Privacy & Data Protection

Hong Kong: Recent amendments to PDPO regarding anti-doxxing

Latest developments

On 8 October 2021, the Personal Data (Privacy) (Amendment) Ordinance 2021 (the Amendment Ordinance) came into effect to combat malicious doxxing acts so as to protect the personal data privacy of individuals.

Summary

The Amendment Ordinance amends the PDPO by introducing anti-doxxing provisions which can be categorised as follows:

(i) Creating offences to curb doxxing acts committed without the data subject’s consent

There are a total of seven (7) new offences: two-tier offences on doxxing with five (5) ancillary offences related to non-compliance with or obstruction of investigative and enforcement powers exercised by the Privacy Commissioner of Personal Data (PCPD).

The two-tier doxxing offences are as follows:

  • First tier offence: Section 64(3A) makes it an offence to disclose the personal data of a data subject without the relevant consent of the data subject (a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or (b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
  • Second tier offence: This is provided under Section 64(3C) which is similar to Section 64(3A), save that the offence relates to whether disclosure causes any specified harm to the data subject or any family member of the data subject.

    “Specified harm” in relation to the two-tier offences means (a) harassment, molestation, pestering, threat or intimidation to the person; (b) bodily harm or psychological harm to the person; (c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or (d) damage to the property of the person.

  • A person who commits a first tier offence is liable on summary conviction to a level 6 fine (currently at HK$100,000) and imprisonment for 2 years, while a person who commits a second tier offence is liable on conviction on indictment to a fine of HK$1,000,000 and imprisonment for 5 years.

The five (5) ancillary offences, which relate to non-compliance with or obstruction of the investigative and enforcement powers of the PCPD (as further discussed in (ii) and (iii) below), are as follows:

  • Non-compliance with a notice;
  • Non-compliance with a notice with intent to defraud;
  • Obstruction, hindrance or resistance to investigations;
  • Non-compliance with a cessation notice; and
  • Non-compliance with secrecy obligations.

(ii) Empowering the Privacy Commissioner to carry out criminal investigation and institute prosecution

The new PDPO empowers the PCPD with four (4) main types of prosecution and investigative powers:

  • Power to prosecute offences: Such powers cover not just the proposed new doxxing offence, but other criminal offences in the PDPO. The enhanced power does not derogate from the powers of the Secretary of Justice to prosecute criminal offences.
  • Power to require delivery of materials and provide assistance: Such powers include, among others, the power to require a person to provide the PCPD with materials, require a person to answer questions or require a person to give the PCPD all the assistance reasonably required.
  • Power in relation to premises and electronic devices: Such power includes, among others, search and seizure powers (with warrant) at relevant premises and access to electronic devices (with or without warrant) to assist with investigations.
  • Power to stop, search and arrest persons: Such powers may be exercised, without warrant, by the PCPD (or a person authorised by the PCPD) to stop, search and arrest any person reasonably suspected of having committed a doxxing or related offence.

(iii) Conferring on the Privacy Commissioner statutory powers to demand the cessation of doxxing contents

In addition to the powers set out in (ii) above, if the PCPD has reasonable ground to believe that (a) there is a subject message; and (b) a “Hong Kong person” is able to take a cessation action (whether or not in Hong Kong) in relation to the message, then the PCPD may serve a “cessation notice” on the person directing the person to take the cessation action.

“Cessation action” includes removing the message from the electronic platform, ceasing or restricting access by any person to the platform or discontinuing the hosting service for the platform.

It is worth noting the extra-territorial scope of the proposed “cessation notice” regime. So long as:

  • The relevant message concerns a disclosure (whether taking place inside or outside Hong Kong) of a Hong Kong resident or a person that is present in Hong Kong (at the time when the disclosure is made), and the person that discloses the personal data essentially commits the doxxing offence described above; and
  • The person that is going to receive the cessation notice can take the cessation action,

a cessation notice can be issued, regardless of where the recipient of the notice is located.

Enforcement actions

Since the Amendment Ordinance came into effect in October 2021, the PCPD has been relatively active in taking enforcement actions against suspected doxxing offences.

The first arrest took place in May 2022. A person was suspected of having disclosed the personal data, including the mobile phone number, occupation, residential address and names of their employers, without consent on a social media platform in October 2021, amid a money dispute. The defendant was arrested on 13 December 2021 and was charged with four charges of disclosing personal data without consent with an intent to cause specified harm to the data subject or being reckless as to whether specified harm would be caused to the data subject under section 64(3A) of the PDPO. The case had its first mention on 25 May 2022, and we are, at the date of this publication, not aware of any penalties that have been imposed.

Separately, the first conviction under the new anti-doxxing regime took place on 6 October 2022. This was the fourth arrest made by the PCPD, whereby the defendant disclosed on four social media platforms the complainant’s personal data, including her name, photos, residential address, private and office telephone numbers, name of her employer and position without her consent, in contravention of section 64(3A) of the PDPO. The defendant also impersonated the complainant to open accounts on three of the said platforms, and stated in the relevant messages that the complainant welcomed others to visit her at her address. Many strangers later contacted the complainant and tried to get acquainted with her. A total of seven charges were laid against the defendant in respect of the doxxing offence. The defendant pleaded guilty to and was convicted of all seven charges, and was sentenced to 8 months’ imprisonment.

The second sentencing case prosecuted by PCPD concluded on 8 March 2023. The defendant was an online trader and the victim was her supplier. Their business relationship turned sour because of a monetary dispute. The defendant then in December 2021 disclosed in 14 groups on a social media platform (1) allegations about the victim’s fraudulent behaviour; and (2) personal data such as the Chinese names and photos of the victim and her husband, and the phone number of the victim. The PCPD arrested the defendant on 26 July 2022. The defendant pleaded guilty to all charges and was convicted by the Court on 1 February 2023. The conviction relates to the defendant’s disclosure of the personal data of the victim and her husband without their consent, with an intent to cause specified harm to them or their family members, or being reckless as to whether specified harm would be (or would likely be) caused to them or their family members, in contravention of section 64(3A) of the PDPO. Based on the relevant reports and the nature of this case, the court sentenced the defendant to two months of imprisonment, suspended for two years.

How could it be relevant for you?

With the advancement of technology, doxxing contents can be spread and reposted in a click. To remove doxxing contents in an expeditious manner, a cessation notice may be served by the PCPD on Hong Kong service providers as well as non-Hong Kong service providers in relation to a message, whether in written or electronic form, including but not limited to those posted on online platforms.

Further, as noted above, the PCPD is empowered to carry out investigations and request information and assistance in case of suspected doxxing offences. If you operate an online platform that processes personal data, you should be prepared for circumstances when your users may be suspected of committing relevant doxxing offences, and how to respond to cessation notices and other requests for information or assistance from the PCPD.

Next steps

The Amendment Ordinance follows the last major amendment to the PDPO in 2013 when the PDPO introduced significant changes to the direct marketing regime in Hong Kong. According to the Report on the Work of the Office of the Privacy Commissioner for Personal Data in 2022 published for the meeting of the Legislative Council Panel on Constitutional Affairs on 20 February 2023, it is expected that the PDPO will be amended further in the near future to address other proposed amendments that were previously discussed in the legislature. A brief overview of some of the further legislative amendments to the PDPO being considered by the PCPD and the Hong Kong Government is set out as follows:

  • Mandatory data breach notification: Hong Kong currently does not require mandatory notification in the event of data breaches and it is expected that the PDPO may be amended to introduce mandatory data breach notifications in specified circumstances.
  • Regulation of data processors: The PDPO currently does not directly regulate data processors and it is expected that the PDPO may be amended to directly bind data processors in certain instances e.g. in relation to data retention and security requirements, or notification requirements to the PCPD.
  • Data retention period: It is expected that the PDPO will introduce an express requirement on data users to specifically set out the retention periods for separate categories of personal data so that data subjects are clearly informed of the details of the retention policy.
  • Sanctioning powers: The PCPD’s power is expected to be further broadened by enabling the PCPD to impose administrative fines (linked to the annual turnover of the data user concerned) based on breaches of the requirements under the PDPO.

The above legislative proposals are scheduled for consultation with the Legislative Council Panel on Constitutional Affairs within 2023.

*Information is accurate up to 27 November 2023
