Privacy, Data Protection and Retention
Data Protection Commissioner v. Facebook (Schrems II)
Closed Mixed Outcome
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
The Hong Kong Court of Appeal set aside the conviction of the appellant Chu Ting-Ting by the Deputy Magistrate for criminal damage and obtaining illegal access to the web server of the Hong Kong police. According to data provided by the prosecution, a computer with an IP address matching the appellant’s accessed the Hong Kong police website 7,467 times between 00:53 and 01:17 during a Distributed Denial of Service (DDoS) attack. She was subsequently convicted under Section 60(1) of the Crimes Ordinance for using a computer with criminal intent. On appeal of the conviction, the appellant argued that the prosecution had not proven that the computer she had used was the one responsible for the DDoS Attack. The Appellate Court allowed the appeal and held that the appellant’s admission that she used the computer was insufficient evidence to support the finding by the lower court that she was responsible for committing the offence.
In the early morning hours of October 4, 2014, between 00:55 and 1:44, the applicant Chu Ting-Ting, a 22 year old sales associate, was home browsing the webpage of the hacker and social justice organization Anonymous. According to video testimony, the applicant understood that Anonymous supported the pro-democracy student protests which had just taken place, that the website claimed to have the capacity to hack specified websites, and that there was a related button on the site. She claimed she pressed button, but nothing seemed to happen so she continued pressing it.
On that same morning between 00:53 and 01:17, the Hong Kong police website experienced a Distributed Denial of Service (DDoS) attack which was traced to the IP address of Chu Ting Ting’s computer.
Pursuant to that event, the appellant was charged under Section 60(1) of the Crimes Ordinance with criminal damage and obtaining access to a computer with criminal intent. The Respondent in the case is the Hong Kong Special Administrative Region (HSKAR).
The Prosecution alleged that the appellant damaged property belonging to the web server of the Hong Kong police department, without lawful excuse, intending to damage the property or being reckless as to whether or not the property would be damaged. The appellant pleaded not guilty to both charges. The Magistrate held that the circumstances of the case fell within Section 59(1)(A)(a) of the Crimes Ordinance, i.e. ‘to cause a computer to function other than as it has been established to function by or on behalf of its owner’ is ‘misuse of a computer’ that constitutes ‘to destroy or damage any property’ and convicted the appellant.’ The appellant was accordingly convicted of criminal damage by the Deputy Magistrate.
The appellant moved to overturn the conviction on two grounds: that the prosecution did not prove that the computer was the one which had caused the DDoS attack and that there was insufficient evidence to prove that the appellant had the requisite mens rea of guilty intent.
On appeal, the Hong Kong Court of Appeal set aside the conviction of the appellant on the grounds that a connection between the computer and the DDoS attack had not been established. Further, the Court held that the admission from the defendant to having used the computer was insufficient evidence to support a finding that she had committed the offence or of dishonest intent.
J. Hon Wong delivered the ruling of the appellate court.
The Appellate Court observed that, for a successful conviction, the Prosecution must prove beyond a reasonable doubt that:
The Court affirmed the ruling of the Magistrate that the police website had been criminally damaged within the meaning of section 59(1A)(a): “to cause a computer to function other than as it has been established to function by or on behalf of its owner”. [para. 19]
First ground of appeal
The Court proceeded to consider the first ground of appeal: whether the Prosecution had proven that the appellant had committed the actus reus, or conduct in question, of the offence. The Court identified a two-fold approach to their assessment:
First, whether the Apple computer was used to cause the police website to be attacked; and
Second, whether the appellant was the person who was operating the computer that resulted in the attacks during the material time. [para. 24]
On the first test, the Magistrate had previously held that the data records produced by the Prosecution, explained by the expert witness, were sufficient to prove that the computer had caused the Police website to be attacked. [para. 26] However, Mr Leung contested evidence provided by the expert witness PW4 and argued that the remaining prosecutorial evidence was insufficient to prove that the computer in question caused the attacks, or that the appellant was the individual to have committed the actus reus of the alleged offence. [para. 35]
After reviewing the legal issues surrounding the role of expert witnesses, the Court stated that expert evidence serves a dual purpose of providing opinions for matters which are supported by evidence and impugning credibility of the adduced evidence. [para. 41]
The Court then considered whether the magistrate erred in relying to such a large extent on PW3’s expert opinions in consideration of the criticisms set out by the appellant.
The criticisms based on PW3’s testimony in the original trial were:
In summary, Mr Leung submitted that it was unreasonable for the magistrate to exclude the part of PW3’s evidence that was beneficial for the defence case. In response, the prosecution submitted that, while PW3 accepted during questioning that alternative explanations do exist, there was no evidence to support these alternatives. Furthermore, the appellant had not provided any evidence in court during the original trial to support the suggestions raised by the defence. Citing R v Chong Kin Cheong, the prosecution submitted that it was not the responsibility of the court to consider all possible defences of which there was evidence. The Court agreed with this position as a matter of law. [para. 47]
Finally, the Court considered whether there was sufficient evidence that the appellant was the person responsible for the damage. This had been determined by PW3 on the basis of 4 matters:
Mr Leung pointed out deficiencies in each of these 4 matters.
The Court first considered the fourth matter: whether the browsing records of the webpage ‘http://pastehtml.com/view/ckok6t524.html’ were stored in the Apple computer used for the DDoS attack. Mr Leung criticized the testimony of PW3, as he had not explained the source of the time of the attack 00:53 in his witness statement, later relied on by the magistrate. The Court agreed that the magistrate had not analyzed the time of attack. Moreover, there was no nexus between the browsing at 01:39 hours and the attack of the police website because the attack ended at 01:19 hours. On this point, the Court supported Mr Leung’s submission that the Court was handicapped to make a decision without the necessary evidence.
Considering that adverse findings were made by the magistrate on the basis of inadequate evidence given by PW3, the appellate Court held that it cannot be safely concluded that the Apple computer was used to attack the police website. [para. 59] The Court also held that, as matter 4 was unsafe to rely on, the previous 3 matters were insufficient to be relied upon to come to the same conclusion.
The Court further acknowledged that, while examination of the records might illuminate these issues, it would be inappropriate to scrutinise the voluminous computer data in this case in order to draw inferences. [para. 61]
Based on this analysis, the Court agreed that there was insufficient evidence that the computer in question was used to attack the police website. Furthermore, even though the appellant had made certain admissions to the police regarding her use of the computer, these admissions were insufficient to support the finding that the appellant was the individual responsible for the offence. [para. 64]
As such, the magistrate’s ruling that the appellant had launched the attacks could also not be upheld. Therefore, the first ground of appeal was upheld.
Second ground of appeal
The Court was required to consider whether the appellant had the requisite mens rea to commit the offence of intent or recklessness. As it could not be proven that the appellant had committed the relevant actus reus of criminal damage, the Court determined that there was no need to decide whether she had the mens rea. [para. 75]
However, the Court noted that there was an insufficiently thorough analysis conducted by the magistrate before concluding that the appellant was reckless as to the consequence an act was cause.
The Court referred to Sim Kam Wah v. HKSAR to define the general standard of recklessness. In this case the Court of Final Appeal determined that a person acts recklessly with respect to:
b) a result when he is aware of a risk that it will occur; and
Addressing the first aspect of the standard, risk, the Court observed that it is dependent on the “nature and circumstances of individual cases”. [para. 83] In this case, the risk was of the relevant property being damaged. For damage to a computer, the statutory definition of damage is broader than it is generally understood. Applying this broad definition of damage, the risk would refer to the impact on a computer to function otherwise than originally designed. [para. 83] Therefore, a finder of fact must conduct a thorough analysis to determine whether the act was reckless. In making this observation the Court relied on Smith and Hogan’s Criminal Law, which stated that not all risk-taking amounts to recklessness. [para. 89]
Even if the appellant’s knowledge of the risk were established, to determine whether she was reckless, considering that her action was “only pressing a button and that there was no particular evidence showing what kind of button it was, the Court should also scrutinise what did the appellant see on the webpage and consider carefully whether she was acting unreasonably before coming to a conclusion”. [para. 91] However, the magistrate had not made any finding on this matter.
Therefore, the Appellate Court determined that the magistrate’s finding was unsafe. The appeal was allowed and the conviction set aside.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The appellate Court’s decision does not specifically expand or contract freedom of expression. It only reinstates that in order to determine criminal damage and illegal access of a computer, the evidence should clearly establish that there was requisite mens rea and actus reus. In the present case, it was not adequately established by prosecution evidence that the criminal act can be attributed to the appellant or her computer was used for the DDoS attack. Thus, there was no actus reus.
Further, the Court relied on a broader interpretation of damage in cases of damage caused to a computer. Court observed that a computer can be misused in myriad ways thus the finder of fact should conduct a thorough analysis before charging the accused of recklessness.
In the present case, the requirement of recklessness would be whether the reckless act caused the computer to function otherwise than the way it was designed. Since the magistrate’s findings and the prosecution evidence did not establish the recklessness criteria adequately the appellate court set aside the order of the magistrate convicting the appellants.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Destroying or Damaging Property
Criminal Damage to Property, Interpretation
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.