Senior Vice President and General Counsel of Yahoo! Inc. ("Mr. Y")

6.14 In support of YHHK's claim that disclosure of the Information was in compliance with the PRC laws, a testimony given by Mr. Y on behalf of Yahoo! Inc. to the US Congress on 15 February 2006 in relation to the facts surrounding Mr. X's case was provided to the Commissioner for consideration.

6.15 In the testimony, Mr. Y testified that: "When Yahoo! China in Beijing was required to provide information about the user, who we later learned was [Mr. X], we had no information about the nature of the investigation. Indeed, we were unaware of the particular facts surrounding the case until the news story emerged. ... In many cases, Yahoo! does not know the real identity of individuals for whom governments request information, as very often our users subscribe to our services without using their real names. ... When we receive a demand from law enforcement authorised under the law of the country in which we operate, we must comply. ... Failure to comply in China could have subjected Yahoo! China and its employees to criminal charges, including imprisonment. ... In this case, the Chinese government ordered Yahoo! China to provide user information, and Yahoo! China complied with Chinese law."

6.16 At the request of the Commissioner, Mr. Y also made a written declaration on 23 August 2006 at Santa Clara, California, US, in support of the submissions made by Yahoo! Inc. to the Commissioner. He declared that: "... Based on my understanding of what constitutes 'personal data' under the Hong Kong Personal Data (Privacy) Ordinance, no personal data was provided by [Mr. X] in the course of his registration with Yahoo! China. As a standard corporate procedure, law enforcement requests are dealt with at the local subsidiary level and Yahoo! Inc. is not informed of the specific details of law enforcement actions. ... In order to provide proper checks and balances and to ensure integrity in the discharge of legal functions, the Legal Department is independent of the business operations. Lawyers in each country are not accountable to and did not report to the local business team. Instead, the reporting line at the time was as follows:

Management of Yahoo! Inc
General Counsel, Yahoo! Group
General Counsel, Yahoo! International
General Counsel, Yahoo! Asia Pacific
General Counsel, Yahoo! China
General Counsel, Yahoo! Hong Kong

Only the Legal Department of Yahoo! China could review the law enforcement order in relation to the [Mr. X] case, implement the required procedure and authorize the disclosure of Yahoo! China's user data to the Beijing Branch of the State Security Bureau and the use of the [YHHK's] chop on the disclosure documents, and, based on corporate policy and practice, as explained above, the Legal Department of Yahoo! China was not controlled by [YHHK]."

[4] See Annex C of this Report.

No Access to Yahoo! China's User Accounts by YHHK

6.17 The Commissioner asked for direct confirmation from YHHK on the responses given by Yahoo! Inc. YHHK submitted that it did not have control over the collection, holding, processing or use of personal data of Yahoo! China's users and therefore YHHK did not have and had never had access to the records of the Email Account.

6.18 To illustrate that YHHK was unable to access user's information of Yahoo! China's accounts, YHHK showed the Commissioner the operation of its internal account management system for which attempt to access Yahoo! China's users' account information would be denied with a pop up message that "you do not have permission to open user:...".

No Further Submissions from Mr. X's Authorized Representative

6.19 Despite our repeated requests for information on Mr. X's user's registration information in respect of the Email Account and the Information disclosed to SSB, Mr. X's authorized representative did not supply to the Commissioner any further information.

Verification from Public Records

6.20 According to company search conducted in Hong Kong on YHHK, of the 1,000 issued share capital of YHHK, Yahoo! Inc. is holding 10 issued shares and Yahoo! International Subsidiary Holdings Inc. is holding 990 shares.

6.21 Yahoo! Inc. confirmed that all the issued shares of Yahoo! International Subsidiary Holdings Inc. were at the material time, and are still, owned by Yahoo! Inc. Hence, Yahoo! Inc. ultimately wholly owns YHHK and thus is in a position to respond on behalf of YHHK in relation to this complaint. A copy of the share certificate issued by Yahoo! International Subsidiary Holdings Inc. to Yahoo! Inc. was produced to the Commissioner as supporting evidence.
CHAPTER SEVEN

PRC Laws Application

Issues Relating to PRC Laws

7.1 In the course of investigation, there are two issues relating to the application of PRC laws that the Commissioner has to resolve. The first issue concerns whether Yahoo! China was legally obliged to release the Information to SSB pursuant to Article 45. The second issue relates to the refusal of YHHK to disclose certain information to the Commissioner during the course of investigation.

7.2 On both issues and for the purpose of assessing the weight and relevancy of the submissions from YHHK, the Commissioner sought independent legal advice from two PRC law experts (the "PRC law experts").

First Issue: Article 45 and the Obligation to Comply

7.3 The first issue that concerns the Commissioner is whether Yahoo! China was legally obliged to disclose the Information to SSB. Issues such as the lawfulness of the Order given by SSB, the duty to comply and consequences of non-compliance are relevant for consideration.

7.4 The PRC law experts were consulted on the scope of application of Article 45 to the present case. According to the PRC law experts, since YHHK operated businesses in the PRC, it should comply with the PRC laws, including the PRC's Criminal Procedure Law in respect of the businesses operated in the PRC. The official issuance of the Order duly signed or chopped by SSB is treated as having complied with the legal procedures for its issuance. Any person or unit has legal duty to provide truthful evidence.

7.5 As it is clear from the Verdict that corresponding user information was provided by YHHK and submitted by the prosecution for consideration by the People's Court, the Commissioner has no reason or contrary information to doubt the existence or authenticity of the Order issued by SSB upon YHHK for the purpose of the investigation carried out by SSB.
7.6 The PRC law experts also referred the Commissioner to the provision of Article 18 of the State Security Law ("Article 18")[5] which obliges citizens and organizations to furnish to the state security organ relevant information relating to investigation carried out by it.

[5] Article 18 provides that, "when a State security organ investigates and finds out any circumstances endangering State security and gathers related evidence, citizens and organizations concerned shall faithfully furnish it with relevant information and may not refuse to do so".

7.7 As for the consequences for non-compliance with the disclosure order, Article 277 provides that "... whoever intentionally obstructs officers of a State security organ or a public security organ from maintaining State security in accordance with law and causes serious consequences, though without resort to violence or threat, shall be punished ..." and will be "... sentenced to fixed-term imprisonment of not more than three years, criminal detention, or public surveillance or be fined".

7.8 Although different views[6] on statutory interpretation were expressed by the PRC law experts as to whether refusal to provide the requested information to SSB amounted to "obstruction" under Article 277, the Commissioner finds that, having taken legal advice, Yahoo! China and YHHK did in the circumstances of the case have genuine penal apprehension on possible violation of Article 45 or Article 277 if it refused to comply with the Order.

[6] One school of thought opines that Article 277 applies to penalty imposed on offence of interference with public order and does not cover the act of refusal to provide evidence upon request. Another school of thought however views that refusal to provide evidence upon request fulfils the requirements of paragraph 4 of Article 277 as being an act of "non violent" obstruction.

Other Consequences on Failure to Supply Information to SSB

7.9 Apart from the criminal sanction that would attach on failure to supply to SSB the Information, the PRC law experts were further of the opinion that by virtue of the business nature undertaken by YHHK in the PRC, it was also obliged to comply with other relevant laws, rules and regulations, one of which being the Regulation on Telecommunications of the PRC (the "Regulation on Telecom").

7.10 The Regulation on Telecom prohibits organization or individual from producing, publishing or transmitting information which has contents detrimental to state security, state secrecy, etc.[7] The breach of which may in serious cases lead to the revocation of the telecommunications business licence by the Ministry of Information Industry[8]. The Regulation on Telecom also imposes a duty on the business operator to terminate the transmission of such information immediately and report to relevant authorities[9].

[7] Article ^7 of the Regulation on Telecommunications.
[8] Article 78 of the Regulation on Telecommunications.
[9] Article 62 of the Regulation on Telecommunications.

7.11 Further, YHHK's business activities in the PRC also require it to comply with the Regulation on the Internet Information Service of the PRC which contains provision requiring Internet email service provider to actively cooperate with the relevant state organs in making investigation[10]. The failure to comply with the requirement may render the entity to be subject to administrative sanctions, including admonition and fine[11].

[10] Article 18 of the Measures for the Administration of Internet Email Services provides, "an Internet email service provider, or a telecommunication service provider that provides access services to Internet email services shall actively cooperate with the relevant state organ and the Internet Email Re^e^hr^e^t Acceptance Center in making investigations".
[11] Article 25 of the Measures for the Administration of Internet Email Services provides the sanctions which include admonition by the Ministry of Information Industry and fine of up to 10,000 Yuan, in addition.

7.12 Having considered the submissions made by YHHK and also advice obtained from the PRC law experts on the application of the PRC laws and regulations and the duty to comply, the Commissioner is satisfied that the Information disclosed by YHHK to SSB pursuant to the Order was a legal obligation imposed upon YHHK, the refusal to comply might result in both criminal and administrative sanctions.

Second Issue: Non-disclosure of the Requested Data to the Commissioner

7.13 During the course of his investigation, the Commissioner asked YHHK to produce (i) the account user's information in respect of the Email Account, (ii) the correspondence with SSB, (iii) the Order, and (iv) the Information (collectively the "Requested Data").

7.14 In response to the Commissioner's request, YHHK claimed that it did not have actual knowledge of or access to most of the information or document requested by the Commissioner. It was unable to provide the Commissioner with copies of documents related to the disclosure as it had been advised by their PRC in-house counsel that those documents might be considered as state secrets under Article 2 of the PRC State Secrets Law ("Article 2") since they related directly to a criminal investigation in the PRC.
7.15 Article 2 provides that "state secrets shall be matters that have a vital bearing on state security and national interests and, as specified by legal procedure, are entrusted to a limited number of people for a given period of time". A relatively wide definition has been given to what constitutes "state secrets" and it includes the "secrets concerning activities for safeguarding the state security and the investigation of criminal offence". The question as to whether any information can be classified as "state secrets" is a matter to be determined by the state secret-guarding department[12].

[12] Article 11 of the PRC State Secrets Law.

7.16 Upon demand for further details by the Commissioner, YHHK confirmed that the legal advice obtained from their PRC in-house counsel was that:

7.16.1 Information required by relevant government agencies for the investigation of criminal offences was considered to be a state secret; and
7.16.2 In the event of any ambiguity on whether or not a specific item was a state secret, the disclosing entity is required to treat the item as a state secret.

7.17 In considering whether to invoke his powers under the Ordinance to compel production of the Requested Data, the Commissioner sought advice from the PRC law experts on the application of the relevant provisions of the State Secrets Law as ground of refusal relied upon by YHHK. The PRC law experts shared the view that where the evidence or information for the trial of leakage of state secrets had been so confirmed by the court, the conclusion of the trial did not affect the nature of these evidence or information to remain state secrets and these evidence or information shall continue to be protected under the State Secrets Law.
7.18 The Commissioner noticed that there are differences in opinions given by the PRC law experts on the finer details in respect of whether all evidence and information furnished to SSB for investigation of a crime (whether they be actually used or not) could rightly fall within the definition of "state secrets". The PRC law experts however shared the consensus that any breach of the State Secrets Law is an offence carrying with it serious penal consequences[13].

[13] See, for instance, the criminal sanction laid down in Article 11 ^ of the PRC's Criminal Law for supplying state secrets to organization or individual outside the territory of China. Person convicted shall be sentenced to fixed term imprisonment of not less than 5 years but not more than 10 years.

7.19 In the circumstances, the Commissioner considers the following factors needed to be looked at:

7.19.1 The Information supplied by Yahoo! China to SSB might have been or could have been used for investigation of the crime in question;
7.19.2 The broad scope of definition given to "state secrets" and the powers vested in the relevant PRC authorities to so classify the data;
7.19.3 The trial of Mr. X's case was not conducted in public and no transcript of the trial is available. The Verdict setting out what it describes as undisputed facts is the only evidence that the Commissioner can safely rely;
7.19.4 There was no evidence to suggest that the Requested Data were not classified as state secrets; and
7.19.5 Breach of State Secrets Law is a serious offence in PRC.

7.20 Having considered the above factors, the Commissioner accepts that YHHK's concerns for breach of the State Secrets Law are genuine and reasonable.
The Commissioner therefore did not exercise power to compel YHHK for production of the Requested Data.

CHAPTER EIGHT

The Commissioner's Findings

Focus of Investigation

8.1 The relevant legal issues that concern the Commissioner in this investigation are:

8.1.1 Personal data: whether the Information disclosed to SSB amounts to "personal data" as defined by the Ordinance.
8.1.2 Data user: whether YHHK is a data user for the purposes of the Ordinance.
8.1.3 Extra-territorial jurisdiction: whether the Ordinance applies to an act of disclosure of personal data which was done entirely outside Hong Kong.
8.1.4 DPP3: whether the alleged disclosure of user information pursuant to the Order from SSB is within the original or directly related purpose of collection.
8.1.5 Exemption in section 58: whether the disclosure of personal data to a foreign law enforcement agency for investigation of a foreign crime could be exempted under section 58 of the Ordinance.

Undisputed Facts

8.2 The following facts are not in dispute:

8.2.1 The Email Account (being a ".cn" account) was registered in the PRC via Yahoo! China;
8.2.2 The Email Account was subscribed by a PRC user;
8.2.3 The Information was disclosed in the PRC by Yahoo! China pursuant to the Order issued by SSB;
8.2.4 YHHK was at the material time the legal owner of Yahoo! China in the PRC, and
8.2.5 Yahoo! Inc. owned YHHK.

Whether IP Address is "Personal Data" within the Definition of the Ordinance

8.3 In order to constitute "personal data" under the Ordinance, the data must satisfy the three criteria laid down in the Ordinance, namely, that (a) it relates directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable. The word "practicable" is further defined under section 2(1) as "reasonably practicable".

8.4 According to the Verdict, the email user information furnished by YHHK to SSB was: "Account holder information furnished by Yahoo! Holdings (Hong Kong) Ltd., which confirms that for IP address 21 ^4.7^. N. 201 at 11:32:17 p.m. on April 20, 2004, the corresponding user information was as follows: user telephone number: (173.1-437^3^2 located at the Contemporary Business News office in Hunan; address: 2F, Building 88, Jianxiang New Village, Kaifu District, Changsha."

8.5 Question arises as to whether the information mentioned in the Verdict, without more, amounted to "personal data" and in particular, whether such information fulfills paragraphs (a) and (b) of the definition. Since no prescribed test on what amounts to "indirect" identification is provided under the Ordinance, the term itself tends to be conceptual.

8.6 In interpreting the law, the Commissioner takes a purposive approach in statutory interpretation in order to "best ensure the attainment of the object of the Ordinance according to its true intent, meaning and spirit"[14] and to guard against any "absurd" result from arising[15].

8.7 In the Commissioner's view, under the first limb of the definition, data which relate "directly" to an individual are data which speak of or otherwise yield information about the individual directly.
Data which relate "indirectly" to an individual are data from which information concerning the individual has to be inferred or indirectly inferred from the data when read in conjunction with other data.

8.8 As for the second limb of direct or indirect identification, if identification can be ascertained solely from the data in question (including information inferred from the data), the ascertainment is "direct". If identification can be ascertained only if recourse is made to other data readily obtainable by the data user, identification is "indirect".

8.9 It is a question to be decided by the facts of the case. What is not readily obtainable by the data user is unlikely to fall within the benchmark of reasonable practicability.

8.10 Since the user information in the present case includes an IP address, the Commissioner has to consider whether an IP address per se is "personal data" under the Ordinance. Basically, an IP address is a specific machine address assigned by the ISP to the user's computer and is therefore unique to a specific computer. Whenever a transaction requesting or sending data occurs on the Internet, this unique address accompanies the data. The information is about an inanimate computer, not an individual. An IP address alone can neither reveal the exact location of the computer concerned nor the identity of the computer user.

8.11 Applying the two limbs of the definition of "personal data", an IP address itself does not contain information that "relates" to an individual nor is the registered user's information readily obtainable, for example, through information available in the public domain. The Commissioner therefore takes the view that an IP address per se does not meet the definition of "personal data".

[14] See section y of the Interpretation and General Clauses Ordinance, C^t^^.:^, Laws of Hong Kong.
[15] The principle of "presumption against absurdity" in the golden rule of statutory interpretation, see Bennion's Statutory Interpretation, third edition, Butterworths.

8.12 The Commissioner has verified and sought advice from Senior Counsel who fully agreed that an IP address alone is not "personal data" but that "personal data" can include an IP address when combined with, for example, identifying particulars of an individual. Whether or not it is part of any personal data in a particular case depends on the facts of the case and the two limbs of the definition of "personal data" illustrated above.

8.13 Incidentally, the paper issued by the Legal Service Division of the Legislative Council Secretariat[16], titled "Scope of 'personal data' under the Personal Data (Privacy) Ordinance (Cap. 486) and related issues" also expressed a similar view that a restrictive approach is generally adopted by the courts in relation to whether IP addresses constitute "personal data". Applying the above reasoning, the "IP address" mentioned in the Verdict does not per se constitute "personal data".

[16] See LC Paper No. LS21/05-06 at Annex B of this Report.

8.14 As for the corresponding user information mentioned in the Verdict, i.e. "user telephone number: 0731-437362, the Contemporary Business News office in Hunan, address: 2F, Building 88, Jianxiang New Village, Kaifu District, Changsha", no safe conclusion can be drawn that the corresponding user information ex facie belongs to a living individual as opposed to a corporate or unincorporate body or relates to a real as opposed to a fictitious individual. In the circumstances, the Commissioner finds insufficient evidence to support that the two limbs of the definition of "personal data" are met.

Whether Personal Data were Disclosed by YHHK to SSB

8.15 It was unclear from the Verdict what exactly was "the account holder information" furnished by YHHK. Yahoo! Inc. confirmed to the Commissioner that only the Information, i.e. (i) user registration information, (ii) IP log-in information and (iii) certain email content were provided to SSB. No contrary evidence or allegations came to sight during the course of investigation for the Commissioner to cast doubt on the admission made by Yahoo! Inc. or to draw any inference that personal data other than the Information were disclosed to SSB.

8.16 Having regard to:

8.16.1 The views expressed in paragraphs 8.10 to 8.14 above (i.e. that IP address alone does not constitute "personal data" and no ex facie evidence from the Verdict that an individual with real identity was the registered account holder of the Email Account);
8.16.2 The fact that the email address of J^u^^^^^^^-1 ^<^'^^^^c^d^^^v.c^^^^^^.^^^ itself does not disclose the identity of Mr. X;
8.16.3 YHHK had categorically denied that the subscriber to the Email Account was registered under the name of Mr. X and they had no knowledge that the user was in fact Mr. X; and
8.16.4 There is no other concrete evidence to refute the claims made by YHHK in paragraph 8.16.3 above,

the Commissioner finds it unsafe and unsatisfactory to conclude that Mr. X's personal data were contained in the Information which had been disclosed by YHHK to SSB.

8.17 On the basis of the above, the Commissioner can conclude his findings here. However, in view of the public concerns raised about the Incident, as an academic exercise, the Commissioner shall attempt to answer the following hypothetical questions on the assumption (which has not been proved) that "personal data" of Mr. X were disclosed by YHHK:

8.17.1 Whether YHHK is a "data user" in relation to the information disclosed to SSB?
8.17.2 Whether the Ordinance has extra-territorial application to the act complained of?
8.17.3 If the Ordinance has jurisdiction over the act complained of, had YHHK contravened DPP?

Whether YHHK is a "Data User" in relation to the Information Disclosed to SSB

8.18 Is YHHK a "data user" who should be held responsible for the disclosure under the Ordinance? A "data user" is defined under the Ordinance to mean one who "either alone or jointly in common with other persons, controls the collection, holding, processing or use of the data". What constitutes "control" is not defined under the Ordinance. In the Commissioner's view, control can either mean the physical act of collection, holding, processing or using of the personal data or it can mean the ability of determining the purpose for which and the manner in which the data are to be collected, held, processed or used.

8.19 Although strictly speaking, the actual physical act of collection and disclosure of the personal data in question might not be committed by YHHK but by Yahoo! China in the PRC, YHHK was accountable to the act done under section 65(1) and (2) of the Ordinance no matter whether it was done by its employees (i.e. staff employed for providing service to Yahoo! China) or its agents (i.e. Beijing Yahoo! as its foreign investment vehicle operating Yahoo! China). This is reinforced by the undisputed fact that the YHHK Chop was appended onto the documents disclosing the Information. Insofar as outside parties are concerned, the purported authority of YHHK was therefore deemed given.

8.20 As for the ability to determine the purpose for which and the manner in which the data are to be collected, held, processed or used, the Commissioner finds the following facts of the case to be relevant for consideration:

8.20.1 Yahoo! China was a website, not a legal entity, nor was it something separate from YHHK which owned the website.
8.20.2 Control is evidenced by the Privacy Policy Statement ("PPS")[17] and Terms of Service ("TOS")[18] of Yahoo! China pursuant to which personal data were supplied or collected by or on behalf of YHHK from users, particularly when users logged-in online to register an email account;
8.20.3 It was with YHHK that the users entered into contractual relationship by subscribing to the PPS and TOS when opening their email accounts with Yahoo! China; and
8.20.4 The documents disclosing the Information with the YHHK Chop appended thereto showed that YHHK had the ability to control the disclosure of personal data.

[17] "Yahoo! uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients..."
[18] "Information Sharing and Disclosure: Yahoo! does not rent, sell, or share personal information about you with other people or nonaffiliated companies except to provide products or services you've requested, when we have your permission, or under the following circumstances: ... We respond to subpoenas, court orders, or legal process, ..."

8.21 YHHK argued that since the handling of email account user information was managed by Yahoo! China under the ultimate control of Yahoo! Inc., YHHK did not have "control" over the collection, holding, processing or use of the user information.

8.22 The Commissioner does not find YHHK's argument convincing. It is because at the material time when the Information was disclosed, YHHK owned 100% of the shareholding of Beijing Yahoo! that operated Yahoo! China. The division of labour and works of the Yahoo! group of companies (including those of the reporting lines of the legal teams within the Yahoo! group) are no more than internal and inter-companies management arrangement. Such arrangement does not affect or overshadow the fact that YHHK remained a legal entity that should be held responsible for all acts (including the act or practice of personal data management) and businesses carried out by YHHK in PRC.

8.23 Having said that, it is still logical to infer that the test of control should be read subject to a proviso, namely, that the infringing act or practice must itself (namely, the act of disclosure of the Information to SSB) be capable of the subject of control in or from Hong Kong by the data user. In determining whether there was in any particular case any effective control or the ability to exercise control in or from Hong Kong by the data user, reference must be made not just to the position under Hong Kong law, but also to any applicable foreign law.

8.24 YHHK submitted that the disclosure of the Information to SSB was in compliance with Article 45. YHHK was obliged to comply in light of the criminal sanction attached to non-compliance.

8.25 Having assessed the situation by taking into account the advice given by the PRC law experts on the applicability of the PRC law (i.e. Article 45 and other laws and the Regulation on Telecom), the obligation of YHHK to comply with such law (i.e. being the legal person responsible for acts and businesses carried out in PRC) and the circumstances under which the Information was requested (i.e. through the Order), the Commissioner forms the view that the disclosure of Information in the circumstances of the case was not a voluntary act initiated by YHHK but was compelled under the force of PRC law.
Such being the case, the control, if any, was vitiated by the operation of PRC law. The subject matter of the complaint (i.e. the disclosure of the Information to SSB) therefore fell outside the control of YHHK.

8.26 As YHHK had no control over the data disclosure, YHHK is not, for the purpose of this investigation "data user" as defined under section 2(1) of the Ordinance. It logically follows that the Ordinance has no application to the act o

