A report by the Commissioner, Roderick Woo, has found that an IP address does not always count as personal data, and that ownership of a company does not always denote control of all of its data. Those two crucial findings have made it impossible for him to say that Yahoo! broke the law, he said.
Yahoo! was investigated over the case of Shi Tao, a journalist who was jailed for 10 years in China for sending information abroad. Hong Kong lawmaker Albert Ho made a complaint to the Commissioner that Shi was jailed on the basis of identifying information supplied by Yahoo!.
Disclosing a subscriber's personal data to Chinese authorities would break the Hong Kong Personal Data (Privacy) Ordinance.
The Commissioner found that Yahoo! Hong Kong did not give information that could be classed as 'personal data' to the Chinese authorities. But Yahoo! was not completely exonerated. Woo said that Yahoo!'s Chinese operation was the company involved, and that it fell outside of his jurisdiction and the scope of his investigation.
Yahoo! did supply identifying information. The verdict in the Chinese case references "account holder information furnished by Yahoo! Holdings (Hong Kong) Ltd, which confirms that for IP address 18.104.22.168 at 11:32:17pm on April 20, 2004, the corresponding user information was as follows…"
What the Hong Kong Commissioner could not say, though, was that the handing over of information relating to the IP address counted as personal information under the Hong Kong law.
Woo had to make his judgment without information which he requested from Yahoo!. Yahoo! refused to hand over information from its Chinese operation, claiming that as information relating to a criminal offence, the information was classed in China as a state secret. He said that the consequences of breaking the Chinese state secrets law were so serious that he would not compel Yahoo! to produce the requested data.
The Commissioner said that on its own, an IP address does not constitute personal data. "Basically, an IP address is a specific machine address assigned by the ISP to the user's computer and is therefore unique to a specific computer," he said. "The information is about an inanimate computer, not an individual. The Commissioner therefore takes the view that an IP address per se does not meet the definition of 'personal data'."
He did say, though, that an IP address could make up part of personal data, and that if a party had other information, the IP address could be identifying information. "Whether or not it is part of any personal data in a particular case depends on the facts of the case," he said.
"In the circumstances, the Commissioner finds insufficient evidence to support that the two limbs of the definition of 'personal data' are met," he said.
Yahoo! has said that it was required to supply information under Chinese law, but the company has met with international criticism for supplying information which may have led to the identification of Shi, named in the Commissioner's report only as Mr X.
"I wouldn't go so far as to say this was an exoneration for Yahoo!. The important thing is that the Commissioner couldn't form a view as to whether or not the information was personal data," said Dr Chris Pounder, a privacy specialist at Pinsent Masons, the law firm behind OUT-LAW. "He got no concrete evidence to dispute Yahoo!'s position."
Yahoo! Hong Kong, which owned Yahoo! China, argued that it did not control the email account user information involved. "The Commissioner does not find Yahoo! Hong Kong's argument convincing," said Woo's report.
The Commissioner did rule, though, that Yahoo! handed over the information on pain of criminal penalty in China, and that therefore the handing over of information was not in its control. "As Yahoo! Hong Kong had no control over the data disclosure, it is not, for the purpose of this investigation 'data user' as defined under section 2(1) of the Ordinance," said Woo. "It logically follows that the Ordinance has no application to the act of disclosure of the Information in China."