Hong Kong's personal data privacy law recently has been amended to introduce new provisions to combat doxxing acts which are intrusive to personal data privacy. This marks the first stage of the stream of proposed amendments which are expected to come which are aimed at strengthening Hong Kong's data protection regime.

In an earlier blog post, we discussed the inadequacies of the Personal Data (Privacy) Ordinance ("PDPO") in combatting unauthorised dissemination of personal data using online platforms, and what amendments to the law are expected to come into force with regard to doxxing. The wait finally is over.

The Personal Data (Privacy) (Amendment) Ordinance 2021 (the "Amendment Ordinance") has been published in the Gazette and came into force on 8 October 2021. On the same day, the Office of the Privacy Commissioner for Personal Data ("PCPD") published an Implementation Guideline for the Amendment Ordinance which also has been published in the Gazette.

The Amendment Ordinance targets to combat doxxing acts in the following three main ways:

  1. Criminalise doxxing acts under new offences;
  2. Empower the PCPD to carry out criminal investigations and prosecute some offences including offences related to doxxing; and
  3. Confer upon the PCPD powers to serve "cessation notices".

In this connection, the PCPD has stated that the Amendment Ordinance will not affect normal and lawful business activities in Hong Kong1. The PCPD has stressed that the new law will not affect freedom of speech and free flow of information, both of which are enshrined in the Basic Law of Hong Kong and the Hong Kong Bill of Rights Ordinance.

This blog post breaks down and summarises the key points of these amendments.

The revamped section 64 of the PDPO

As discussed in our earlier blog post, section 64 of the PDPO is the statutory provision which criminalises unauthorised disclosure of personal data.

  1. New two-tiered offences

Previously, section 64(2), being the offence most relevant to doxxing, required the prosecutor to prove that the data concerned was obtained from a data user and was obtained without consent from that data user. This sub-section now has been repealed. New sub-sections (3A) to (3D) have been added to introduce new offences.

Section 64(3A) of the PDPO prohibits the disclosure of any personal data (regardless of where such data has been obtained) without the data subject's consent, in cases where the person disclosing the content has an intent to cause or is reckless as to whether the action would likely cause any specified harm to the data subject or their family member (a "3A Disclosure").

The Amendment Ordinance introduces the new concept of a "specified harm" which covers a range of different possibilities. The PCPD explained that it can be any of the following:

  • Harassment, molestation, pestering, threat or intimidation to the person which may take the form of psychological pressure;
  • Bodily or psychological harm to the person;
  • Harm causing the person reasonably to be concerned for or worried about the person's safety or well-being; or
  • Damage to the property of the person.

Psychological harm is an element which has been brought over from the repealed section 64(2). It needs to be evidenced by a medical or expert report, and therefore is not a low threshold.

An offender guilty of 3A Disclosure can be convicted summarily. They may be liable to a level 6 fine (HK$100,000 at present) and 2 years' imprisonment.

Section 64(3C) takes sub-section (3A) further by criminalising separately a 3A Disclosure which causes actual specified harm to the data subject or their family member (a "3C Disclosure").

3C Disclosure is triable on indictment. The Amendment Ordinance introduces a much higher fine (up to HK$1,000,000) and a longer imprisonment sentence (up to 5 years) for this more serious offence.

B. Availability of statutory defences

Four statutory defences are available with regard to the section 64 offences:

  • The person reasonably believed that the disclosure was necessary for the prevention or detection of crime.
  • The disclosure was required by or authorised under any enactment, rule of law or court order.
  • The person reasonably believed that the disclosure was made with consent.
  • The person disclosed the personal data in question solely for the purpose of lawful journalistic activity and had reasonable grounds to believe that the publishing or broadcasting of such data was in the public interest.

The Amendment Ordinance makes clear that a defence is established as long as there is sufficient evidence to raise an issue with respect to the defence and the contrary is not proved by the prosecution beyond reasonable doubt.

C. Possibly longer time bar for offences triable on indictment

Previously, complaints regarding any offence under the PDPO had to be made before a magistrate within two years from the date of commission of the offence.

Under the Amendment Ordinance, this two-year limitation period now applies only to those offences which are triable only summarily. This gives the Secretary for Justice more investigation time with regard to the more serious crimes such as 3C Disclosures.

A more powerful PCPD to fight doxxing

The Amendment Ordinances adds a new Part 9A to the PDPO which confers upon the PCPD investigations and enforcement powers in relation to section 64 offences and related matters. Part 9A of the PDPO introduces new sections 66C to 66S.

A. New power to prosecute

The new Section 64C provides that the PCPD may prosecute the commission of or the conspiracy to commit the following six offences which relate to doxxing:

  1. Under section 64(1), for disclosure of personal data obtained from a data user without the data user's consent with an intention to obtain gain or cause loss to the data subject.
  2. Under section 64(3A), for a 3A Disclosure.
  3. Under section 66E(1), for failure to comply with any requirement for materials and assistance given under the PCPD's written notice.
  4. Under section 66E(5): for failure to comply with any requirement for materials and assistance given under the PCPD's written notice with the intention to defraud, or for purported compliance with such requirement by providing false or misleading material.
  5. Under section 66I(1): for obstruction of the lawful exercise by authorised personnel of the various powers under section 66G in relation to premises and electronic devices, and under section 66H to stop, search and arrest persons.
  6. Under section 66O(1): for failure to comply with a cessation notice which requires cessation action(s) to be taken in relation to a breach.

Note that if an offence is prosecuted by the PCPD, the offence only can be tried summarily in the Magistrates' Courts.

B. New power to require provision of materials or assistance

In cases where the PCPD is investigating any of the six offences mentioned above which the PCPD now has power to prosecute, or an offence under section 64(3C) in respect of a 3C Disclosure (the seven offences together, the "Doxxing-related Offences"), the PCPD may issue a written notice to any person who may be able to assist in the PCPD's investigation to require the provision of materials or give all assistance that the PCPD reasonably requires for such investigation. The PCPD may require any oral or written question relating to such investigation be answered. 

Failure to comply with such written notice or purported compliance with such notice by giving materially false or misleading statements, both are criminal acts.

A person will be required to answer the PCPD's questions contained in the notice notwithstanding the possibility that the answers may incriminate them.

C. New powers exercisable in relation to premises, electronic devices and suspected offenders

The PCPD, with a warrant issued by a magistrate, now may enter and search premises, and seize materials which potentially contain evidence. If the PCPD reasonably believes that evidence is stored in an electronic device, the PCPD's powers also extend to access, seize, decrypt, search, and reproduce the device.

In particularly urgent cases or under certain specified circumstances, the PCPD or any prescribed officer may access the device concerned without a warrant. The PCPD explains that this power is necessary for the preservation of evidence which easily may be deleted by offenders on their mobile devices within a few swipes of fingers, had the offenders been alerted by the issuance of warrant.

Furthermore, a person authorised by the PCPD may, without warrant and with the use of reasonable force, exercise powers to stop, search and arrest any person which they reasonably suspect to have committed any Doxxing-related Offence.

The PCPD emphasises that all investigation and enforcement powers given to the PCPD reflect similar powers given to the Police either under the Police Force Ordinance or common law. In appropriate circumstances, the PCPD will join forces with the Police to carry out investigation and enforcement measures.

Again, obstruction of the exercise of these powers by authorised persons without having lawful excuse is a criminal act.

Cessation Notices

In the context of a 3A Disclosure or a 3C Disclosure, if:

  1. the relevant data subject is a Hong Kong resident or is present in Hong Kong when the disclosure is made,
  2. there is reasonable ground to believe that there is a written or electronic message which contains such disclosure, and
  3. a Hong Kong person, or a non-Hong Kong internet service provider (in the case of electronic messages), is able to take certain cessation action in relation to the message,

the PCPD now may serve a written notice under section 66M to direct the person or provider to take certain cessation actions.

A "cessation action" in relation to a subject message includes any action to cease or restrict the subject disclosure made by means of that message, for example, removal of the message.

Failure to comply with a cessation notice is a criminal act. If it is a continuing offence (for example, when the subject message continues to be circulating in public), the offender may be liable to a daily fine until the cessation notice is complied with.

Note that a "Hong Kong person" has a wide definition. It means a natural person present in Hong Kong, or a body of persons that is incorporated, established or registered in Hong Kong or has a place of business in Hong Kong. This means that international corporate entities, unincorporated entities such as partnerships and associations which have a place of business in Hong Kong also may fall within this definition. Online content hosting platforms, operators of electronic platforms or search engines which are based outside Hong Kong also may be subject to the PCPD's cessation notices. In this regard, the new section 66M has extra-territorial application.

The amended PDPO provides aggrieved businesses or persons who are affected by the cessation notice some possible ways to respond.

First, aggrieved persons may appeal against the cessation notice to a specified appeal board. Note that the cessation notice still needs to be complied with notwithstanding the lodging of an appeal.

Secondly, the following statutory defences may be invoked:

  1. The existence of reasonable excuse for the person not to comply with the cessation notice.
  2. The nature, difficulty or complexity of the cessation action required of the person.
  3. Unavailability of the technology necessary for compliance with the cessation notice.
  4. Risk of incurring substantial loss to or substantially prejudicing the rights of a third party.

Again, a defence can be established as long as there is sufficient evidence to raise an issue with respect to the defence and the contrary is not proved by the prosecution beyond reasonable doubt.

In the event that none of the above defences assists an aggrieved person, the amended PDPO provides some comfort for persons who are compelled to comply with cessation notices by providing such persons with immunity from civil liability that otherwise would arise solely because of that compliance.

Other amendments worth noting

In addition to what is set out above, the Amendment Ordinance introduced the following provisions which are note-worthy:

  • The Hong Kong Court of First Instance now is given a wide discretion to grant injunctions with regard to section 64 offences upon the PCPD's application, in any terms that the court considers appropriate and against any person or class or persons. This provision is targeted at preventing or stopping large-scale or repeated commission of doxxing acts.
  • The PCPD may investigate Doxxing-related Offences either out of their own initiative or based upon a complaint received. In cases where the investigation is initiated by a complaint, the law provides a right to the complainant to know of the result of the relevant investigation.

Key takeaways

The breadth of the new powers bestowed upon the PCPD and the multitude of Doxxing-related Offences introduced reflect the welcome strengthening of the tools available for preventing combatting doxxing activities. These amendments provide the necessary statutory framework and mandate for increased "policing" by the PCPD.

The new provisions which require co-operation with investigations and compliance with cessation notices issued by the PCPD are of obvious relevance to business entities, especially those which operate or manage online content hosting platforms. Non-Hong Kong based companies also may be required to comply with cessation notices.

Businesses which publish content, whether on the Internet or in offline media, should ensure that the right to withhold and remove unlawful content is included in their user policies or agreements.

The PCPD strongly urges all businesses to comply with cessation notices upon receipt. Businesses which are affected by cessation notices should be aware of the availability of statutory defences and the appeal mechanism, and seek individual legal advice for the specific situations they face.


1 In a webinar "Recent Changes to the Personal Data (Privacy) Ordinance - What Businesses Should Know" organised by the Hong Kong General Chamber of Commerce and presented by the PCPD on 8 November 2021.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.