Who Decides What Is Personal Data? Testing the Access Principle with Telecommunication Companies and Internet Providers in Hong Kong
Do personal data protection laws allow citizens to access their personal data? We answer this question by testing the data access principle of the Personal Data Privacy Ordinance (PDPO) with telecommunication companies and Internet providers in Hong Kong. In our study, we submitted data access requests to telecommunication companies and Internet providers for a range of information, including subscriber information, call logs, IP addresses, geolocation data, and whether they had shared any of this data with third parties. We argue that the telecommunication companies failed to (1) let users see their personal information in a comprehensive manner, including IP addresses or geolocations; (2) tell users whether they indeed process such information; (3) offer the possibility of correction or deletion; and (4) tell users whether they have shared this data with third parties, including law enforcement.