Amended data privacy legislation enabled Hong Kong courts to convict doxxing offences, though their ability to enforce cessation notices remains unclear.

By Kieran Donovan and Jacqueline Van

In October 2021, Hong Kong amended its data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), to criminalise “doxxing” (generally defined as publicly providing personally identifiable information about an individual or related persons, usually via the internet, and often with malicious intent). The law empowers the Privacy Commissioner for Personal Data (Commissioner) to carry out criminal investigations, institute prosecutions, and issue cessation notices in relation to doxxing. The law is similar in many respects to New Zealand’s Harmful Digital Communications Act and Singapore’s Protection from Harassment Act, each of which were expressly referred to by the Hong Kong SAR’s Legislative Council Research Office in advance of the amendment coming into force.

This blog post reviews doxxing-related enforcement activity in Hong Kong since the amendment came into effect.

Background to the Amendment

Prior to the amendment, doxxing activities were prosecuted in Hong Kong under s64(1) and s64(2) of the PDPO. However, enforcing against doxxing under these provisions was challenging, for at least two reasons:

  • Prosecutors struggled to prove that data was “obtained without the data user’s consent”, as tracing the source of doxxing content based on mere distribution or reposting on online platforms presents complications.
  • The Commissioner did not have legal authority to request the removal of doxxing contents from online platforms, and compliance with such requests was not mandatory.

Against this backdrop and an increasing number of doxxing complaints, the government introduced the Personal Data (Privacy) (Amendment) Bill to strengthen enforcement measures, which came into effect as the Personal Data (Privacy) Amendment Ordinance 2021 (the Amendment Ordinance) in October 2021.

The Amendment Ordinance: Specific Doxxing Offences

The Amendment Ordinance amended and created specific doxxing offences. Notably:

The Amendment Ordinance criminalises doxxing acts by introducing two new doxxing offences in a two-tier structure, replacing s64(2) of the PDPO.

The first-tier (under s64(3A)) is a summary offence for disclosing any personal data of a data subject without the relevant consent of the data subject with an intent to cause “specified harm” or being reckless as to whether any specified harm would be caused to the data subject or any family member of the data subject. A person who commits an offence under s64(3A) is liable on conviction to a fine of HK$100,000 and imprisonment for two years.

The second-tier (under s64(3C)) is an indictable offence whereby, in addition to the elements of the first-tier offence, the offender causes any “specified harm” to the data subject or any of their family members as a result of the disclosure. The offence is punishable by a HK$1,000,000 fine and five years’ imprisonment.

Under both offences, “specified harm” contains four categories: (i) harassment, molestation, pestering, threat, or intimidation to the relevant person; (ii) bodily harm or psychological harm to that person; (iii) harm causing the person reasonably to be concerned for their safety or well-being; or (iv) damage to the person’s property.

Existing defences available under s64 still apply after the amendment.

The Amendment Ordinance empowers the Commissioner to serve cessation notices to demand the takedown or restricting of doxxing content disclosure.

The Commissioner can serve cessation notices to not only Hong Kong individuals and service providers with a place of business in Hong Kong, but also non-Hong Kong operators of electronic platforms.

Failure to comply with the cessation notice is an offence, resulting in, on first conviction, at a maximum a fine at level 5 (i.e., at HK$50,000) and imprisonment for two years.

The Amendment Ordinance confers criminal investigation and prosecution powers to the Commissioner.

Subject to certain requirements, the Commissioner may (i) issue a written notice to request a person to provide materials and assist the Commissioner in a doxxing-related investigation (for which failure to comply will be an offence); (ii) apply for a warrant from a magistrate to search premises and access electronic devices; (iii) access electronic devices without a court warrant; and (iv) stop, search, and arrest certain persons.

Pursuant to the new s64C, the Commissioner may also prosecute, in their own name, doxxing-related offences that are triable summarily in the Magistrates’ Court.

Observations and Takeaways

Hong Kong has actively enforced against individuals for doxxing acts — including eight arrests made by local law enforcement, and a first conviction in October 2022.

Since the Amendment Ordinance has come into effect, eight arrests have been made for contravention of s64(3A) or s64(3C) of the PDPO by individuals. The first arrest happened in December 2021, only two months after the Amendment Ordinance came into effect.

On 6 October 2022, the Shatin Magistrates’ Court handed down the first conviction for a doxxing offence, convicting an individual of seven charges, brought under s64(3A) and s64(3C), after a guilty plea. The case concerned the defendant’s disclosure of the complainant’s personal data after their relationship ended and impersonation of the complainant on various social media platforms, including inviting online strangers to visit the complainant at her home address.

Although the court has not yet issued the judgment, observers expect the decision to shed more light on how to interpret and apply the new provisions in the PDPO, as well as how to approach sentencing.

The Commissioner has proactively issued cessation notices to online platforms, though its ability to enforce such notices remains unclear.

As of 30 April 2022, the Commissioner served over 600 cessation notices on 13 online platforms, requesting the removal of over 3,000 entries of doxxing content. In addition, the Commissioner achieved the removal of about 80% of such doxxing content.

No public sources indicate that the Commissioner has exercised its powers to prosecute a Hong Kong person or non-HK service provider for failure to comply with cessation notices. Pending any enforcement on this front, it remains to be seen whether (and if so how strictly) the Commissioner will enforce against online platforms that fail to comply with cessation notices, and in particular how the extraterritorial effect of the cessation notice regime will affect enforcement.

Guidelines issued relating to the Amendment Ordinance in October 2021 provide that any person who receives a cessation notice (including an online platform operator or doxxing content discloser) must comply with its requirements within the specified timeframe, regardless of whether the person appeals the cessation notice. This guidance appears to envision that the notice should be complied with even if, for example, the recipient believes the cessation notice is defective due to a lack of information (such as detail on the grounds of belief of the doxxing). While online platforms may rely on certain defences under s66O(1), such defences (including how broadly they may be interpreted) remain untested. The threat of a fine and criminal penalty for failure to comply with the notice, and the immunity provision under s66P for persons who comply with a cessation notice, might influence whether, and if so how, online providers will respond to such notices (especially in cases in which the platform questions the content or substantive detail of the cessation notice).