In the wake of rampant doxing that has occurred in recent years, the Hong Kong government has made key revisions to its data privacy regime to criminalise the unauthorised disclosure of personal data and enhance the privacy watchdog's investigation and enforcement powers. The amended provisions of the Personal Data (Privacy) Ordinance (“PDPO”) targeting doxing activities came into effect on 8 October 2021.

The three main aspects of the amendments made are as follows:

1. Criminalisation of doxing behaviour

To curb doxing activities, the offence under the previous section 64(2) of the PDPO will be replaced by two offences.

The first-tier offence is the disclosure of personal information without the consent of the victim (the “data subject”), where the disclosing party intends to cause, or is reckless as to causing, any specified harm by that disclosure. If the disclosure results in specified harm, the disclosing party will be liable for a second-tier offence, which is a more serious indictable offence punishable with a fine of up to HK$1,000,000 and imprisonment of up to 5 years.

Under both offences, “specified harm” generally consists of four limbs, namely (i) harassment, molestation, pestering, threat or intimidation to the person, (ii) bodily or psychological harm to the person, (iii) harm causing the person to be reasonably concerned for the person's safety or well-being; and (iv) damage to the property of the person.

2. Conferring investigation and prosecution powers to the Commissioner

The Commissioner will be allowed to elect whether to investigate doxing behaviour and directly prosecute relevant offences at the Magistrates' Courts or to refer more serious cases to the police or Department of Justice.

In order to facilitate investigations and consolidate enforcement efforts, the Commissioner will be empowered to require any individual to provide relevant information and provide assistance. Furthermore, it will be considered an offence if the individual (i) without reasonable excuse or with intent to defraud, fails to comply with the request, or (ii) during compliance, demonstrates the intent to defraud and provides materially false or misleading information. The Commissioner will have the power to stop, search, and arrest any individual without a warrant if he or she is reasonably suspected of having committed certain offences, and to apply for search and seizure warrants during investigations.

3. Commissioner may issue cessation notices and apply for injunctions

If the data subject is a Hong Kong resident or is present in Hong Kong when an unauthorised disclosure is made, the Commissioner will have authority to issue a cessation notice, regardless of where the disclosure has taken place. Cessation actions can include the removal of doxing content, limiting access to the content or its disclosing platform, as well as the discontinuance of hosting service for that platform. Beyond individuals and companies in Hong Kong, overseas service providers with no presence in Hong Kong will also be bound. Failure to abide by the notice without reasonable excuse is an offence subject to a fine of up to HK$100,000 and imprisonment of up to 2 years.

To tackle repeat doxing, the Commissioner will be empowered to make injunction applications to the court to compel compliance.

Remedies for the deficiencies prior to the amendment

Between June 2019 and June 2021, the Office of Commissioner for Personal Data (“PCPD”) received over 5,800 complaints of doxing. The impact of the non-consensual disclosure of personal information has been worsened by the rise of the internet and social media platforms, which enable fast and easy sharing and reposting. This has hampered the PCPD and police's efforts to track down culprits and contain the spread of information.

On 27 September 2021, a former clerical assistant from the Immigration Department was sentenced to 45 months' imprisonment after leaking the personal information of 215 people on social media platforms and Telegram, a cloud-based messaging app, for over 11 months. Condemning the behaviour as “a betrayal of moral standards” and “a cyberterrorist act”, the court expressed that the sentence could have been longer and challenged the police's delay in identifying the culprit.

The PCPD and police experienced difficulty in enforcing the old section 64 prior to the amendment for several reasons. First and foremost, they were often unable to identify the original source of the private information due to the high number of reposts of such content across multiple platforms. Secondly, they were unable to prove that the information was obtained from that specific data user or that the disclosing party failed to obtain the data user's consent. Thirdly, the old section failed to remedy situations where the data user is physically harassed or harmed, or where harm is caused to the data user's family members, which has unfortunately become increasingly common.

Furthermore, the PCPD's previous requests to remove private information lacked non-compliance consequences, resulting in frequent delayed responses and a response rate of only approximately 70% among internet service providers.

Our observations

With the new amendments, it is prudent for employers to review their internal policies for storing, using, and processing their customers' and employees' personal information. Employers should take active steps to secure the personal information of their customers and employees so as to minimise the risk of misappropriation or misuse. Some practical measures include:

  • redacting personal information from relevant documents;
  • restricting access to personal data to a need-to-know basis;
  • protecting electronic files with passwords, firewalls, automatic intrusion detection systems, and authentication measures; and
  • ensuring that documents containing sensitive personal information are not taken off-site.
