Tackling the issue of “doxxing” in Hong Kong
What legislative changes are being considered in Hong Kong to address the rise in doxxing cases and the resulting harm caused to the affected data subjects?
The Hong Kong Government has released significant proposals before the Legislative Council to criminalise unlawful doxxing acts and enhance the Privacy Commissioner for Personal Data (PCPD)’s capabilities to combat doxxing.
Doxxing describes the act of unlawfully revealing personal information of a third party or his/her family to the public – usually through online platforms – without prior consent and with the intention to humiliate, intimidate, or cause psychological or bodily harm to the victims.
In recent years, Hong Kong has seen a rapid surge in doxxing activities. Between June 2019 and April 2021, the PCPD received nearly 6,000 doxxing-related complaints, and close to 1,500 cases have been referred to the police for criminal investigation. To date, however, there have been only a few convictions, although a custodial sentence is a real possibility in the event of a conviction.
Under section 64 of the Personal Data (Privacy) Ordinance (the PDPO), the conviction threshold requires the act to be “without the data user’s consent” (such as improper disclosure of medical records of a data subject without the consent of the hospital as a data user). However, with the development of the internet and social media, most doxxing acts are recklessly dispensed, and repeatedly reposted online, making it difficult for law enforcement to trace and identify the data user and ascertain whether there has been any consent provided.
Additionally, under the current regime, the PCPD is required to refer cases to the Police and the Department of Justice for investigation and prosecution, which can delay the handling of doxxing cases.
In a bid for stronger enforcement and protection of online data privacy, on 17 May 2021 the Government released a discussion paper containing proposed amendments to the PDPO before the Legislative Council (the Proposed Reform):
- Adding a “doxxing” offence under section 64 of the PDPO which requires a person to obtain the data subject’s consent and extends the protection to the data subject’s immediate family members. The penalty for the existing offence under section 64 will tally with the new doxxing provisions. Any person who contravenes the doxxing offence is liable upon conviction to a fine of HK$1,000,000 (c. £93,000) and to imprisonment for up to five years, or on summary conviction to a fine of HK$100,000 (c. £9,300) and to imprisonment for up to two years
- Empowering the PCPD to carry out criminal investigations and initiate proceedings in its own name to allow more effective collection of evidence for prosecution and to expedite the processing of doxxing cases
- Empowering the PCPD with statutory powers to demand rectification of doxxing contents by serving a “Rectification Notice” on any person who provides services in Hong Kong to Hong Kong residents (including online platforms) and requiring the removal of the information unlawfully disclosed in an expeditious manner, and
- Empowering the PCPD with the power to apply to court or seek an injunction if it believes that there are very likely to be large-scale or repeated doxxing acts against specific persons or groups.
The Proposed Reform will be formalised in an amendment bill (the Personal Data (Privacy) (Amendment) Bill 2021) (the Amendment Bill), which will be gazetted on 16 July 2021 and introduced into the Legislative Council for first and second readings on 21 July 2021.
Why is this important?
The Proposed Reform shows the Government’s desire to combat the effective weaponizing of personal data. Subject to proper safeguards, the greater power to be conferred on the PCPD should help to expedite the processing of doxxing cases, improve the enforcement of doxxing offences and better safeguard the privacy interests of data subjects. The Proposed Reform is in tandem with the recent gazette of a three-phased new inspection regime under the Hong Kong Companies Ordinance, Cap 622, which aims to withhold certain personal information of directors and company secretaries from general public inspection to prevent the potential abuse of such data by eg doxxing.
Any practical tips?
Companies with an online geographical reach should keep informed of the upcoming implementation of the Proposed Reform and should be prepared for enhanced regulatory obligations coming into effect. As the Proposed Reform and the forthcoming Amendment Bill are yet to be finalised, the PCPD welcomes any views, proposals and recommendations that companies or other stakeholders may have.