In the wake of rampant doxxing incidents in recent years, the Hong Kong government has made key revisions to the data privacy regime to criminalise the unauthorised disclosure of personal data causing specified harms to an individual and his family, and to enhance the privacy watchdog's investigation and enforcement powers. The amended provisions of the Personal Data (Privacy) Ordinance (“PDPO”) targeting doxxing activities came into effect on 8 October 2021.

Three main aspects

1. Criminalisation of doxxing behaviour

To curb doxxing activities, the offence under the previous section 64(2) of the PDPO will be replaced by two offences.

The first-tier offence covers disclosure of personal information without the consent of the victim (“data subject”) where the disclosing party intends that disclosure to cause any specified harm, or is reckless as to whether it does. If the disclosure results in specified harm, the disclosing party will be liable for a second-tier offence, which is a more serious indictable offence punishable with a fine of up to HK$1,000,000 and imprisonment of up to 5 years.

Under both offences, “specified harm” generally consists of four limbs, namely (i) harassment, molestation, pestering, threat or intimidation to the person, (ii) bodily or psychological harm to the person, (iii) harm causing the person reasonably to be concerned for the person's safety or well-being; and (iv) damage to the property of the person.

2. Conferring investigation and prosecution powers to the Commissioner

The Commissioner will be allowed to elect whether to investigate doxxing behaviour and directly prosecute relevant offences at the Magistrates' Courts or to refer more serious cases to the police or Department of Justice.

In order to facilitate investigations and toughen enforcement, the Commissioner will be empowered to require any person to provide relevant information and give assistance. Consequently, it will be an offence for anyone (i) to fail to comply with the request, without reasonable excuse or with intent to defraud, or (ii) in the course of compliance, to provide materially false or misleading information with intent to defraud. The Commissioner will have the power to stop, search and arrest anyone without a warrant, if it reasonably suspects him of having committed certain offences, and to apply for search and seizure warrants during investigations.

3. Commissioner may issue cessation notices and apply for injunctions

If the data subject is a Hong Kong resident or is present in Hong Kong when an unauthorised disclosure is made, the Commissioner will have authority to issue a cessation notice, regardless of where the disclosure has taken place. Cessation actions can include the removal of doxxing content, limiting access to the content or its disclosing platform, as well as discontinuance of hosting service for that platform. Besides individuals and companies in Hong Kong, overseas service providers with no presence in Hong Kong will also be bound, and a failure to abide by the notice without reasonable excuse is an offence subject to a fine of up to HK$100,000 and imprisonment of up to 2 years.

To tackle repeated doxxing behaviour, the Commissioner will be empowered to make injunction applications to the court to compel compliance.

Remedies for the deficiencies prior to the amendment

Between June 2019 and June 2021, the Office of Commissioner for Personal Data (“PCPD”) received over 5,800 complaints of doxxing. The impact of exposing personal information has been worsened by the internet and social media platforms, which allow fast and easy sharing and reposting, hampering the efforts of the PCPD and police to track down culprits and control the spread.

On 27 September 2021, a former clerical assistant from the Immigration Department was sentenced to 45 months' imprisonment after leaking the personal information of 215 people and sharing it via Telegram for over 11 months. Condemning the behaviour as “a betrayal of moral standards” and “a cyberterrorist act”, the court stated that the sentence could have been longer and challenged the police's delay in identifying the culprit.

More importantly, the PCPD and police experienced difficulty enforcing the old section 64 prior to the amendment for a few reasons. First, they could not identify the data user given multiple reposting of the same doxxing content. Next, they were unable to prove that the content was obtained from that specific data user or that the disclosing party failed to obtain the data user's consent. The old section further failed to remedy situations where the data subject is harassed or physically harmed (as opposed to psychologically harmed), or where harm is caused to the data subject's family members, which has been prevalent.

The PCPD's previous requests to remove doxxing content carried no consequences for non-compliance, resulting in delayed responses and a response rate of only approximately 70% among internet service providers.

Our observations

Some industry experts and critics have expressed concerns that the amendments lack a clear definition of doxxing, which could be interpreted broadly, whereas the Commissioner has repeatedly refuted such claims on the basis that the essential elements of the new offences are sufficiently fleshed out in the Amendment Ordinance. The Implementation Guideline recently issued by the PCPD may assist in the interpretation of the various offences of concern.

With the new amendments, it is prudent for companies to start reviewing their internal policies for collecting and processing customers' personal information. There should be clear guidelines on how employees use and handle personal information, and protocols should be introduced for responding to cessation notices.
