Effective from October 8, 2021, the Personal Data (Privacy) (Amendment) Ordinance 2021 (“Amendment Ordinance”) has come into operation as it was published in the Hong Kong Government Gazette that day. The Amendment Ordinance has introduced several initiatives to combat doxxing acts intrusive to personal data privacy. Such initiatives include criminalization of doxxing acts, and granting of statutory powers to the Privacy Commissioner for Personal Data (the “Privacy Commissioner”) to issue cessation notices demanding the cessation or restriction of disclosure of doxxing content and to conduct criminal investigation and institute prosecution for doxxing cases, among other things.
What is Doxxing?
“Doxxing”, stands for “docs” (sometimes spelt “doxing”), is a term used for the cyberbullying technique of gathering the personal data of target person(s) or related person(s) (such as family members, relatives or friends) through online search engines, social platforms, discussion forums, public registers, anonymous reports etc., and disclosing such personal data on the internet, social media or other open platforms (including public places).
Doxxing acts has become rampant in recent years. There have been numerous cases of illicit disclosures including that of patient medical records from hospitals, as well as disclosure of personal data of police and judicial officers and their family members without their consent. Prior to the Amendment Ordinance, the provisions under section 64 of the Ordinance to regulate disclosure of personal data obtained from data user without data user’s consent was inadequate and was not intended to address the doxxing acts committed in recent years. This was because the requirement threshold for the relevant offence was “without the data user’s consent.”
In the instance of patient medical records that were found posted and reposted on internet and social media platforms making it impossible to trace the sources of the doxxing contents and ascertaining the identity of the data user, neither the Privacy Commissioner nor the Hong Kong Police were able to establish whether consent of the data user had been obtained.
Between June 2019 and 2021, the Privacy Commissioner handled over 5,800 doxxing complaint cases that were intrusive to personal data privacy. While the Privacy Commissioner requested online platforms to remove the doxxing contents on numerous accounts, only about 70% of such requests were complied with. To that end, there was an imminent need to amend the existing regime and to criminalize acts of non-consensual disclosure of personal data in order to protect the personal data privacy of the general public.
Doxxing as an offence
Under the Amendment Ordinance, section 64 of the Ordinance was revised to provide new two-tier doxxing offences which criminalize the disclosure of personal data of a data subject without the data subject’s consent with an intent to cause specified harm to the data subject or their family or being reckless to such harm happening. Note that consent is no longer required from that of the data user but that of the data subject. The definition of specified harm is broad and captures (i) harassment, molestation, pestering, threat or intimidation, (ii) bodily harm or psychological harm to a person, (iii) harm causing a person to be concerned for their safety or well-being, or (iv) damage to a person’s property.
A summary offence is committed if a person discloses personal data without the data subject’s consent where that person has the intent to cause a specified harm or being recklessly as to whether a specified harm would be or would likely be caused to the data subject or a family member of the data subject due such disclosure. The penalty for such summary offence is a fine of HK$100,000 and up to two years’ imprisonment.
An indictable offence is committed if a specified harm is caused to the data subject or a family member of the data subject due to the disclosure of personal data. The penalty for such indictable offence is a fine of up to HK$1,000,000 and up to five years’ imprisonment.
The Commissioner’s Powers and its Extra-Territorial Effect
The Privacy Commissioner is now conferred with new investigation and enforcement powers. These include powers to request a person to provide materials and assistance to facilitate investigation into doxxing offences, to obtain search warrants, carrying out specified investigation in premises and to seize and detain any evidence for purposes of the investigation. The Privacy Commissioner may also arrest, stop and search any person reasonably suspects of having committed doxxing offences, and may apply to the Hong Kong Court of First Instance for an injunction against a person who engaged, is engaging or is likely to engage in conduct which contravenes the doxxing offences.
The Privacy Commissioner may serve a notice in the case of doxxing if the data subject is a Hong Kong resident or is present in Hong Kong regardless of whether the disclosure was made in Hong Kong or not. Cessation notices may also be served inside or outside of Hong Kong depending on whether the doxxer or the service provider is inside or outside of Hong Kong. The Amendment Ordinance equips the Privacy Commissioner with the flexibility necessary to take appropriate action given the global reach and vast nature of the internet. Any doxxer or service provider served with a cessation notice and either fails to comply or establish an appropriate defence may commit a criminal offence and be subject to penalties or imprisonment.
The anti-doxxing regime under the Amendment Ordinance not only defines broad and encompassing offences coupled with hefty penalties but also confers new investigative and enforcement powers to the Privacy Commissioner that have extra-territorial effect. Clients who may well be platform providers, operators or users should adopt appropriate approaches to potentially doxxing messages and ensure compliance with the Amendment Ordinance.
If you would like to discuss any of the matters raised in this eUpdate, please contact either Hilda Chan or Janet Wong.